I wanted to share my experience dealing with this annoying message:
"Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider."
I think a lot of my issues are the result of using OpenLiteSpeed for a web server.
I tried all sorts of solutions found on the Internet. Some did nothing and others broke the installation.
I determined that everything hinges on the permissions set for one file /app/etc/config.php.
No matter what permissions I set for config.php, and still have a functioning Magento, I get the error notice. I currently have the permissions set to 500 and owned by nobody:root
The error text comes from vendor/magento/module-admin-notification/Model/System/Message/Security.php
Here is the code for Security.php:
<?php
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */
namespace Magento\AdminNotification\Model\System\Message;

use Magento\Store\Model\Store;

/**
 * @api
 * @since 100.0.2
 */
class Security implements \Magento\Framework\Notification\MessageInterface
{
    /**
     * Cache key for saving verification result
     */
    const VERIFICATION_RESULT_CACHE_KEY = 'configuration_files_access_level_verification';

    /**
     * File path for verification
     *
     * @var string
     */
    private $_filePath = 'app/etc/config.php';

    /**
     * Time out for HTTP verification request
     *
     * @var int
     */
    private $_verificationTimeOut = 2;

    /**
     * @var \Magento\Framework\App\CacheInterface
     */
    protected $_cache;

    /**
     * @var \Magento\Backend\App\ConfigInterface
     */
    protected $_backendConfig;

    /**
     * @var \Magento\Framework\App\Config\ScopeConfigInterface
     */
    protected $_config;

    /**
     * @var \Magento\Framework\HTTP\Adapter\CurlFactory
     */
    protected $_curlFactory;

    /**
     * @param \Magento\Framework\App\CacheInterface $cache
     * @param \Magento\Backend\App\ConfigInterface $backendConfig
     * @param \Magento\Framework\App\Config\ScopeConfigInterface $config
     * @param \Magento\Framework\HTTP\Adapter\CurlFactory $curlFactory
     */
    public function __construct(
        \Magento\Framework\App\CacheInterface $cache,
        \Magento\Backend\App\ConfigInterface $backendConfig,
        \Magento\Framework\App\Config\ScopeConfigInterface $config,
        \Magento\Framework\HTTP\Adapter\CurlFactory $curlFactory
    ) {
        $this->_cache = $cache;
        $this->_backendConfig = $backendConfig;
        $this->_config = $config;
        $this->_curlFactory = $curlFactory;
    }

    /**
     * Check verification result and return true if system must to show notification message
     *
     * @return bool
     */
    private function _canShowNotification()
    {
        if ($this->_cache->load(self::VERIFICATION_RESULT_CACHE_KEY)) {
            return false;
        }
        if ($this->_isFileAccessible()) {
            return true;
        }
        $adminSessionLifetime = (int)$this->_backendConfig->getValue('admin/security/session_lifetime');
        $this->_cache->save(true, self::VERIFICATION_RESULT_CACHE_KEY, [], $adminSessionLifetime);
        return false;
    }

    /**
     * If file is accessible return true or false
     *
     * @return bool
     */
    private function _isFileAccessible()
    {
        $unsecureBaseURL = $this->_config->getValue(Store::XML_PATH_UNSECURE_BASE_URL, 'default');

        /** @var $http \Magento\Framework\HTTP\Adapter\Curl */
        $http = $this->_curlFactory->create();
        $http->setConfig(['timeout' => $this->_verificationTimeOut]);
        $http->write(\Zend_Http_Client::POST, $unsecureBaseURL . $this->_filePath);
        $responseBody = $http->read();
        $responseCode = \Zend_Http_Response::extractCode($responseBody);
        $http->close();

        return $responseCode == 200;
    }

    /**
     * Retrieve unique message identity
     *
     * @return string
     */
    public function getIdentity()
    {
        return 'security';
    }

    /**
     * Check whether
     *
     * @return bool
     */
    public function isDisplayed()
    {
        return $this->_canShowNotification();
    }

    /**
     * Retrieve message text
     *
     * @return \Magento\Framework\Phrase
     */
    public function getText()
    {
        return __(
            'Your web server is set up incorrectly and allows unauthorized access to sensitive files. '
            . 'Please contact your hosting provider.'
        );
    }

    /**
     * Retrieve message severity
     *
     * @return int
     */
    public function getSeverity()
    {
        return \Magento\Framework\Notification\MessageInterface::SEVERITY_CRITICAL;
    }
}
Notice this line
private $_filePath = 'app/etc/config.php';
if ($this->_isFileAccessible()) { return true; }
I changed "return true" to "return false" to kill the notice.
I know this is not the way to fix this but it's all I can do at my level of expertise.
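The check in Security.php quoted above is an HTTP request, so it can be reproduced from outside Magento. The following is an added example, not part of the original posts or of Magento's code: it sends the same POST to base URL + app/etc/config.php and compares the status code when the document root is the Magento root versus pub/. The local test server, the temporary directory tree and all function names are assumptions made for the demonstration.

```python
import functools, http.server, os, tempfile, threading
import urllib.error, urllib.request

CHECKED_PATH = "app/etc/config.php"  # same value as $_filePath in Security.php

def probe_status(base_url, path=CHECKED_PATH, timeout=2):
    """POST to base_url + path, as _isFileAccessible() does, and return the HTTP status."""
    req = urllib.request.Request(base_url.rstrip("/") + "/" + path, data=b"", method="POST")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct, no proxy
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

class StaticHandler(http.server.SimpleHTTPRequestHandler):
    """Constructed stand-in for a web server that returns any file under its document root."""
    def do_POST(self):
        self.do_GET()
    def log_message(self, *args):
        pass  # keep the demo quiet

def serve(docroot):
    handler = functools.partial(StaticHandler, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]

def demo():
    """Probe a constructed tree twice: document root = Magento root, then document root = pub/."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, CHECKED_PATH)
        os.makedirs(os.path.dirname(cfg))
        os.makedirs(os.path.join(root, "pub"))
        with open(cfg, "w") as fh:
            fh.write("<?php return ['modules' => []];\n")  # constructed sample content
        os.chmod(cfg, 0o660)  # file mode does not enter into the HTTP check
        for label, docroot in (("magento_root", root), ("pub", os.path.join(root, "pub"))):
            server, url = serve(docroot)
            results[label] = probe_status(url)
            server.shutdown()
            server.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

Against a real store, call probe_status() with the store's unsecure base URL: the notice is shown only when the answer is 200, and any other status makes _isFileAccessible() return false.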
I replied to this earlier... Where did my reply go ???
Is there any solution for this issue?
Hi @TexasGreg
It may be because of improper file permissions or publicly exposed files.
Please refer to https://magento.stackexchange.com/a/101496/3895 and
You need to do two things
1. Change your site URL from HTTP to HTTPS from admin
2. Change app/etc/config.php file permission to 660
If not showing yet, clear the cache with
php bin/magento c:c && php bin/magento c:f
3. Now append the code below to app/etc/env.php
'directories' => [ 'document_root_is_pub' => true ]
4. Now switch the mode to production
bin/magento deploy:mode:set production
bin/magento cache:flush
5. Now switch back to developer mode
bin/magento deploy:mode:set developer
bin/magento cache:flush
Now check your store front-end and make sure it is working.
And what about shared web hosting?
Is it enough to just add:
'directories' => [
'document_root_is_pub' => true
]
To the env.php file?
Or what else can I do about it?
By correctly configuring the file permissions and ownership, you can address the issue of unauthorized access without modifying any code.