More and more websites contain a security.txt file. Basically it's intended to supply contact info to which researchers can report security vulnerabilities they've found in your (hosted) website(s). You can find more information about security.txt here:

https://www.digitaltrustcenter.nl/securitytxt (Dutch)
https://securitytxt.org/
https://www.rfc-editor.org/rfc/rfc9116

I've created a PHP-based way to dynamically create the file and implement it into all your hosted websites. It uses a config file so you can easily set the desired contact info. Your customers will still be able to overrule the file with one of their own in their document root. It can be installed into both Apache and Nginx. Here you find my files and how to install them onto your webserver:

https://github.com/remkohat/dynamic-security.txt

The last part of the installation, "Server-wide", for both Apache and Nginx, will now be explained for ISPConfig:

Apache:

Copy vhost.conf.master to create your own custom vhost template for your websites.
Code:
cp /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf-custom/
!Skip this step if you already have your own custom vhost template!

Find these lines in /usr/local/ispconfig/server/conf-custom/vhost.conf.master:
Code:
<tmpl_if name="rewrite_enabled">
RewriteEngine on

Insert this next line:
Code:
RewriteOptions Inherit

Nginx:

Copy nginx_vhost.conf.master to create your own custom vhost template for your websites.
Code:
cp /usr/local/ispconfig/server/conf/nginx_vhost.conf.master /usr/local/ispconfig/server/conf-custom/
!Skip this step if you already have your own custom vhost template!

Find these lines in /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master:
Code:
root <tmpl_var name='web_document_root_www'>;
disable_symlinks if_not_owner from=$document_root;

Insert this next line:
Code:
include /etc/nginx/snippets/securitytxt.conf;

ISPConfig:

To also implement security.txt into already existing websites you need to resync them.
Go to: Tools >> Sync Tools >> Resync. Check Websites, select your webserver and click Start.

Test your website:

You can test your website at https://en.internet.nl/ to see if the installation was successful. If on the result page Security.txt is checked green under Security options >> Other security options, then all has gone well.
I've made some minor changes in a few files and the readme.

A side note about testing your website: if you don't sign security.txt (with an OpenPGP key), the test results will give you a blue "i" instead of a green check, meaning the file is found and there are one or more recommendations.
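As an added example (not code from the dynamic-security.txt project or from the internet.nl test), here is a small Python checker that applies the RFC 9116 rules to the body of a security.txt file and separates hard errors (MUST violations such as a missing Contact or Expires) from recommendations (SHOULD violations such as an unsigned file). The sample files and the fixed clock are constructed for the example; an OpenPGP cleartext signature is only detected and stripped, not verified.

```python
"""Minimal checker for the body of a security.txt file against RFC 9116.

Added example, not code from the dynamic-security.txt project. It separates
MUST violations (errors) from SHOULD violations (recommendations), so an
unsigned but otherwise valid file comes back with ok=True plus a
recommendation, which is the kind of result the blue "i" described above stands for.
The OpenPGP cleartext signature is only detected and stripped, not verified.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

PGP_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
URI_RE = re.compile(r"^(https?|mailto|tel):", re.IGNORECASE)


def strip_clearsign(text: str) -> tuple[str, bool]:
    """Return (body, signed); for a clearsigned file only the signed text is returned."""
    lines = text.splitlines()
    if not lines or lines[0] != PGP_HEADER:
        return text, False
    try:
        # Armor headers ("Hash: SHA256") run up to the first empty line.
        start = lines.index("", 1) + 1
        end = lines.index(PGP_SIG_BEGIN, start)
    except ValueError:  # malformed armor: treat as plain, unsigned text
        return text, False
    # Undo dash-escaping ("- -----") that clearsigning applies to lines starting with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]
    return "\n".join(body) + "\n", True


def parse_fields(body: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs; names are case-insensitive, '#' lines are comments."""
    fields = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_expires(value: str) -> datetime | None:
    """Parse an RFC 3339 timestamp such as 2025-12-31T23:59:00.000Z (offset required)."""
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo is not None else None


def check_security_txt(text: str, now: datetime | None = None) -> dict:
    """Check one security.txt body; returns ok/signed flags plus error and recommendation lists."""
    now = now or datetime.now(timezone.utc)
    body, signed = strip_clearsign(text)
    errors, recs = [], []
    by_name: dict[str, list[str]] = {}
    for name, value in parse_fields(body):
        by_name.setdefault(name, []).append(value)

    contacts = by_name.get("contact", [])
    if not contacts:
        errors.append("Contact is required (at least one)")
    for c in contacts:
        if not URI_RE.match(c):
            errors.append(f"Contact is not a URI: {c}")
        elif c.lower().startswith("http://"):
            recs.append(f"Contact web URL should use https://: {c}")

    expires = by_name.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires is required and must appear exactly once")
    else:
        when = parse_expires(expires[0])
        if when is None:
            errors.append(f"Expires is not an RFC 3339 timestamp with offset: {expires[0]}")
        elif when <= now:
            errors.append(f"file expired at {expires[0]}")
        elif when > now + timedelta(days=365):
            recs.append("Expires should be less than a year in the future")

    if len(by_name.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must not appear more than once")

    if not signed:
        recs.append("file is not signed with an OpenPGP cleartext signature")
    elif "canonical" not in by_name:
        recs.append("signed file should also carry a Canonical field")

    return {"ok": not errors, "signed": signed, "errors": errors, "recommendations": recs}


# Constructed sample files (not taken from any real site); the signature below is a placeholder.
UNSIGNED = """\
# Constructed example
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2026-06-30T00:00:00.000Z
Preferred-Languages: en, nl
"""
SIGNED = (PGP_HEADER + "\nHash: SHA256\n\n" + UNSIGNED
          + "Canonical: https://example.com/.well-known/security.txt\n"
          + PGP_SIG_BEGIN + "\n\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\n-----END PGP SIGNATURE-----\n")
EXPIRED = "Contact: mailto:security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
NOW = datetime(2025, 11, 26, tzinfo=timezone.utc)  # fixed clock so the results are stable

if __name__ == "__main__":
    for label, sample in (("unsigned", UNSIGNED), ("signed", SIGNED), ("expired", EXPIRED)):
        print(label, check_security_txt(sample, now=NOW))
```

Run it against the body you fetch from https://yourdomain/.well-known/security.txt to see, before testing on internet.nl, whether a blue "i" is going to be a missing signature or something else; pass `now=datetime.now(timezone.utc)` (the default) rather than the fixed clock for a real check.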
At least under Apache it is possible to combine the server-wide deployment with a site-specific deployment using the same files. Obviously in another folder though.

Copy the securitytxt folder to /var/www/<websitedomain>/private/ for example.
Change the settings in /var/www/<websitedomain>/private/securitytxt/conf/config.php to your liking.

Add this in your website settings under the Options tab and Apache directives:
Code:
Alias /.well-known/security.php /var/www/<websitedomain>/private/securitytxt/securitytxt.php
<Directory /var/www/<websitedomain>/private/securitytxt>
    Options SymLinksIfOwnerMatch
    Require all granted
</Directory>
# Disallow web access to directories that don't need it
<Directory /var/www/<websitedomain>/private/securitytxt/conf>
    Require all denied
</Directory>
<Directory /var/www/<websitedomain>/private/securitytxt/sign>
    Require all denied
</Directory>
<Directory /var/www/<websitedomain>/private/securitytxt/snippet>
    Require all denied
</Directory>

Rewrite rules can be left out as they are already inherited from the server-wide deployment.

If you want to sign with an OpenPGP key:

Create a .gnupg folder and change ownership. For example:
Code:
mkdir /var/www/<websitedomain>/private/.gnupg
chown www-data:www-data /var/www/<websitedomain>/private/.gnupg

And add this line in /var/www/<websitedomain>/private/securitytxt/sign/sign.php as the first line within the if statement:
Code:
putenv('GNUPGHOME=/var/www/<websitedomain>/private/.gnupg');

The same steps can be followed when there's no server-wide deployment active and you want to use the script standalone. You do then have to add the rewrite rules you can find in /var/www/<websitedomain>/private/securitytxt/conf/apache.conf in your website settings under the Options tab and Apache directives.

I'll check Nginx at a later date.
This file can't be under the root, it needs to be under the .well-known directory (these are new rules).
Root is still accepted as legacy according to https://www.rfc-editor.org/rfc/rfc9116#name-location-of-the-securitytxt

And as my Apache and Nginx configs on GitHub redirect both /security.txt and /.well-known/security.txt to the same PHP script, so the content of both is exactly the same, there wasn't any breach of the RFC. Nevertheless, because root is considered legacy I deleted it from the configs.
Another update, v2.0.0 (final version, at least for the near future):
Rewrite /.well-known/security.txt to HTTPS if HTTP is used, as HTTPS is required by RFC 9116
Bugfix in apache.conf
Tested up to PHP 8.3
@remkoh Hi remkoh, have you tested this on sites using Apache with chrooted PHP?

I've got it working on Ubuntu 24.04 with Nginx, and it works fine with both non-chrooted and chrooted PHP.

With Apache, I've got it working fine when the site is not using a chrooted PHP, but when I enable 'chroot php-fpm' the only response I get from the server is 'File not found', and from the site's error log:
Code:
[Mon Nov 25 11:00:54.974048 2024] [proxy_fcgi:error] [pid 531403:tid 279558135804192] [remote 86.129.39.99:54862] AH01071: Got error 'Primary script unknown'
No, I haven't tested chrooted PHP at all. The call to the script in Apache is completely different than in Nginx. So I can't say I'm completely surprised.