6

I'm new in Laravel 5.

I found this "Laravel 5 - Remove public from URL" question on Stack Overflow to remove the public folder from my Laravel 5 app. I only have a question about the security.

When I remove public from the URL, I have to change the basic folder structure of Laravel 5. Yes, it works fine without public in the URL.

But what about the security of Laravel, because I am changing the default folder structure? Is it secure to use?

CodeBriefly
  • 1
    You should probably explain in what way you removed public from the URL, as the link you provided doesn't make it very clear. Did you use rewrite rules? – Jeemusu Jul 15 '15 at 06:51
  • @Jeemusu, I am using this approach: one new folder that contains all Laravel 5 folders and files, without the public folder, and all the files of the public folder placed in my root folder (public folder deleted). Changes made in index.php. All is done, hope it's clear. Public path removed from the URL. – CodeBriefly Jul 15 '15 at 10:12

2 Answers

4

You should be pointing your Apache host root to the $LARAVEL_PATH/public directory instead of $LARAVEL_PATH.

The point of having a subdirectory as the www host root instead of the project root is that you're not leaking any of your project files through your web server.

Even though all the PHP files have the file suffix .php, a malicious user can access your `$LARAVEL_PATH/storage` directory and its subdirectory contents, read your composer.json or package.json to find vulnerable dependencies, or read the .env file, etc.

If you're running on shared hosting and you have a mandatory `public_html`, try installing Laravel outside of that `public_html` directory and either remove `public_html` (if empty) and replace it with a symlink to `$LARAVEL_PATH/public` OR, if you want the Laravel instance to be a subdirectory of `public_html`, do the same but create a symlink from `$LARAVEL_PATH/public` to `public_html/$PROJECT_SUBDIR`.

That public directory is there for a reason: to make the project a bit more secure. Solve the actual problem and don't try to break this simple but nice security addition. :)

trm42
  • Thanks @trm42 for your valuable answer. Only one issue: my host contains more than 2 Laravel sites, so how do I manage the same folder outside of public_html? – CodeBriefly Mar 30 '16 at 11:12
  • 1
    Imaginary directory structure: /home/user | /site1 | /site2 | /public_html. Then, create symlinks from site1/public -> public_html/site1 and then create symlinks from site2/public -> public_html/site2, or symlink site1/public -> public_html and symlink site2/public site1/public/site2. Ugly compared to using Apache VHOSTs but should work. Sorry, formatting here is horrible :/ – trm42 Mar 30 '16 at 11:18
  • 1
    Thanks for your reply, VHOST is possible on shared host, and I think your answer needs an upvote. – CodeBriefly Mar 30 '16 at 12:25
  • Also, if you want different Laravel instances within the same VHOST in different paths, you can use Alias and Directory configurations within the VHOST configuration, see: http://stackoverflow.com/questions/6307047/different-folder-as-website-subfolder – trm42 Mar 31 '16 at 07:31
  • Symlinks from site1/public into public_html/site1 didn't work for me. But going from public_html/site1 to the Laravel project area site1/public did work a treat! Basically '..' in the PHP paths worked properly. – anthony May 28 '19 at 11:08
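
A local check for the exposure described in the answer above, as an added example that is not part of the original posts: it builds a constructed Laravel-like tree in a temporary directory, publishes only `public/` through a `public_html/site1` symlink, and reports which project files sit inside a given document root. The function names, the sample tree and the `vendor`/`artisan` entries in the list are assumptions.

```sh
# Added example; the directory layout and file contents are constructed.
# Entries that must not be reachable under the served directory. The first
# four are named in the answer; vendor and artisan are added assumptions.
SENSITIVE=".env composer.json package.json storage vendor artisan"

# audit_docroot DIR: print each sensitive entry found directly under DIR
# (symlinks are followed); return 1 if anything is exposed, else 0.
audit_docroot() {
    docroot=$1
    found=0
    for name in $SENSITIVE; do
        if [ -e "$docroot/$name" ]; then
            echo "EXPOSED: $docroot/$name"
            found=1
        fi
    done
    return "$found"
}

# make_sample_site BASE: create a minimal constructed project at BASE/site1
# and expose only its public/ directory as BASE/public_html/site1.
make_sample_site() {
    base=$1
    mkdir -p "$base/site1/public" "$base/site1/storage/logs" "$base/public_html"
    echo "APP_KEY=constructed-placeholder" > "$base/site1/.env"
    echo '{"require":{}}' > "$base/site1/composer.json"
    echo '<?php // front controller' > "$base/site1/public/index.php"
    ln -s "$base/site1/public" "$base/public_html/site1"
}

# demo: audit both layouts, the project root served directly and the
# symlinked public/ directory.
demo() {
    tmp=$(mktemp -d)
    make_sample_site "$tmp"
    echo "--- project root used as document root"
    audit_docroot "$tmp/site1" || echo "=> project files are web-reachable"
    echo "--- public/ published through public_html/site1"
    audit_docroot "$tmp/public_html/site1" && echo "=> nothing sensitive in docroot"
    rm -rf "$tmp"
}

demo
```

Pointing `audit_docroot` at the real directory your virtual host or `public_html` resolves to gives the same report for a live deployment.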
-1

The link you provided is not about changing the actual file structure of the framework; this example uses mod_rewrite to rewrite the URL of your application. In other words, you are telling your server that you would like to point to that directory without the full path being visible to the end user.

Also take a look at the answers below in the link you've provided.

Rename the server.php in your Laravel root folder to index.php and copy the .htaccess file from the /public directory to your Laravel root folder. -- That's it !! :)

Harry Geo
  • Hi Harry, I am trying .htaccess but no luck. Then I am using this approach: one new folder that contains all Laravel 5 folders and files, without the public folder, and all the files of the public folder placed in my root folder (public folder deleted). Changes made in index.php. All is done, hope it's clear. Public path removed from the URL. – CodeBriefly Jul 15 '15 at 10:15
  • 1
    Please take a look here also: http://tutsnare.com/remove-public-from-url-laravel/ . And please try to write your comments more clear, the structure of your sentence confuses me. Thank you, report back on how it went :) – Harry Geo Jul 15 '15 at 13:13
  • Harry, thanks, but my question is about the security after these changes are done. Is it secure to use? – CodeBriefly Jul 15 '15 at 15:52
  • 1
    Security is a relative thing, a system cannot be 100% secure, there is always a backdoor, a hack if you like, to get past securities. It really depends on how you have set up your server configuration. For example, try to disable file indexing on your server, make certain parts of your application only available to users with admin accounts, make your `.env` files unreadable, check your PHP scripts for possible vulnerabilities, etc. Security is a complex thing and there is a lot to consider. Here is an article on how to secure [apache](http://goo.gl/39mupH) for example – Harry Geo Jul 16 '15 at 08:11
  • **DO NOT** just rename server.php to index.php in the Laravel root folder, then cp .htaccess from the public dir to there. This will remove "public" from the path, BUT it will NOT protect you securely. Try accessing the ".env" file, you can still do it. It is NOT a good solution! – anthony May 28 '19 at 10:16
  • Hi anthony, do you mean you store your `.env` file on your production environment? Even if that's the case, this file should be encrypted with a `sekrets.key` file or equivalent. – Harry Geo May 28 '19 at 10:23