
hide composer vendor folder that's inside docroot

We have set up about two dozen internal web applications. Now, years later, I'd like to start using packages from external sources and installing items by using Composer, which manages packages. I've never needed it before but would like to try adding some extra functionality to these sites.

The problem is none of these internal websites were set up with /project/public_html/ structures. The document root is the main directory inside WAMP.

So the DOCUMENT_ROOT directories look something like this:

c:\wamp64\www\my-site1\
c:\wamp64\www\my-site2\
c:\wamp64\www\my-site3\

Each project is different and might require different php packages. I'd like to be able to use Composer to manage the packages.

When you run Composer it creates a vendor folder. I know that good practice dictates that we should put it in a structure like this:

C:\wamp64\www\my-project1\vendor  //for vendor code
C:\wamp64\www\my-project1\public_html //for DOCUMENT_ROOT

But what I have ended up with is thus:

C:\wamp64\www\my-site1\vendor  //for vendor code specific to site1
C:\wamp64\www\my-site2\vendor  //for vendor code specific to site2

Can I use apache rewrite rules to hide this vendor folder and all child folders from the public web? Idea being it would deny a user that types in http://my-site1/vendor/somevendor/somefile.php but would still allow my scripts to require or include and use the files in that directory when needed.

Alternatively can I put vendor here:

 C:\wamp64\www\vendor 

and then somehow only include the vendor projects that I want? Not all vendor packages to every project, some way to specify which classes or packages I want to use on a per site basis.

S.Mason asked Jun 08 '18 18:06


2 Answers

You can simply place a .htaccess file in your vendor folder with:

Order allow,deny
Deny from all

Files inside the vendor folder won't be accessible by typing a URL in a browser but will be available for your scripts.

WizardNx answered Sep 25 '22 15:09


You may consider keeping vendors outside of the docroot with the following file structure:

c:\wamp64\www\my-site1\
c:\wamp64\www\my-site2\
c:\wamp64\www\my-site3\
c:\wamp64\www\vendors\my-site1\
c:\wamp64\www\vendors\my-site2\
c:\wamp64\www\vendors\my-site3\

Configuring vendor directory in composer.json:

"config": {
    "vendor-dir": "../vendors/my-site1"
},

And including autoloader in your index.php:

require __DIR__ . '/../vendors/my-site1/autoload.php';

If you can't change the directory for vendors, you may use mod_rewrite to disallow access to the vendor directory. Put this into your main .htaccess file (for example c:\wamp64\www\my-site1\.htaccess):

RewriteEngine on

RewriteRule ^vendor/(.*)?$ / [F,L]
RewriteRule ^composer\.(lock|json)$ / [F,L]

Using .htaccess inside of the vendor directory will also work, but it is easy to accidentally delete this file - usually the vendor directory is not versioned in VCS and many problems with composer are solvable by "delete vendor directory and run composer install again" (which will also remove your .htaccess and make the vendor directory accessible from the web).

rob006 answered Sep 25 '22 15:09
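
The caveat in the second answer, that a deny rule can disappear when the vendor directory is deleted and reinstalled, can be checked for after each deploy. The script below is an added example, not part of the original answers: it requests Composer's files on each site and reports any that the server does not refuse. The host names and the exposed_paths helper are assumptions made for illustration.

```python
import urllib.error
import urllib.request

# Files Composer itself generates, plus the manifests the rewrite rules above block.
PROBE_PATHS = (
    "vendor/autoload.php",
    "vendor/composer/installed.json",
    "composer.json",
    "composer.lock",
)


def http_status(url, timeout=5):
    """Return the HTTP status code of a GET request to url."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on 4xx/5xx; the code is what we want


def exposed_paths(base_url, fetch=http_status):
    """Return (path, status) pairs for probes the server did not refuse.

    403 is what the .htaccess deny and the RewriteRule [F] flag produce; 404 is
    what a site returns once vendor lives outside the docroot. Any other status
    (200, or 500 from an .htaccess the server rejects) is reported.
    """
    base = base_url.rstrip("/") + "/"
    findings = []
    for path in PROBE_PATHS:
        status = fetch(base + path)
        if status not in (403, 404):
            findings.append((path, status))
    return findings


if __name__ == "__main__":
    # Constructed host names following the question's layout (assumption).
    for site in ("http://my-site1", "http://my-site2", "http://my-site3"):
        try:
            bad = exposed_paths(site)
        except OSError as err:  # DNS failure, refused connection, timeout
            print(f"{site}: unreachable ({err})")
            continue
        print(f"{site}: {'OK' if not bad else 'EXPOSED ' + str(bad)}")
```

Running it right after every composer install catches the case where a fresh vendor directory has lost its .htaccess.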