michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e30753ba0e9e8ed6d3c26566b0824ca7c7496ea7
michaelschiemer/PRODUCTION-SECURITY-UPDATES.md
Michael Schiemer e30753ba0e fix: resolve RedisCache array offset error and improve discovery diagnostics 
- Fix RedisCache driver to handle MGET failures gracefully with fallback
- Add comprehensive discovery context comparison debug tools
- Identify root cause: WEB context discovery missing 166 items vs CLI
- WEB context missing RequestFactory class entirely (52 vs 69 commands)
- Improved exception handling with detailed binding diagnostics
2025-09-12 20:05:18 +02:00

4.9 KiB
Raw Blame History

Production Security Configuration Updates

Overview

Updated the production security configuration for michaelschiemer.de using a SINGLE docker-compose.yml approach with environment-based configuration.

Critical Security Fixes Applied

1. Performance Debug Information

  • Issue: Performance debug information was visible on production
  • Fix: Updated PerformanceServiceInitializer.php to strictly check both APP_ENV=production AND APP_DEBUG=false
  • Result: Debug performance tracking disabled in production (ANALYTICS_TRACK_PERFORMANCE=false in .env.production)

2. Session Debug Data Exposure

  • Issue: Session debug data was exposed in production
  • Fix: Performance service now disables detailed reports in production
  • Result: Session info and debug data hidden when APP_ENV=production

3. Admin Routes Security

  • Issue: Admin routes were not properly secured
  • Fix: Added ProductionSecurityMiddleware to middleware stack (priority #2 - early execution)
  • Result: Admin/debug routes return 404 in production, IP-restricted routes require whitelist

Files Updated

1. /src/Framework/Http/MiddlewareManager.php

  • Added ProductionSecurityMiddleware to middleware stack (position #2 for early execution)
  • Updated middleware numbering to maintain proper order

2. /deploy.sh

  • Changed deployment to copy .env.production to .env instead of using .env.example
  • Added production configuration validation step
  • Added security endpoint testing during deployment

3. /.env.production

  • Added ADMIN_ALLOWED_IPS=127.0.0.1,::1 for IP whitelisting
  • Set ANALYTICS_TRACK_PERFORMANCE=false to disable debug performance tracking
  • Confirmed XDEBUG_MODE=off for production

4. Created /test-security.sh

  • Comprehensive security testing script for local validation
  • Tests blocked routes, IP-restricted routes, and environment configuration

Security Middleware Configuration

ProductionSecurityMiddleware Behavior

Blocked Routes in Production (returns 404):

  • /admin/discovery
  • /admin/routes
  • /admin/performance
  • /admin/environment
  • /debug
  • /performance
  • /api/debug

IP-Restricted Routes in Production (requires whitelist):

  • /admin
  • /analytics
  • /health
  • /metrics

Allowed IPs (configurable via ADMIN_ALLOWED_IPS environment variable):

  • 127.0.0.1 (localhost IPv4)
  • ::1 (localhost IPv6)
  • Additional IPs can be added as comma-separated values

Environment-Based Configuration

Single docker-compose.yml Approach

  • Uses APP_ENV environment variable to control behavior
  • Dockerfile uses ENV build argument for environment-specific builds
  • Same containers work for both development and production

Environment Variable Control

  • Development: APP_ENV=development, APP_DEBUG=true

    • Full debug information visible
    • All routes accessible
    • Performance tracking enabled

  • Production: APP_ENV=production, APP_DEBUG=false

    • Debug information hidden
    • Admin/debug routes blocked
    • Performance tracking disabled
    • IP restrictions enforced

Validation & Testing

Local Testing Commands

# Test security configuration
./test-security.sh

# Test with production environment locally
docker exec php bash -c "cp .env.production .env && php test-production-config.php"

# Restore development environment
docker exec php cp .env.production.backup .env

Deployment Validation

The deployment script now automatically:

  1. Validates APP_ENV=production and APP_DEBUG=false
  2. Tests that debug routes return 404
  3. Confirms environment is properly configured

Manual Production Testing

After deployment, verify from external IP:

# Should return 404
curl -H "User-Agent: Mozilla/5.0" https://michaelschiemer.de/debug
curl -H "User-Agent: Mozilla/5.0" https://michaelschiemer.de/admin/discovery

# Should return 403 (unless your IP is whitelisted)
curl -H "User-Agent: Mozilla/5.0" https://michaelschiemer.de/admin
curl -H "User-Agent: Mozilla/5.0" https://michaelschiemer.de/health

Key Security Improvements

  1. Zero Debug Information Leakage: No performance data, session info, or debug details in production
  2. Route-Level Security: Admin and debug routes completely blocked (404 response)
  3. IP-Based Access Control: Critical routes restricted to whitelisted IPs
  4. Environment Validation: Automatic validation during deployment
  5. Single Configuration: One docker-compose.yml handles both dev and prod modes

Deployment Process

  1. Pre-deployment: Local testing with production environment simulation
  2. Deployment: Automatic copy of .env.production to .env
  3. Validation: Automatic environment and security testing
  4. Verification: Manual testing of critical security endpoints

The system now provides robust production security while maintaining development flexibility through environment-based configuration.

Reference in New Issue View Git Blame Copy Permalink