Forum

We are using Hiawatha to serve backends for several mobile apps. One of our apps is communicating with one of its API endpoint with PUT requests.

This is the the backend repo: Connfa Integration Server [github.com], it's actually a Laravel app.

Everytime the mobile apps send PUT requests to updateSchedule endpoint, contents of the public/index.php is overwritten with the JSON data, i.e.:

{"data":[1,4,3]}

As you might have easily guessed, this file level alteration renders the whole backend obsolete and mobile apps start to crash, panel becomes inaccessable.

My setup is Hiawatha v10.6, PHP 7.0.19-1, MariaDB 10.1.26 on Debian 9.1. And this is the virtual host config I use on Hiawatha. "EnableAlter = yes" is present at the binding level, scannerblocker UrlToolkit has regexes for bunch of common User-Agents and scannerblocker UrlToolkit blocks requests to alternative locations of phpMyAdmin and several other locations for xmlrpc etc. (Forum didn't allow me to post the message with their content, I had to remove them in order get pass the spam detection).

UrlToolkit {
        ToolkitID = laravel
        RequestURI exists Return
        Match [^?]*(\?.*)? Rewrite /index.php$1
}

VirtualHost {
        Hostname = app.domain.tld
        WebsiteRoot = /var/www/app.domain.tld/http/public
        StartFile = index.php
        Alias = /logs:/var/www/app.domain.tld/logs
        UseLocalConfig = yes
        AccessLogfile = /var/www/app.domain.tld/logs/access.log
        ErrorLogfile = /var/www/app.domain.tld/logs/error.log
        AlterList = allow all
        TimeForCGI = 50
        UseFastCGI = PHP7
        UseToolkit = scannerblocker
        UseToolkit = vulnerabilityblocker
        UseToolkit = laravel
        DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
        DenyBody = ^.*%3Cmeta.*%2F%3E.*$
        DenyBody = ^.*%3Ciframe.*%2F%3E.*$
        DenyBody = ^.*%00.*$
        PreventCSRF = yes
        PreventXSS = yes
        RandomHeader = 250
        CustomHeader = X-Frame-Options: DENY
        CustomHeader = X-XSS-Protection: 1; mode=block
        CustomHeader = X-Content-Type-Options: nosniff
        CustomHeader = Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic' http:; form-action 'self'; frame-ancestors 'none';$
}

Trying different things for a couple of days now, but couldn't solve it yet. So I thought the issue might be related to Hiawatha. To be sure, I moved the backend to another server, which runs nginx, and I used the virtual host config below:

server {
		listen 80;
		root /var/www/app.domain.tld/http/public;
		index index.php index.html index.htm;
		access_log /var/www/app.domain.tld/logs/access.log;
		error_log /var/www/app.domain.tld/logs/error.log;	

		server_name app.domain.tld;

		location / {
				try_files $uri $uri/ /index.php?$query_string;
				dav_methods put;
				client_body_temp_path /var/www/app.domain.tld/http/public/temp;
				create_full_put_path on;
				client_max_body_size 0;
				dav_access user:rw group:rw all:rw;
		}

		location ~ \.php$ {
				try_files $uri =404;
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
				include fastcgi_params;
				fastcgi_index index.php;
				fastcgi_pass unix:/var/run/php5-fpm.sock;
		}
}

Mobile apps communicate successfuly with the backend with nginx and index.php left unaltered.

Am I doing something wrong in my Hiawatha setup? Or did I unintentionally step on a bug here?

Use the following setting for your virtual host:

VirtualHost {
  ...
  WebDAVapp = yes
}

I usually set app files' permissions so that they're not writeable by PHP and the webserver.

Out of interest, what is the reason here that a PHP file is being overwritten?

Because of the PUT request. A PUT request means: replace the content of the file with the request body.

Sorry for missing that part on the manual Hugo, thanks for pointing out, appreciated.

Problem has been solved.