23

I am using Laravel for web app. Uploaded everything on production and found out that some of the files can be directly accessed by url - for example http://example.com/composer.json

How to avoid that direct access?

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
Yasen Ivanov
  • 973
  • 2
  • 8
  • 22

9 Answers9

33

You're using wrong web server configuration. Point your web server to a public directory and restart it.

For Apache you can use these directives:

DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">

For nginx, you should change this line:

root /path_to_laravel_project/public;

After doing that, all Laravel files will not be accessible from browser anymore.

Alexey Mezenin
  • 158,981
  • 26
  • 290
  • 279
2

That is incorrect. composer.json sits outside of the public directory and therefore should not be accessible. This means that your VirtualHost configuration is incorrect.

Please make sure that your path to your directory ends with /public.

Ohgodwhy
  • 49,779
  • 11
  • 80
  • 110
  • I think that's because I've renamed server.php to index.php and added .htaccess file to the root directory. So is it wrong to remove public.index.php from URL in that way? – Yasen Ivanov May 29 '16 at 07:29
  • 1
    You shouldn't do any changes. `index.php` and `.htaccess` should be in a `public` directory only and shouldn't be modified. – Alexey Mezenin May 29 '16 at 07:57
2

Point your web server to a public directory and restart it.

For Apache you can use these directives:

DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">

Also You Can Deny files in .htaccess too.

<Files "composer.json">
Order Allow,Deny
Deny from all
</Files>

for multiple files you can add above files tag multiple times in .htaccess files.

Abhijeet Navgire
  • 683
  • 7
  • 20
1

Point the web server to the public directory in the project's root folder

project root folder/public

but if you don't have the public folder and you are already pointing to the root folder, you can deny access by writing the following code in .htaccess file.

<Files ".env">
Order Allow,Deny
Deny from all
Allow from 127.0.0.1
</Files>

in the above code, first we are denying from all and allowing only from the own server (localhost to the server) to get executed, and hence we can protect it from outside users.

Reiah Paul Sam
  • 555
  • 6
  • 16
0

Set Your document root as public directory, so other files will not be accessible directly. Look for it in Your apache/nginx/??? configuration files.

Giedrius Kiršys
  • 5,154
  • 2
  • 20
  • 28
  • I am using Apache. Ok, but I don't want this public folder to appear in my URL. If I set my document root to public, I am bound to use /public to my url's.. – Yasen Ivanov May 29 '16 at 07:47
  • @YasenIvanov I don't understand what your complaint is at all. Surely at the moment you have to use `/public/` at the start of your URLs? If you set your document root to the public directory then you **won't**. Why do you want to have `/public/` at the start of all your URLs? – Chris May 29 '16 at 08:51
  • I don't want to have /public/ to my URLs - that's what I've said. If I set my document root to public directory it just doesn't allow me to get acces like this - http://domain.com - it says "Forbidden". If I type it http://domain.com/public I have access. The question is how to remove this /public/ from my URL's ? – Yasen Ivanov May 29 '16 at 09:05
  • @YasenIvanov I think, that You understood me and Chris wrong. When You set document root to `public` path, it will be Your root directory for web server, so no more `/public/` in URL. – Giedrius Kiršys May 29 '16 at 09:08
0

It depends on the webserver your running. With Apache it would be .htaccess files whereas with Nginx it would be handled in the server configuration file.

farmio
  • 8,883
  • 3
  • 13
  • 17
0

You Can Deny files in .htaccess too.

<Files "composer.json">
Order Allow,Deny
Deny from all
</Files>
Crysis
  • 418
  • 2
  • 7
  • 28
0

With Apache, you can create .htaccess file in the root directory of Laravel project to rewrite all requests to public/ directory.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ public/$1 [L]
</IfModule>
Amr El-Naggar
  • 446
  • 3
  • 6
-2

simply create blank

index.php

file in config directory , and write message in file as you like to inform acccessor user

ex. access forbindon by server

Ravindra Bhanderi
  • 2,478
  • 4
  • 17
  • 29
  • This would not deny access to composer.json. It just hides the directory listing. To disable directory listing, add `Options -Indexes` to the .htaccess file. – Edd Mar 08 '21 at 09:36