Securely installing Magmi

Default installations of Magmi are disabled by the firewall in MageStack due to the extremely severe security risks they pose. If you wish to utilise Magmi, it must be installed and secured properly before use.

Securing Magmi

The most important first step is to ensure that the Magmi directory as a whole is not publicly accessible. Only the web directory inside the Magmi directory should be exposed; the remaining files should be inaccessible. Using a symlink is the easiest way to achieve this.

Move the Magmi directory out of the document root, then create a symlink (with an obscure name, e.g. some-obscure-name) back to the web directory.

cd /microcloud/domains/example/domains/example.com/http/
mv magmi ../___magmi
ln -s ../___magmi/web some-obscure-name

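Then add the following location directive to your Nginx configuration file to restrict access by IP address or by HTTP basic authentication. Replace my.ip.add.ress, /microcloud/domains/example/domains/example.com/___magmi/.htpasswd and some-obscure-name as necessary. With satisfy any, a request is allowed if it passes either check; the auth_basic_user_file line is commented out below, so uncomment it to enable username/password access. Then reload Nginx for the changes to take effect.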

location ~* ^/some-obscure-name {
  satisfy any;
  allow my.ip.add.ress;
  auth_basic "Restricted Access";
  # See https://www.sonassi.com/help/magestack/protecting-virtual-hosts-directories
  # for help using username/password restriction
  #auth_basic_user_file /microcloud/domains/example/domains/example.com/___magmi/.htpasswd;
  deny all;
  location ~* \.(php)$ {
    include fastcgi_params;
  }
  try_files $uri $uri/ @bootstrap;
}
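
A layout check for the steps above, as an added example that is not part of the original page: it confirms that the Magmi directory sits outside the document root, that any symlink into it lands in web only, and that .htpasswd is not inside the exposed directory. The function names check_magmi_layout and demo are hypothetical, and the demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example. check_magmi_layout and demo are hypothetical helper names.
# Usage: check_magmi_layout DOCROOT MAGMI_DIR   (returns 0 only if safe)
check_magmi_layout() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: no docroot $1"; return 2; }
    magmi=$(cd "$2" 2>/dev/null && pwd -P) || { echo "FAIL: no Magmi dir $2"; return 2; }
    rc=0 found=0

    # 1. The Magmi directory itself must live outside the document root.
    case "$magmi/" in
        "$docroot"/*) echo "FAIL: $magmi is inside the document root"; rc=1 ;;
    esac

    # 2. Any symlink in the document root that resolves into Magmi must
    #    land in MAGMI_DIR/web, never on the parent or a sibling directory.
    for entry in "$docroot"/* "$docroot"/.[!.]*; do
        [ -L "$entry" ] || continue
        target=$(cd "$entry" 2>/dev/null && pwd -P) || continue
        case "$target/" in
            "$magmi/web/"*) found=1; echo "OK: ${entry##*/} -> $target" ;;
            "$magmi"/*)     echo "FAIL: ${entry##*/} exposes $target"; rc=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no symlink into $magmi/web"; rc=1; }

    # 3. The password file must stay outside the exposed web directory.
    if [ -e "$magmi/web/.htpasswd" ]; then
        echo "FAIL: .htpasswd is inside the exposed web directory"; rc=1
    fi
    return "$rc"
}

# Constructed demo tree in a temp directory, mirroring the page's layout.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/http" "$t/___magmi/web"
    ln -s ../___magmi/web "$t/http/some-obscure-name"
    r=0; check_magmi_layout "$t/http" "$t/___magmi" || r=$?
    rm -rf "$t"
    return "$r"
}

if [ "$#" -eq 2 ]; then check_magmi_layout "$1" "$2"; else demo; fi
```

Run it with the document root and the relocated Magmi directory as arguments; with no arguments it checks the constructed demo tree.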