Website server directory access

[Matic]

I am curious about server access. Lets say you buy a hosting service, can you manually decide which directories will be public and which will be off limits? Do public directories have to include views (templates)? Because in a lot of frameworks I see views in private directories. Can you block access via .htaccess and only allow users to browse certain pages? How do you prevent them from browsing your entire php app files?

 

I know this is a lot of question but a simple overview about directory structure in apache servers will do, since I am building one.

[requinix]

- Depends what you bought. If it's shared hosting then you have some flexibility but really not that much. Dedicated hosting means you can do whatever you want.

- Unless you have really locked-down shared hosting (less and less common these days) then you can make any directory "public" or "private".

- Public directories can contain whatever you want. They probably shouldn't have views/templates because those files are no good if executed directly. In fact they might even have some code in them that shouldn't be seen at all. Generally such directories have things like CSS and Javascript and image files instead.

- Yes, making a directory public or private is done in Apache through .htaccess (or a server-level configuration file). That's what you would use to block browsing.

[Matic]

- Depends what you bought. If it's shared hosting then you have some flexibility but really not that much. Dedicated hosting means you can do whatever you want.

- Unless you have really locked-down shared hosting (less and less common these days) then you can make any directory "public" or "private".

- Public directories can contain whatever you want. They probably shouldn't have views/templates because those files are no good if executed directly. In fact they might even have some code in them that shouldn't be seen at all. Generally such directories have things like CSS and Javascript and image files instead.

- Yes, making a directory public or private is done in Apache through .htaccess (or a server-level configuration file). That's what you would use to block browsing.

 

But the public directories must contain controllers then, or some sort of web pages to view? Because if it doesn't matter, what is stopping me from throwing everything in the private file and never worry about security?

[kicken]

But the public directories must contain controllers then, or some sort of web pages to view?

Not necessarily. You'd need at least one file, your main router, within the public directly in order to process the requests. All the rest of your controllers/includes could be within a private directory and PHP will still be able to access them. It's not uncommon to have controllers/views/etc in a directory above the document root directory so that they are not accessible via the web server at any url. Then you just have a single index.php file in the document root which all the requests get re-written to. That PHP file would then include() the other files as necessary to complete the request.

[requinix]

It's actually possible to URL rewrite to a non-public file so you could have a "public" directory with absolutely nothing inside. You'd still need it because Apache wants a directory for the website, but you could have requests for everything be sent to a file somewhere.

[Matic]

Thanks for the answers, they raise another question though. How do you make a root directory? Isn't the place you get with the server always the "root"? Or can you access diferent folders on a bought server?

[requinix]

Which "root" are you talking about? The root of the server should be irrelevant when talking about setting up a specific site. There's also the root of the website which is typically like /var/www or /home/user/public_html.

 

If you've bought the entire server then you have access to the entire server. It's yours. Do with it as you wish.