From 511f7711f1f53c0453b498c2ea80882deffd2427 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 9 Jul 2019 19:49:08 +0200 Subject: [PATCH] Updated the setup articles to always use the Symfony local web server --- _build/redirection_map | 1 + contributing/code/security.rst | 3 +- quick_tour/the_big_picture.rst | 8 ++--- security.rst | 6 ---- security/security_checker.rst | 29 ------------------ setup.rst | 56 +++++++++++++++++++--------------- setup/built_in_web_server.rst | 11 ++++--- setup/symfony_server.rst | 22 +++++++++---- 8 files changed, 61 insertions(+), 75 deletions(-) delete mode 100644 security/security_checker.rst diff --git a/_build/redirection_map b/_build/redirection_map index 01de4d3eecc..02d9fc81cc6 100644 --- a/_build/redirection_map +++ b/_build/redirection_map @@ -424,3 +424,4 @@ /contributing/community/other /contributing/community /profiler/storage /profiler /setup/composer /setup +/security/security_checker /setup diff --git a/contributing/code/security.rst b/contributing/code/security.rst index f263d3c4fc2..344661b4958 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -169,7 +169,8 @@ Security Advisories .. tip:: You can check your Symfony application for known security vulnerabilities - using the ``security:check`` command (see :doc:`/security/security_checker`). + using the ``security:check`` command provided by the + :ref:`Symfony security checker `. Check the `Security Advisories`_ blog category for a list of all security vulnerabilities that were fixed in Symfony releases, starting from Symfony diff --git a/quick_tour/the_big_picture.rst b/quick_tour/the_big_picture.rst index d947f17e55e..7ec7f08ac51 100644 --- a/quick_tour/the_big_picture.rst +++ b/quick_tour/the_big_picture.rst 
@@ -41,13 +41,13 @@ Symfony application: Can we already load the project in a browser? Yes! You can setup :doc:`Nginx or Apache ` and configure their -document root to be the ``public/`` directory. But, for development, Symfony has -its own server. Install and run it with: +document root to be the ``public/`` directory. But, for development, it's better +to :doc:`install the Symfony local web server ` and run +it as follows: .. code-block:: terminal - $ composer require --dev server - $ php bin/console server:start + $ symfony server:start Try your new app by going to ``http://localhost:8000`` in a browser! diff --git a/security.rst b/security.rst index 394a20c9239..0def4e394f2 100644 --- a/security.rst +++ b/security.rst @@ -928,11 +928,6 @@ For example, in a controller extending from the :ref:`base controller ` that looks for the user roles in the database. -Checking for Security Vulnerabilities in your Dependencies ----------------------------------------------------------- - -See :doc:`/security/security_checker`. - Frequently Asked Questions -------------------------- @@ -1005,7 +1000,6 @@ Authorization (Denying Access) security/access_denied_handler security/acl security/force_https - security/security_checker .. _`frameworkextrabundle documentation`: https://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/index.html .. _`HWIOAuthBundle`: https://github.com/hwi/HWIOAuthBundle diff --git a/security/security_checker.rst b/security/security_checker.rst deleted file mode 100644 index 331270f86ec..00000000000 --- a/security/security_checker.rst +++ /dev/null 
@@ -1,29 +0,0 @@ -.. index:: - single: Security; Vulnerability Checker - -How to Check for Known Security Vulnerabilities in Your Dependencies -==================================================================== - -When using lots of dependencies in your Symfony projects, some of them may -contain security vulnerabilities. That's why the :doc:`Symfony local server ` -includes a command called ``security:check`` that checks your ``composer.lock`` -file to find known security vulnerabilities in your installed dependencies: - -.. code-block:: terminal - - $ symfony security:check - -A good security practice is to execute this command regularly to be able to -update or replace compromised dependencies as soon as possible. The security -check is done locally by cloning the `security advisories database`_ published -by the FriendsOfPHP organization, so your ``composer.lock`` file is not sent on -the network. - -.. tip:: - - The ``security:check`` command terminates with a non-zero exit code if - any of your dependencies is affected by a known security vulnerability. - This way you can add it to your project build process and your continuous - integration workflows to make them fail when there are vulnerabilities. - -.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories diff --git a/setup.rst b/setup.rst index 2d882e97332..004425809e8 100644 --- a/setup.rst +++ b/setup.rst 
@@ -10,28 +10,42 @@ Installing & Setting up the Symfony Framework Do you prefer video tutorials? Check out the `Stellar Development with Symfony`_ screencast series. -To create your new Symfony application, first make sure you're using PHP 7.1 or -higher and have `Composer`_ installed. If you don't, start by `installing Composer`_. +Installing Symfony +------------------ -Create your new project by running: +Before creating your first Symfony application, make sure to meet the following +requirements: + +* Your server has PHP 7.1 or higher installed (and :doc:`these PHP extensions ` + which are installed and enabled by default by PHP); +* You have `installed Composer`_, which is used to install PHP packages; +* You have installed the :doc:`Symfony local web server `, + which provides all the tools you need to develop your application locally. + +Once these requirements are installed, open your terminal and run any of these +commands to create the Symfony application: .. code-block:: terminal - $ composer create-project symfony/website-skeleton my-project + # run this if you are building a traditional web application + $ symfony new --full my_project -This will create a new ``my-project`` directory, download some dependencies into -it and even generate the basic directories and files you'll need to get started. -In other words, your new app is ready! + # run this if you are building a microservice, console application or API + $ symfony new my-project -.. tip:: +The only difference between these two commands is the number of packages +installed. The ``--full`` option installs all the packages that you usually +need to build web apps. Therefore, the installation size will be much bigger. - The ``website-skeleton`` is optimized for traditional web applications. 
If - you are building microservices, console applications or APIs, consider - using the much simpler ``skeleton`` project: +Both commands will create a new ``my-project/`` directory, download some +dependencies into it and even generate the basic directories and files you'll +need to get started. In other words, your new app is ready! - .. code-block:: terminal +.. seealso:: - $ composer create-project symfony/skeleton my-project + If you can't use the ``symfony`` command provided by the Symfony local web + server, use the alternative installation commands based on Composer and + displayed on the `Symfony download page`_. Running your Symfony Application -------------------------------- @@ -39,14 +53,14 @@ Running your Symfony Application On production, you should use a web server like Nginx or Apache (see :doc:`configuring a web server to run Symfony `). But for development, it's more convenient to use the -:doc:`Symfony Local Web Server `. +:doc:`Symfony Local Web Server ` installed earlier. This local server provides support for HTTP/2, TLS/SSL, automatic generation of security certificates and many other features. It works with any PHP application, not only Symfony projects, so it's a very useful development tool. -`Download the Symfony local web server`_, install it, move into your new project -directory and start the local web server as follows: +Open your terminal, move into your new project directory and start the local web +server as follows: .. code-block:: terminal @@ -113,13 +127,6 @@ command which displays information about the app: $ php bin/console about -Checking for Security Vulnerabilities -------------------------------------- - -Symfony provides a utility called the "Security Checker" to check whether your -project's dependencies contain any known security vulnerability. Check out -the integration instructions for `the Security Checker`_ to set it up. - The Symfony Demo application ---------------------------- 
@@ -153,8 +160,9 @@ Go Deeper with Setup .. _`Stellar Development with Symfony`: http://symfonycasts.com/screencast/symfony .. _`Composer`: https://getcomposer.org/ -.. _`installing Composer`: https://getcomposer.org/download/ +.. _`installed Composer`: https://getcomposer.org/download/ .. _`Download the Symfony local web server`: https://symfony.com/download +.. _`Symfony download page`: https://symfony.com/download .. _`the Security Checker`: https://github.com/sensiolabs/security-checker#integration .. _`The Symfony Demo application`: https://github.com/symfony/demo .. _`symfony/symfony-demo`: https://github.com/symfony/demo diff --git a/setup/built_in_web_server.rst b/setup/built_in_web_server.rst index 2837c004bd0..3f13a4c712c 100644 --- a/setup/built_in_web_server.rst +++ b/setup/built_in_web_server.rst @@ -4,16 +4,17 @@ How to Use PHP's built-in Web Server ==================================== +.. caution:: + + This article explains how to use the web server based on the WebServerBundle. + This is no longer recommended in new Symfony applications. Instead, use the + :doc:`Symfony Local Web Server `. + The PHP CLI SAPI comes with a `built-in web server`_. It can be used to run your PHP applications locally during development, for testing or for application demonstrations. This way, you don't have to bother configuring a full-featured web server such as :doc:`Apache or Nginx `. -.. tip:: - - The preferred way to develop your Symfony application is to use - :doc:`Symfony Local Web Server `. - .. caution:: The built-in web server is meant to be run in a controlled environment. diff --git a/setup/symfony_server.rst b/setup/symfony_server.rst index b84709b01d4..aa8066e2d21 100644 --- a/setup/symfony_server.rst +++ b/setup/symfony_server.rst 
@@ -321,20 +321,29 @@ Bonus Features In addition to being a local web server, the Symfony server provides other useful features: +.. _security-checker: + Looking for Security Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Instead of installing the :doc:`Symfony Security Checker ` -as a dependency of your projects, you can run the following command: +Run the following command to check whether your project's dependencies contain +any known security vulnerability: .. code-block:: terminal $ symfony security:check -This command uses the same vulnerability database as the Symfony Security -Checker but it does not make HTTP calls to the official API endpoint. Everything -(except cloning the public database) is done locally, which is the best for CI -(*continuous integration*) scenarios. +A good security practice is to execute this command regularly to be able to +update or replace compromised dependencies as soon as possible. The security +check is done locally by cloning the public `PHP security advisories database`_, +so your ``composer.lock`` file is not sent on the network. + +.. tip:: + + The ``security:check`` command terminates with a non-zero exit code if + any of your dependencies is affected by a known security vulnerability. + This way you can add it to your project build process and your continuous + integration workflows to make them fail when there are vulnerabilities. Creating Symfony Projects ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -370,3 +379,4 @@ that Composer will also set the stability to ``dev`` for all root dependencies): .. _`Docker`: https://en.wikipedia.org/wiki/Docker_(software) .. _`SymfonyCloud`: https://symfony.com/cloud/ .. _`Read SymfonyCloud technical docs`: https://symfony.com/doc/master/cloud/intro.html +.. _`PHP security advisories database`: https://github.com/FriendsOfPHP/security-advisories
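
Review bot: in `_build/redirection_map`, the new entry `/security/security_checker /setup` sends readers to a page that no longer mentions the checker, because the `setup.rst` hunk in this same patch deletes its "Checking for Security Vulnerabilities" section. The content now lives under the `security-checker` label in `setup/symfony_server.rst`, so the redirect should point to `/setup/symfony_server` instead.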
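
Review bot: in `security.rst`, removing the whole "Checking for Security Vulnerabilities in your Dependencies" section (hunk at -928) together with the `security/security_checker` toctree entry leaves the main security article with no pointer to dependency checking. Keep the heading and replace its body with a one-line reference to the `security-checker` label added in `setup/symfony_server.rst`, the same way `contributing/code/security.rst` is updated in this patch.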
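
Review bot: in `setup.rst` (hunk at -10), the two new commands use different project names, `symfony new --full my_project` and `symfony new my-project`, while the paragraph below says both commands create a `my-project/` directory. Change the first command to `my-project` so the commands and the prose agree.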
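
Review bot: in the link-target hunk of `setup.rst` (at -153), the targets `Composer`, `Download the Symfony local web server` and `the Security Checker` stay defined although the earlier hunks of this patch remove the sentences that referenced them. If nothing else in the file uses them, delete all three; the new `Symfony download page` target already carries the same URL as `Download the Symfony local web server`.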
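
Review bot: in `setup/built_in_web_server.rst`, the new caution says the article covers "the web server based on the WebServerBundle", but the title and the opening paragraph present it as PHP's built-in web server, and the bundle has not been introduced at that point. State how the two relate inside the caution so the deprecation notice is unambiguous. The page also ends up with two `.. caution::` blocks a paragraph apart, which weakens the existing warning about running the built-in server in a controlled environment; consider making the new one a `.. note::` or merging them.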
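
Review bot: in `setup/symfony_server.rst`, the rewritten paragraph says the check is done "by cloning the public `PHP security advisories database`_" and the tip recommends the exit code as a CI gate, but nothing says what the command returns when the clone fails or cannot be refreshed. Readers who wire this into a build need to know whether that case fails the job or passes silently; add a sentence covering it, and mention that the clone requires network access even though `composer.lock` is not sent.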