Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to hide config files from direct access?

I am using Laravel for web app. Uploaded everything on production and found out that some of the files can be directly accessed by url - for example http://example.com/composer.json

How to avoid that direct access?

like image 621
Yasen Ivanov Avatar asked May 29 '16 07:05

Yasen Ivanov


4 Answers

You're using wrong web server configuration. Point your web server to a public directory and restart it.

For Apache you can use these directives:

DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">

For nginx, you should change this line:

root /path_to_laravel_project/public;

After doing that, all Laravel files will not be accessible from browser anymore.

like image 185
Alexey Mezenin Avatar answered Oct 23 '22 21:10

Alexey Mezenin


That is incorrect. composer.json sits outside of the public directory and therefore should not be accessible. This means that your VirtualHost configuration is incorrect.

Please make sure that your path to your directory ends with /public.

like image 45
Ohgodwhy Avatar answered Oct 23 '22 22:10

Ohgodwhy


Point your web server to a public directory and restart it.

For Apache you can use these directives:

DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">

Also You Can Deny files in .htaccess too.

<Files "composer.json">
Order Allow,Deny
Deny from all
</Files>

for multiple files you can add above files tag multiple times in .htaccess files.

like image 2
Abhijeet Navgire Avatar answered Oct 23 '22 21:10

Abhijeet Navgire


Point the web server to the public directory in the project's root folder

project root folder/public

but if you don't have the public folder and you are already pointing to the root folder, you can deny access by writing the following code in .htaccess file.

<Files ".env">
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>

in the above code, first we are denying from all and allowing only from the own server (localhost to the server) to get executed, and hence we can protect it from outside users.

like image 1
Reiah Paul Sam Avatar answered Oct 23 '22 20:10

Reiah Paul Sam