Browsing to the root of my phabricator install demands that I log in to proceed further. However, if I brows to particular applications, e.g.:
https://phabricator.example.com/maniphest
or
https://phabricator.example.com/differential
appears to bypass the requirement that I log in.
This isn't a bug, there's just no logged-out/public view for the home page right now. See T3979.
If you don't want users to access applications without logging in, disable policy.allow-public. The documentation for the setting is (hopefully) clear about what this setting does:
Phabricator allows you to set the visibility of objects (like repositories and tasks) to 'Public', which means anyone on the internet can see them, without needing to log in or have an account.
This is intended for open source projects. Many installs will never want to make anything public, so this policy is disabled by default. You can enable it here, which will let you set the policy for objects to 'Public'.
Enabling this setting will immediately open up some features, like the user directory. Anyone on the internet will be able to access these features.
Does that make sense, or am I misunderstanding? I'll merge this into T3979 if it's just a confusion issue over the lack of a logged-out view for the homepage.
Aha, yes - this is a confusion issue - I don't recall setting that particular attribute, but may have whilst digging around in the settings. Sorry for the trouble.