How to disable people from accessing www.mywebsite.com/public/index.php ?

Published 1 week ago by linesofcode

Hello,

My website is running perfectly in www.mywebsite.com, but I notice people can enter in the URL:

  • www.mywebsite.com/public
  • www.mywebsite.com/public/index.php
  • www.mywebsite.com/server.php

And all links show my website but without CSS applied. Is there any way I can redirect users to my main URL?

Btw, I use the /public/ folder for JS, CSS & Images, like such:

  • www.mywebsite.com/public/img/somefile.png
  • www.mywebsite.com/public/js/somefile.js
  • www.mywebsite.com/public/css/somefile.css

And I want to maintain that.

This is my root .htaccess:

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Remove www    
    RewriteCond %{HTTP_HOST} ^www.mywebsite.com$ [NC]
    RewriteRule ^(.*)$ https://mywebsite.com [R=301,L]

    # Remove http and force https   
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [QSA,R,L]

    RewriteCond %{REQUEST_FILENAME} -d [OR]
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^ ^ [N]

    RewriteCond %{REQUEST_URI} (\.\w+$) [NC]
    RewriteRule ^(.*)$ public/ 

    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ server.php

</IfModule>

And this is my public/.htaccess:

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

Finally, I'm using a shared hosting.

Thanks.

jlrdw
1 week ago (252,600 XP)

Main Laravel goes above htdocs. You should not need to mess around with the htaccess file. Do a search right here; myself and many others have answered how to properly set up Laravel on shared hosting.

I know it's been answered over a hundred times.

click
1 week ago (78,940 XP)

@linesofcode is your website currently live somewhere? Be aware that at this moment your .env file is probably also exposed. So visiting www.yourwebsite.com/.env will probably show you (and anybody who visits that link) your database credentials and login to third party accounts like: email, file storage account (S3), logging, API keys, etc. etc.

So be aware of this.

If you run your own server (VPS) you should set your document root correctly in your vhost file (to the public directory and not to the directory with all the Laravel code). If you have shared hosting and do not have the ability to change this you should follow some tutorials about setting up Laravel on a shared hosting as jlrdw already said. I do not have any experience with this but a Google search on laravel shared hosting should give you some insight.
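The document-root change described above, written out as an added example that is not from the thread. It assumes Apache 2.4; `/var/www/mywebsite` is an assumed project path and the certificate paths are placeholders.

```apache
<VirtualHost *:443>
    ServerName mywebsite.com
    ServerAlias www.mywebsite.com

    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Weak: the project root is the web root, so /.env,
    # /storage/logs/laravel.log and /config/database.php map to real files.
    #DocumentRoot /var/www/mywebsite

    # Corrected: only public/ is mapped to URLs.
    DocumentRoot /var/www/mywebsite/public

    # Deny the project tree as a whole and ignore any .htaccess in it ...
    <Directory /var/www/mywebsite>
        AllowOverride None
        Require all denied
    </Directory>

    # ... then open only public/, where Laravel's own public/.htaccess
    # (which needs AllowOverride) sends requests to index.php.
    <Directory /var/www/mywebsite/public>
        Options -Indexes -MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

With this root, /public/ disappears from URLs, so asset links become /css/somefile.css rather than /public/css/somefile.css.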

linesofcode

Dear @click, many other people have questioned me about the security issues, like the .env file as well as the .log file under the storage.

And I'm gonna tell you what I have told them: no file is available to public. I repeat: no file is available to public.

If I open the browser and type:

  • www.mywebsite.com/.env I get error 404
  • www.mywebsite.com/storage/logs/laravel.log I get error 404
  • www.mywebsite.com/config/database.php I get error 404

And keep in mind that:

  • All the files exist in my FTP
  • The .env file has a file permission of 644

I'm using Laravel 5.7 and my folder structure is the following:

public_html/server.php
public_html/.env
public_html/*.etc files
public_html/public_html/*.etc files
public_html/config/*.etc files
public_html/app/*.etc files
public_html/*.etc folders

Thanks.
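For a layout like the one listed above, where the whole project sits inside the web root, explicit deny rules make the result for these paths independent of the rewrite chain. This is an added example, not from the thread; it assumes Apache 2.4, the stock Laravel directory names, and a host that allows `Require` in .htaccess.

```apache
# public_html/.htaccess (project root in the listing above)

# Block dotfiles such as .env by name. This uses mod_authz_core rather than
# mod_rewrite, so it still applies if mod_rewrite is not loaded and every
# <IfModule mod_rewrite.c> block is silently skipped.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Project metadata and log files that should never be downloadable.
# The rule is inherited by subdirectories, so it also covers
# storage/logs/laravel.log.
<FilesMatch "(^artisan$|^composer\.(json|lock)$|\.log$)">
    Require all denied
</FilesMatch>

# For directories that hold only server-side code or data
# (app/ bootstrap/ config/ database/ resources/ routes/ storage/ vendor/),
# put a separate .htaccess inside each one containing the single line:
#
#   Require all denied
#
# PHP's require/include reads those files from disk, not over HTTP,
# so the application keeps working while direct requests get 403.
```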

linesofcode

Solved.

By editing the file /public_html/public/index.php I can check if the current URL matches my criteria.

In my case whenever the string public is present in the URL it always has two slashes (because of the .htaccess), like:

www.mywebsite.com/public/

With that said, in the top of the file:

    // Redirect requests for exactly /public/ back to the site root
    if ($_SERVER['REQUEST_URI'] == '/public/')
    {
        header('location: http://' . $_SERVER['HTTP_HOST']);
        exit;
    }

Cronix
1 week ago (794,690 XP)

That looks like it would only work if they went specifically to yoursite.com/public/, not yoursite.com/public/something-else or yoursite/public/index.php/something-else

linesofcode

@Cronix which is my goal, like I said in my topic.

> Btw, I use the /public/ folder for JS, CSS & Images, like such:
>
>   • www.mywebsite.com/public/img/somefile.png
>   • www.mywebsite.com/public/js/somefile.js
>   • www.mywebsite.com/public/css/somefile.css
>
> And I want to maintain that.

D9705996
1 week ago (127,290 XP)

@linesofcode - you are trying to fix a problem with your apache configuration with a php solution. This isn't the correct solution.

To fix this properly you need to amend your virtualhost to set the document root to the absolute path of your public folder within your Laravel application.

This will resolve your issue although you will need to look at how you reference your assets as they shouldn't be prefixed with /public/. Look at the default Laravel public folder structure: https://github.com/laravel/laravel/tree/master/public

Breaking away from the conventions will make your overall development with the framework more difficult.

However it's your choice but don't be surprised when things like this happen.

linesofcode

@D9705996 like I said in my post:

> Finally, I'm using a shared hosting.

You can't set the document root in a shared hosting.

But, if we're gonna talk about breaking the conventions, we should then talk about the necessity of pushing to the public_html folder only the /public folder of Laravel and then create a separate folder far from public_html folder with the actual Laravel code...and to complete edit the .index.php file in order to work properly. (https://www.youtube.com/watch?v=6g8G3YQtQt4)

Doesn't seem like a good solution to me either as it goes against all the conventions of years of coding with other frameworks. The problem increases if I work with sub-folders, such as www.mywebsite.com/project_one, www.mywebsite.com/project_two.

I'm just making my point, not saying what is best or worst.

My JS, CSS, Image and other public files go all to the /public/ folder, perfectly structured. As the name tells, they are public files, accessed by everyone.

Cronix
1 week ago (794,690 XP)

> You can't set the document root in a shared hosting.

Yes, that's why most people don't use shared hosting except for dumb simple things like wordpress. You can get your own server fully under your control for less than $10/month. They usually don't give you ssh access on shared hosting either, so automatic deployments are typically a no-go. There's a lot you give up with shared hosting, but you're welcome to stay with a hosting company that doesn't let you have full control over your box if you wish.

On shared hosting, generally you can still just copy the contents of /public into /public_html, and have the rest of laravel above public_html so it's not accessible and just make some minor adjustments to index.php and .htaccess.

> public files go all to the /public/ folder, perfectly structured. As the name tells, they are public files, accessed by everyone.

That's kind of funny that you put it like that. I'd respond with, "as the name tells, public_html are public files, accessed by everyone", too.

linesofcode

@Cronix where can I get those servers under $10/month?

> That's kind of funny that you put it like that. I'd respond with, "as the name tells, public_html are public files, accessed by everyone", too.

That's true. :D

Snapey
1 week ago (1,040,255 XP)

You can usually host files above public_html and then rename your public folder to be public_html.

Showing public in all your URLs is just bad, bad, bad.

D9705996
1 week ago (127,290 XP)

@linesofcode - try some of these

https://www.techradar.com/uk/news/the-best-vps-hosting-of-2018

Starting at under $5/month. Not endorsing any particular one but a VPS is clearly available cheap nowadays.

Cronix
1 week ago (794,690 XP)
jlrdw
1 week ago (252,600 XP)

OP did not search, I guess, as there were so many prior answers on proper setup with and without shared hosting, so OP can do whatever OP wants to do.

Almost a pity some of those prior excellent answers weren't viewed.

click
1 week ago (78,940 XP)
