October: (Experimental) Testing the october:mirror command

Created on 31 Jul 2015 · 19 Comments · Source: octobercms/october

The command is currently being tested for being a suitable addition to the documentation.

Web server configuration

Using a public folder (advanced)

While this step is optional, for ultimate security in production environments it is recommended that you configure your web server to use a public/ folder to ensure only public files can be accessed. First you will need to spawn a public folder using the october:mirror command.

php artisan october:mirror public/

This will create a new directory called public/ in the project's base directory. From here, you should modify the web server configuration to use this new path as the home directory, also known as _wwwroot_.

Note: The above command needs to be performed with System Administrator or _sudo_ privileges in most cases. It should also be performed after each system update or when a new plugin is installed.

Enhancement

Most helpful comment

We hope you are testing it closely also! :+1:

All 19 comments

@chrisvanderpoel wrote:

Looks like some backend assets aren't loading when using the october:mirror public command. Since we're serving from /public now, we're going to need to have backend assets respect that as well. Media manager, in particular, was what got my attention as it cannot load up some asset files in this configuration.

These files in particular...

Watching this closely.

Watching this closely too.

We hope you are testing it closely also! :+1:

Will do!

If your goal for this command is to be an ultimate "production hardener", and it is meant to be used in conjunction with a non-public dev site, a few more files could be included.

These come to mind:

Added the files mentioned. The apple icons should live within the theme's asset directory and the path referenced in the markup, as per the linked documentation.

Commenting on this issue seems to have gone quiet. What was the consensus on this as a workable solution? Is this still considered a workaround rather than a core feature?

This was added to the documentation as an advanced feature. It works quite well for those who see this as an important function, although it still remains optional for accessibility reasons.

Thanks Samuel

This is a great feature for securing the deployed site! Thanks for that!
It works like a charm!

Now I am using some third party plugins that are attempting to access public/plugins/{plugin_author}/{plugin_name}/assets/...
I don't think copying the whole plugin folder to the public folder is a good idea as we would be allowing access to plugin files that are not supposed to be publicly available.

Is there anything a plugin developer should do to avoid the need of copying plugin folder to public folder?
I'm just wondering, what's the best practice here?

I don't think copying the whole plugin folder to the public folder is a good idea

The whole plugin folder is not copied, only the "assets" folder, which is a dedicated public folder for CSS and JS.

People are not supposed to be able to see your PHP code in your .htm files under the folder /pages, right?
Well, on my end people can go to my domain and get the file from the URL.
(Example: someurl.com/themes/example_theme/pages/home.htm)

By going to that URL people are able to see the content of the .htm file, which contains the PHP code inside.

How can I fix this?

Check if you changed or removed something from your .htaccess file. Normally your example link should show a "Page Not Found" message (or your custom page-not-found message).

I haven't changed anything on the .htaccess file.
Here's a transcript:

<IfModule mod_rewrite.c>

    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    ##
    ## You may need to uncomment the following line for some hosting environments,
    ## if you have installed to a subdirectory, enter the name here also.
    ##
    # RewriteBase /

    ##
    ## Black list protected files
    ##
    RewriteRule ^themes/.*/(layouts|pages|partials)/.*.htm index.php [L,NC]
    RewriteRule ^bootstrap/.* index.php [L,NC]
    RewriteRule ^config/.* index.php [L,NC]
    RewriteRule ^vendor/.* index.php [L,NC]
    RewriteRule ^storage/cms/.* index.php [L,NC]
    RewriteRule ^storage/logs/.* index.php [L,NC]
    RewriteRule ^storage/framework/.* index.php [L,NC]
    RewriteRule ^storage/temp/protected/.* index.php [L,NC]
    RewriteRule ^storage/app/uploads/protected/.* index.php [L,NC]

    ##
    ## White listed folders and files
    ##
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} !\.js$
    RewriteCond %{REQUEST_URI} !\.map$
    RewriteCond %{REQUEST_URI} !\.ico$
    RewriteCond %{REQUEST_URI} !\.jpg$
    RewriteCond %{REQUEST_URI} !\.jpeg$
    RewriteCond %{REQUEST_URI} !\.bmp$
    RewriteCond %{REQUEST_URI} !\.png$
    RewriteCond %{REQUEST_URI} !\.gif$
    RewriteCond %{REQUEST_URI} !\.svg$
    RewriteCond %{REQUEST_URI} !\.css$
    RewriteCond %{REQUEST_URI} !\.less$
    RewriteCond %{REQUEST_URI} !\.scss$
    RewriteCond %{REQUEST_URI} !\.pdf$
    RewriteCond %{REQUEST_URI} !\.swf$
    RewriteCond %{REQUEST_URI} !\.txt$
    RewriteCond %{REQUEST_URI} !\.xml$
    RewriteCond %{REQUEST_URI} !\.xls$
    RewriteCond %{REQUEST_URI} !\.eot$
    RewriteCond %{REQUEST_URI} !\.woff$
    RewriteCond %{REQUEST_URI} !\.woff2$
    RewriteCond %{REQUEST_URI} !\.ttf$
    RewriteCond %{REQUEST_URI} !\.flv$
    RewriteCond %{REQUEST_URI} !\.wmv$
    RewriteCond %{REQUEST_URI} !\.mp3$
    RewriteCond %{REQUEST_URI} !\.ogg$
    RewriteCond %{REQUEST_URI} !\.wav$
    RewriteCond %{REQUEST_URI} !\.avi$
    RewriteCond %{REQUEST_URI} !\.mov$
    RewriteCond %{REQUEST_URI} !\.mp4$
    RewriteCond %{REQUEST_URI} !\.mpeg$
    RewriteCond %{REQUEST_URI} !\.webm$
    RewriteCond %{REQUEST_URI} !\.mkv$
    RewriteCond %{REQUEST_URI} !\.rar$
    RewriteCond %{REQUEST_URI} !\.zip$
    RewriteCond %{REQUEST_URI} !docs/.*
    RewriteCond %{REQUEST_URI} !themes/.*
    RewriteRule ^ index.php [L,NC]

    ##
    ## Standard routes
    ##
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

</IfModule>
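To make the decision order of the rules above easier to follow, here is a small Python model of them, added for this thread (it is not Apache and not part of OctoberCMS): it takes a request URI and whether the file exists on disk, and reports whether the request is handed to index.php or served straight from the file system. The `file_exists` flag stands in for the `%{REQUEST_FILENAME} -f` test; everything else is transcribed from the .htaccess.

```python
import re

# Blacklist patterns copied from the RewriteRule lines above. RewriteRule carries [NC],
# so these are matched case-insensitively. The '.' before 'htm' is unescaped, as in the file.
BLACKLIST = [
    r"^themes/.*/(layouts|pages|partials)/.*.htm",
    r"^bootstrap/.*", r"^config/.*", r"^vendor/.*",
    r"^storage/cms/.*", r"^storage/logs/.*", r"^storage/framework/.*",
    r"^storage/temp/protected/.*", r"^storage/app/uploads/protected/.*",
]

# Extensions excluded by the "RewriteCond %{REQUEST_URI} !\.ext$" lines. RewriteCond has
# no [NC] flag here, so the comparison is case-sensitive.
STATIC_EXT = {
    "js", "map", "ico", "jpg", "jpeg", "bmp", "png", "gif", "svg", "css", "less", "scss",
    "pdf", "swf", "txt", "xml", "xls", "eot", "woff", "woff2", "ttf", "flv", "wmv", "mp3",
    "ogg", "wav", "avi", "mov", "mp4", "mpeg", "webm", "mkv", "rar", "zip",
}


def route(uri: str, file_exists: bool) -> str:
    """Return 'index.php' if the rules hand the request to OctoberCMS, or 'file' if
    Apache would serve the file from disk as-is."""
    path = uri.lstrip("/")  # RewriteRule sees the path without its leading '/'

    # Block 1: black-listed protected files go to index.php whether or not they exist.
    for pattern in BLACKLIST:
        if re.search(pattern, path, re.IGNORECASE):
            return "index.php"

    # Block 2: an existing file is also sent to index.php unless it has a static-asset
    # extension or sits under docs/ or themes/ (all RewriteConds are ANDed together).
    if file_exists:
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        in_open_dir = re.search(r"docs/.*", uri) or re.search(r"themes/.*", uri)
        if ext not in STATIC_EXT and not in_open_dir:
            return "index.php"
        # Block 3 tests !-f, which is false for an existing file, so it is served from disk.
        return "file"

    # Block 3: anything that is not a file on disk is a CMS route.
    return "index.php"
```

Note that the model only describes what happens when mod_rewrite actually processes the file; a server that never consults .htaccess (as the reporter found with IIS) applies none of these blocks.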

Interesting, normally mod_rewrite rules forward all requests (except some exceptions) to index.php. This should be working well.

Is the rest of page working normally?

For some reason, it is not, and as you can imagine I'm really worried since my website can be compromised.

Maybe something is corrupted in the mod_rewrite module, or the module isn't installed/configured. Check if this module is working normally.

Can you make a quick clean install of OctoberCMS in a test folder to check whether the platform works with a clean install?

I finally found the problem. For some reason there was one rule in IIS that was forwarding all requests to index.php instead of using the .htaccess file first.

Thank you for the help!
