There are other threads that answer some of your questions. I will recap here for you and all who need them.
To deploy formalms on a Linux / BSD environment the best package is the tar.gz, which contains files and directories already set with the right permissions, if you can untar it directly on the server; otherwise the tar and zip formats are the same and have the same contents.
The permissions suggested for security are:
- Beginning from the DOCROOT or from the directory where formalms is published:
- All directories and files owned by a specific user, neither root nor the web server user (www-data under Debian/Ubuntu, apache under Red Hat, CentOS, ...)
- All directories with permissions: 755 (write permission only for owner) or 555 (no write permissions at all, only read)
- All files with permissions: 644 (write permission only for owner) or 444 (no write permissions, only read)
- All directories under the files directory (the web server writes uploaded or generated files under this one):
- Directories and files owned by web server user
- All directories permissions: 755
- All files: 644
With the above configuration, the config.php file is not writable by the web server. During install you must download the generated one from the browser and upload it to the web server.
At the end of installation remove the install and upgrade directories or rename them with an unusual and strange name to prevent anyone from using them.
Which files and directories should be blocked from outside? I do not understand every regex in .htaccess.
The root .htaccess blocks, from start to end:
- blocks all files: .htpasswd, *.ini, *.php, *.fla, *.psd, *.log, *.sh
- blocks all composer configuration files: composer.json, composer.lock
- blocks all variants of readme files (e.g. readme.txt, readme.md, ...)
- permits only PHP entry files: index.php, cron.php, tasks.php, ...
The .htaccess under the files directory:
- removes web server execution for well known web script engines (cgi, php, ruby, python, perl, asp, aspx)
- disables the PHP engine, both PHP 5 and PHP 7
The minimum PHP modules needed are checked at installation time; you can also check PHP from the global admin dashboard (Server configuration link). Here are some hints:
- GD and intl are welcome
- opcache (or other cache system) can be used
- memcache (or similar) can be used (must be correctly configured) for sessions
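The permission scheme above (755/555 directories and 644/444 files outside files/, 755/644 under files/, install/ and upgrade/ removed) can be checked after deployment with a small audit script. This is an added example, not code from the post or from the formalms project; the function name and the optional owner arguments are my own, and the files/ directory name is taken from the post.

```sh
#!/bin/sh
# Audit a formalms DOCROOT against the permission scheme recommended above.
# Usage: audit_formalms_perms DOCROOT [APP_OWNER] [WEB_USER]
#   DOCROOT    directory where formalms is published
#   APP_OWNER  (optional) account that should own everything outside files/
#   WEB_USER   (optional) web server account that should own files/ (www-data, apache, ...)
# Prints one line per violation; returns 0 when clean, 1 otherwise.
audit_formalms_perms() {
    docroot=${1%/}
    app_owner=$2
    web_user=$3
    files_dir="$docroot/files"

    report=$(
        # Outside files/: directories 755 or 555, files 644 or 444 (never group/other writable)
        find "$docroot" -path "$files_dir" -prune -o -type d ! -perm 755 ! -perm 555 -print \
            | sed 's|$| : directory outside files/ must be 755 or 555|'
        find "$docroot" -path "$files_dir" -prune -o -type f ! -perm 644 ! -perm 444 -print \
            | sed 's|$| : file outside files/ must be 644 or 444|'
        # Inside files/ (the web server writes here): directories 755, files 644
        if [ -d "$files_dir" ]; then
            find "$files_dir" -type d ! -perm 755 -print | sed 's|$| : directory under files/ must be 755|'
            find "$files_dir" -type f ! -perm 644 -print | sed 's|$| : file under files/ must be 644|'
        fi
        # Ownership, only checked when the expected accounts are given
        if [ -n "$app_owner" ]; then
            find "$docroot" -path "$files_dir" -prune -o ! -user "$app_owner" -print \
                | sed "s|\$| : must be owned by $app_owner, not the web server user|"
        fi
        if [ -n "$web_user" ] && [ -d "$files_dir" ]; then
            find "$files_dir" ! -user "$web_user" -print | sed "s|\$| : must be owned by $web_user|"
        fi
        # install/ and upgrade/ must not survive the installation
        for d in install upgrade; do
            if [ -d "$docroot/$d" ]; then
                echo "$docroot/$d : remove or rename after installation"
            fi
        done
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run it as `audit_formalms_perms /var/www/formalms deploy www-data` after each upgrade; a world-writable config.php or a leftover install/ directory shows up as a violation line.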