
< GDB >'s avatar

!=deployed: Connection to site is not secure > Should I be worried

As title says, I get the warning that my connection is not secure (from what I read, this is a big no-no). The good news (at least I hope) is that I'm just testing in a local environment, the site is not deployed.

Between courses, I decided to read / search a bit more regarding this topic. But am left with a few doubts:

A) From what I understood, this is completely fine right? I mean as long as it is not deployed there is absolutely no risk (passwords, email, etc)?

B) Laravel should always be served out of the root of the "web directory" configured for your web server. You should not attempt to serve a Laravel application out of a subdirectory of the "web directory". Attempting to do so could expose sensitive files present within your application.

I have a hard time understanding this, could this be explained like I'm 5 years old or with an example?

C) Installing Laravel in a Subfolder? Hide your .env file.

Again, not really sure how to verify this. I have my project stored in a folder users/username/code/projectname; clicking that folder, my folder structure is exactly like this: https://laravel-news.com/subfolder-install

So I tried to retrieve my .env file by going to browser>projectname.test/.env -> resulted in a 404. In this case I thought I should get access to the .env file with important data. As this is not the case, can I conclude I was wrong?

D) Lastly, should I just leave it be for the time, until I get more confident with Laravel? Or is this a must do/know before everything else?

Thanks guys/girls!

0 likes
6 replies
laracoft's avatar

A. It simply means that between your browser and the server, there is no encryption of the traffic. If anyone is saving all the network traffic, they can see passwords in clear if they are being transmitted. Since it is your local network, it is usually assumed no one on your local network is saving the traffic.

B. If your Laravel project homepage loads in a URL like http://website.test/public/ then the hacker can load http://website.test/public/../.env which will expose all your database passwords, keys and stuff. In other words, your webserver (Apache/Nginx) root directory setting should point to /var/www/Laravel/public/ and not what some folks do, which is to point to just /var/www/Laravel/

C. Your URLs are messed up, but the idea is to ensure .env is not exposed. Same as B.

D. You have no issues for now. When going production, just make sure you have https instead of http

< GDB >'s avatar

Thanks for the feedback @laracoft , can I ask a few more follow up questions?

A. 'it is usually assumed no one on your local network is saving the traffic' Basically the malicious person would need to have access to my local network first, right?

B. Uff not the case, so basically it's the same as installing Laravel in a subfolder. I was so convinced I did because of the path (users/username/code/projectname)

C. My URL is www.projectname.test/ (is that messed up or did I confuse you with putting that path there?)

D. Thnx, bit more peace of mind

laracoft's avatar
laracoft
Best Answer
Level 27

A. Yes, that's the usual assumption.

B1. We can configure multiple domains on Apache, for e.g. it has a default path of /var/www/html => http://website.com/

B2. So if you install Laravel in /var/www/html/Laravel, and configure Apache to use http://laravelproject.com/ , one can still load http://website.com/Laravel/.env , and you got a problem.

B3. You want to make sure Laravel is installed elsewhere inaccessible by http://website.com/Laravel

C. Not quite sure what you meant by "hide" .env, but I think that is not possible. The approach is usually to ensure there is no path that can load the .env file like in B

1 like
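
The layout from B1 to B3 above as a filesystem check, added here as an example and not part of the original replies: it lists the Laravel files that sit below a given document root and the URL each would map to. The names `exposed_files` and `demo` are hypothetical, the sample tree is constructed in a temporary directory, and `website.com` and the `/var/www` paths are the placeholders used in the answer.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). exposed_files and demo are hypothetical
# names; website.com and the /var/www paths are the placeholders used above.

# exposed_files DOCROOT [BASE_URL]
# Prints "URL -> file" for every .env* or artisan file below DOCROOT, i.e. files
# the web server could be asked for by path. Returns 1 if any were found.
exposed_files() {
    docroot=${1%/}
    base=${2:-http://website.com}
    found=0
    list=$(find -L "$docroot" -type f \
        \( -name '.env' -o -name '.env.*' -o -name 'artisan' \) 2>/dev/null | sort)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '%s%s -> %s\n' "$base" "${f#"$docroot"}" "$f"
        found=1
    done <<EOF
$list
EOF
    return "$found"
}

# Constructed layouts under a temp dir: B2 (project inside the default
# document root) next to B3 (project elsewhere, only public/ is served).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/www/html/Laravel/public" "$tmp/var/www/Laravel/public"
    for project in "$tmp/var/www/html/Laravel" "$tmp/var/www/Laravel"; do
        printf 'DB_PASSWORD=constructed-value\n' > "$project/.env"
        : > "$project/artisan"
        : > "$project/public/index.php"
    done
    echo "DocumentRoot /var/www/html:"
    exposed_files "$tmp/var/www/html" || echo "  -> move the project out of the document root"
    echo "DocumentRoot /var/www/Laravel/public:"
    exposed_files "$tmp/var/www/Laravel/public" && echo "  no .env or artisan below the document root"
    rm -rf "$tmp"
}

demo
```

Run against a real server, the argument is the `DocumentRoot` (Apache) or `root` (Nginx) value of each configured site; a hit means the file is inside the served tree, whether or not a separate deny rule currently blocks it.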
< GDB >'s avatar

@laracoft Interesting, thnx for taking the time to help me understand the subject a bit better. At least I know that for now, I'm quite 'secure' but will have to go deeper into the subject later on (to-do post-its everywhere ^^ )

Thank you again
