Keeping CI Inside the Document Root
#1

[eluser]jleequeen[/eluser]
I have a question, I suppose more about security. I know that it is better to keep your application files outside of the document root. But, for some reason, if you decided to keep your application files inside the document root, can they still be as safe?

I know each file has anti-direct access code and you can also use .htaccess files to tighten the application down even more. Is that not enough for the code to be virtually unreadable to the outside world even though it is in the doc root? (That is unless someone somehow gained access to your web server, but then you got bigger problems anyway)

I confess I'm not a web server expert, so maybe someone can give me their opinion on this. Thanks in advance.
#2

[eluser]wiredesignz[/eluser]
I'm no expert either but I use CI in the docroot with .htaccess redirects and have had no issues.
#3

[eluser]John Fuller[/eluser]
Putting CI outside the root is so easy why not do it? Put the CI files wherever you like and then just open your index.php file and change the path.
#4

[eluser]Armchair Samurai[/eluser]
[quote author="John Fuller" date="1200044742"]Putting CI outside the root is so easy why not do it? Put the CI files wherever you like and then just open your index.php file and change the path.[/quote]
You've obviously never had the <sarcasm>pleasure</sarcasm> of working with Plesk: it really messes things up on the backend which causes no amount of trouble when you move PHP scripts above the docroot, which means you're stuck there.

Of course, it would be better to store things above the docroot, but you're relatively safe with .htaccess redirects plus CI's built-in security AFAIK.
#5

[eluser]jleequeen[/eluser]
I agree it is really simple to put them wherever. I'm just curious as to whether or not it can still be secure if you wanted to dump your whole app in a folder within the doc root (if for nothing else, to keep everything together).
#6

[eluser]awpti[/eluser]
I use PLESK. Store stuff outside the docroot all the time.

Here's the fix:

vi /var/www/vhosts/domain.com/conf/vhost.conf

<Directory /var/www/vhosts/domain.com/httpdocs>
php_admin_value open_basedir none
</Directory>

(Save & Quit)

/usr/local/psa/admin/sbin/websrvmng -v -a

All done. :) And turn safe_mode off.
#7

[eluser]thurting[/eluser]
[quote author="jleequeen" date="1200046498"]I agree it is really simple to put them wherever. I'm just curious as to whether or not it can still be secure if you wanted to dump your whole app in a folder within the doc root (if for nothing else, to keep everything together).[/quote]

It can be safe, but it will never be as safe as storing files outside of the webroot. If there is an error with PHP, there is a chance your files can be accessed as plain text. This actually happened to Facebook a while back. All in all, storing CI files on the webroot is somewhat safe, but never as safe as storing them outside of the webroot. As a best practice, you should keep them as secure as possible and above the webroot.

BTW, I have used Plesk a bunch too and have never had any problems. Here is the official technote if you encounter any errors: http://kb.swsoft.com/article_41_432_en.html
#8

[eluser]tonanbarbarian[/eluser]
Storing your CI files outside of the webroot comes into its own when you control the hosting environment. That way you can have 1 central copy of CI system files which all of the sites can use.

I actually break it up into 3 parts

I will have the system files in one central location i.e. /usr/lib/codeigniter
Then I will have a location for each site in which the application files can reside.
i.e. /home/user/apps
If I have multiple CI apps they can each go in a subfolder.
And finally inside the webroot I place the index.php (or whatever I name the file) and any CSS JS etc.
This gives good separation of code. Just as CI separates Models from Views from Controllers, this method separates the Core system files, from the application files, from the web files.
It basically means that for any application I know to look in the application folder for any code changes I have to make.

It is by no means necessary to do this. As long as you put the code at the top of all of your PHP files you can be sure they cannot be run independently and there are no issues, but if you want to organise things a little neater then split them up I think.
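
A check for the two risks raised in posts #7 and #8, added here as an example and not code from any poster or from CodeIgniter: it lists the PHP files that sit inside a docroot (each would be served as source if PHP stopped working) and the ones lacking the `BASEPATH` guard. The function names, the sample tree and `local_settings.php` are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example. GUARD is the substring of CI's direct-access line to look for.
GUARD="defined('BASEPATH')"

# Every PHP file under DOCROOT except the front controller index.php. Each of
# these is sent as source text if the PHP handler ever stops working.
php_in_docroot() {
    root=${1%/}
    find "$root" -type f -name '*.php' ! -path "$root/index.php" | sort
}

# The subset with no BASEPATH guard in the first 5 lines: these also execute
# when requested directly, unless .htaccess blocks them.
unguarded_php() {
    php_in_docroot "$1" | while IFS= read -r f; do
        head -n 5 "$f" | grep -F "$GUARD" >/dev/null || printf '%s\n' "$f"
    done
}

# One-line summary; status 0 only when index.php is the sole PHP file served.
audit_docroot() {
    exposed=$(php_in_docroot "$1" | wc -l | tr -d ' ')
    unguarded=$(unguarded_php "$1" | wc -l | tr -d ' ')
    echo "exposed=$exposed unguarded=$unguarded"
    [ "$exposed" -eq 0 ]
}

# Constructed sample: CI kept inside the docroot, one file missing its guard.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/system/application/controllers" "$d/system/application/config"
    echo "<?php require 'system/codeigniter/CodeIgniter.php';" > "$d/index.php"
    echo "<?php if (!defined('BASEPATH')) exit('No direct script access allowed');" \
        > "$d/system/application/controllers/welcome.php"
    echo "<?php \$config['constructed'] = 'value';" \
        > "$d/system/application/config/local_settings.php"
    echo "$d"
}

sample=$(make_sample)
audit_docroot "$sample" || true
rm -rf "$sample"
```

Run against a real site, `audit_docroot /path/to/httpdocs` exits non-zero while any PHP file other than `index.php` remains under the docroot.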
#9

[eluser]johnwbaxter[/eluser]
That sounds like a very good setup tonanbarbarian. I like that idea a lot. I've been storing the lot outside the webroot (apart from index.php of course) but I didn't think of splitting the apps out too. Good tip!
#10

[eluser]eggshape[/eluser]
I do what tonanbarbarian does for personal use; I've had some issues with deployment where I do not control the host/server, so in those cases, I keep everything as is. I do change the app and system folder names no matter what...yes, I am a bit paranoid.



