Move config.php out of Web Root
Forum rules
Temporary forum to obtain support while phpBB.com is offline.
Please use the support forum on phpBB.com
Temporary forum to obtain support while phpBB.com is offline.
Please use the support forum on phpBB.com
Re: Move config.php out of Web Root
Yes I know, which is why saying that your config.php would be served as plaintext if php stopped working isn't right.
Re: Move config.php out of Web Root
You do realise .htaccess files do not work on all web servers, and I have been known to forget to deny access to it in the main web server configuration. I just find this way easier, and it keeps all my configuration files in /etc where they belong.dowelld wrote:Ummm no I think not.ToonArmy wrote:If for some reason PHP stops your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:Code: Select all
<?php include '/etc/phpbb/site.example.com.php';
That entry in .htaccess should stop it from being served at all.<Files "config.php">
Order Allow,Deny
Deny from All
</Files>
Re: Move config.php out of Web Root
They do on all mine, I make a point of it. Although I accept what you're saying about it not being universally supported.ToonArmy wrote: You do realise .htaccess files do not work on all web servers, and I have been known to forget to deny access to it in the main web server configuration. I just find this way easier, and it keeps all my configuration files in /etc where they belong.
The second and third reasons are much better reasons to my thinking, doing what's easiest for you is always best, and keeping config file in one place is another very good reason, especially because it makes backing up the service configuration a whole lot easier.
Re: Move config.php out of Web Root
They are only support by Apache, not Lighttpd, nginx, thttpd, IIS, etc.dowelld wrote:They do on all mine, I make a point of it. Although I accept what you're saying about it not being universally supported.
Worth noting, having the configuration file outside of the web root on the phpBB.com server would not have saved us.
-
- Registered User
- Posts: 15
- Joined: Thu Feb 05, 2009 7:39 pm
Re: Move config.php out of Web Root
My question is based only on my own common practices... just like filtering and escaping. phpBB is as secure as it needs to be in my mind--threats are mitigated, never eliminated. You have my sympathy regarding the unrelated hack of your website. As a new user of phpBB, I to am frustrated by the disruption as well.ToonArmy wrote:Worth noting, having the configuration file outside of the web root on the phpBB.com server would not have saved us.