Web hosting security

Question

I have some security question about web hosting, web root. I have build a web application in php and all my php, js and images files are place behind public_html (i use hostgator)

like this

    public_html/index.php
    public_html/images/foo.jpg
    public_html/javascript/foo.js
    public_html/css/foo.css
    public_html/upload/49845165748946.jpg (user upload images to this folder.)

I read few post and getting confuse about web root security and Im getting confuse

Q1. I have read a post said "Upload files below web root", what is below web root?

this one here/public_html/ or this one public_html/here

Q2. I have few php files are important, like connect_database.php, should I store this file in connect_datatbase.php/public_html so no one can access it. (This file is for include everytime my application need to connect to db) although php files only for server

Q. are there any others important I need to be careful when I upload all my files to server and go public?

I have use htaccess set up few important folder Deny from all (like backup db folder etc.) and Options -Indexes

Answer 1

First off, let's start off with a basic tree structure of your home directory (for a basic cPanel based setup):

└── /
    ├── etc
    ├── mail
    ├── public_ftp
    ├── public_html
    │   ├── css
    │   ├── images
    │   ├── javascript
    │   └── upload
    └── tmp

This tree may differ slightly in your case, but more or less, it will be the same.

Your web root is the location to which your HTTP server (be it Apache, Nginx, Lighttpd or some other software) points your current domain. In a typical cPanel setup, this is the public_html directory. So if your account is configured to use the domain example.com, all access to that domain would point directly to public_html. From there, everything will be relative to that location, so if someone tries to access your site like so: example.com/folder/file.php, the HTTP server will point them to public_html/folder/file.php.

Server side languages, on the other hand, work outside of the scope of your HTTP server. For example, PHP works as a separate process, which is called by a module of your HTTP server (in the case of Apache, it is mod_php). This allows for creating an interface between PHP and your web server (so that people can see the outcome of your PHP scripts). As PHP is a server side language, however, it can access directories outside of your web root (public_html).

For example, if you try to include a file with an absolute filename, like so:

<?php
    include '/foo.txt';
?>

The first slash tells the PHP interpreter that you are providing an absolute path. If you omit that slash, PHP will think that the path is relative to your current document (or the include path you have set using PHP's set_include_path function). PHP will actually try to fetch that file from the root directory. With Hostgator, your root directory will be your home directory, or the directory you see when you login via FTP. You are jailed in this directory as a security measure on Hostgator's part. Your actual home directory is probably something like /home/user_name_goes_here, and your public_html folder is located in /home/user_name_goes_here/public_html. But you cannot go outside of your home directory, because that would be a security risk, so you are limited to your home dir, which thus becomes your root dir.

On my local system, however, where I have root access (root = super admin) my root directory is the file system root directory (the equivalent to C:\ on Windows, assuming you have Windows installed on partition C). Considering this, you can include any file, such as:

<?php
    include include '/etc/apache2/apache2.conf';
?>

The above command includes the Apache configuration file (which on my system is located in /etc/apache2). On your Hostgator server, however, PHP would try to include this file from /home/user_name_goes_here/etc/apache2/apache2.conf. Starting to make sense?

Files outside of the web root are placed above the public_html directory, like so:

└── /
    ├── etc
    ├── mail
    ├── public_ftp
    ├── public_html
    │   ├── css
    │   ├── images
    │   ├── javascript
    │   └── upload
    ├── config.php
    └── tmp

In this tree, the file config.php is placed outside of the web root, and cannot be access via HTTP.

However even if you place these files within the public_html folder, the PHP code within them will never be displayed to the browser. So, while placing your sensitive files outside of the web root might seem like a good security measure, it doesn't really bring that much extra security.

The only way for someone to see the source code of your application is to login to the server, either via a terminal or file transfer protocol of sorts (SSH, FTP, SFTP, telnet, cPanel..).

You can additionally restrict access to certain files using .htaccess. Individual files and folders can be forbidden from being accessed, but PHP will still be able to access them (as mentioned before, it works outside of your HTTP server). You can also blacklist and whitelist certain viewers using .htaccess (based on their IP address, for example, or whether they have a specific cookie set).

A good thing to disable is folder listing, which basically means that if no index file is present in a directory, the directory contents will not be listed as a tree through the browser. In many frameworks and CMS systems, you will see that every directory contains an empty index.html file. This is done as an additional security measure in case you do not restrict folder listing (the good guys behind those frameworks/CMS systems are watching out for you).

Answer 2

Q1. I have read a post said "Upload files below web root", what is below web root?

It's here/public_html/

Q2. I have few php files are important, like connect_database.php, should I store this file in connect_datatbase.php/public_html so no one can access it. (This file is for include everytime my application need to connect to db) although php files only for server

It doesn't really matter. You shouldn't be able to read source code via http request. The only way to gain access to your connect_database.php would be getting access to ssh or ftp or something like this or such vulnerabilities as file inclusion and if such thing happens - it won't really matter where you store your config.

Q. are there any others important I need to be careful when I upload all my files to server and go public?

Don't forget your htaccess files with proper configuration like disabled folder listing, but aside from that nothing too serious can happen if you are careful with your scripts, that is keeping it clean from vulnerabilities.