Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Setup question about URL Rewrite rules and Security
  • Hello All,

    I'm new to FuelPHP and I hope I'm putting this in the right place. If I get a little wordy I apologize in advance.

    So I'm trying to ensure security for the initial setup of my FuelPHP projects and am still getting use to the rewrite setup. I couldn't find a very straight forward configuration other then what was mentioned in the installation document for my setup, so I thought I'd ask you guys.

    I'm using Ubuntu 12.10, php 5.4.6, oil 1.6, apache 2.2.22

    I have my Fuel projects separated from my /var/www root in a /srv/fuel/myproject location. After I perform all of my oil commands, I then recursively chown ../myproject to www-data:www-data (this is also so I can access it using AjaXplorer (v.5.0.2) to easily write code via http when I'm not at home and can't ssh into my server).

    I have a site configured in Apache that's enabled and has the following rewrite (didn't setup a .htaccess file):

            Alias /sandbox/myproject /srv/fuel/myproject/public

            <Directory /srv/fuel/myproject/public>
              RewriteEngine on

              RewriteBase /

              RewriteRule ^(/)?$ /sandbox/myproject/index.php/$1 [L]

              RewriteCond %{REQUEST_FILENAME} !-f
              RewriteCond %{REQUEST_FILENAME} !-d

              RewriteRule ^(.*)$ /sandbox/myproject/index.php/$1 [L]

    This gives me access to the project at (took me a little to figure out that the RewriteRule setting was based on the html path)

    Am I doing this right or should I be changing this to be more secure and/or more accessible to FuelPHP itself? I'm trying to get the setup part well understood so I can focus on development moving forward.

    Thank you for your direction and help.
  • Your public folder (/srv/fuel/myproject/public) should be your DocumentRoot, I can't see if that is the case in this piece of config.

    If not, your application won't be able to access it's assets, unless you rewrite all of those too.

    Everything else can be elsewhere, just ajust the paths in your index.php.
  • The initial line and alias keep the doc root at the public level (I chose not to move it up a folder):

    Alias /sandbox/myproject /srv/fuel/myproject/public
            <Directory /srv/fuel/myproject/public>

    That's part of why I asked, because I couldn't set it up exactly like it was shown in the installation doc and just wanted to make sure it's still secure. An example of a .htaccess is shown for an unrecommended setup that is stored directly in your www folder, but no example for outside of the www folder.

    Everything seems to work. This is mostly an inquiry about security, which is why I didn't make it fully accessible within my www folder (I was a little worried placing it there because of the types of files within the fuel folder).

    Just to clarify, when someone goes to, they are visiting /srv/fuel/myproject/public
  • HarroHarro
    Accepted Answer
    As long as the documentroot points to public, all your code will not be accessible from a browser. This is why the Fuel structure is setup this way.

    Once you do that, it doesn't matter where the rest is, as long as the paths in your index.php (and oil) are changed accordingly.

    We have setup everything centrally, all applications run of the same fuel code, so the vhost tree only contains app, modules and the public folder.
  • Thanks Harro. I really appreciate the confirmation.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion