Move config.php out of Web Root

Temporary forum to obtain support while phpBB.com is offline.
Please use the support forum on phpBB.com
dowelld
Registered User
Posts: 11
Joined: Fri Feb 06, 2009 10:03 am

Re: Move config.php out of Web Root

Post by dowelld »

Yes I know, which is why saying that your config.php would be served as plaintext if php stopped working isn't right.
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: Move config.php out of Web Root

Post by ToonArmy »

dowelld wrote:
ToonArmy wrote: If for some reason PHP stops your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:

<?php
include '/etc/phpbb/site.example.com.php';

Ummm no I think not.

<Files "config.php">
Order Allow,Deny
Deny from All
</Files>

That entry in .htaccess should stop it from being served at all.

You do realise .htaccess files do not work on all web servers, and I have been known to forget to deny access to it in the main web server configuration. I just find this way easier, and it keeps all my configuration files in /etc where they belong.
Chris SmithBlogXMOOhlohArea51WikiNo support via PM/IM
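
Added example (not part of any post in this thread): a Python audit that classifies a config.php as holding credentials inline or as a stub whose include target lies inside or outside the web root, the layout described in the post above. The `$dbpasswd` pattern, the helper names and all sample paths and file contents are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Matches include/require (optionally _once) of a quoted absolute path, as in the stub above.
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"](/[^'"]+)['"]""")
# Assumption: credentials appear as a non-empty $dbpasswd assignment.
SECRET_RE = re.compile(r"""\$dbpasswd\s*=\s*['"][^'"]+['"]""")


def classify_config(config_path, web_root):
    """Return 'inline-secrets', 'stub-outside-root', 'stub-inside-root' or 'unknown'.

    Paths are compared after realpath(), so '..' segments and symlinks are resolved.
    """
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    if SECRET_RE.search(source):
        return "inline-secrets"  # exposed if the file is ever served as source
    match = INCLUDE_RE.search(source)
    if not match:
        return "unknown"
    root = os.path.realpath(web_root)
    target = os.path.realpath(match.group(1))
    inside = os.path.commonpath([root, target]) == root
    return "stub-inside-root" if inside else "stub-outside-root"


def demo():
    """Build a constructed web root and classify three config.php variants."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "www")
        etc = os.path.join(tmp, "etc", "phpbb")
        os.makedirs(os.path.join(web_root, "private"))
        os.makedirs(etc)
        samples = {
            "inline": "<?php\n$dbuser = 'forum';\n$dbpasswd = 'constructed-secret';\n",
            "outside": "<?php\ninclude '%s';\n" % os.path.join(etc, "site.example.com.php"),
            "inside": "<?php\ninclude '%s';\n" % os.path.join(web_root, "private", "real.php"),
        }
        results = {}
        for name, body in samples.items():
            path = os.path.join(web_root, name + ".config.php")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            results[name] = classify_config(path, web_root)
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```
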
dowelld
Registered User
Posts: 11
Joined: Fri Feb 06, 2009 10:03 am

Re: Move config.php out of Web Root

Post by dowelld »

ToonArmy wrote: You do realise .htaccess files do not work on all web servers, and I have been known to forget to deny access to it in the main web server configuration. I just find this way easier, and it keeps all my configuration files in /etc where they belong.
They do on all mine, I make a point of it. Although I accept what you're saying about it not being universally supported.

The second and third reasons are much better reasons to my thinking; doing what's easiest for you is always best, and keeping config files in one place is another very good reason, especially because it makes backing up the service configuration a whole lot easier.
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: Move config.php out of Web Root

Post by ToonArmy »

dowelld wrote:They do on all mine, I make a point of it. Although I accept what you're saying about it not being universally supported.
They are only supported by Apache, not Lighttpd, nginx, thttpd, IIS, etc.

Worth noting, having the configuration file outside of the web root on the phpBB.com server would not have saved us. ;)
FoolishNoob
Registered User
Posts: 15
Joined: Thu Feb 05, 2009 7:39 pm

Re: Move config.php out of Web Root

Post by FoolishNoob »

ToonArmy wrote:Worth noting, having the configuration file outside of the web root on the phpBB.com server would not have saved us. ;)
My question is based only on my own common practices... just like filtering and escaping. phpBB is as secure as it needs to be in my mind--threats are mitigated, never eliminated. You have my sympathy regarding the unrelated hack of your website. As a new user of phpBB, I too am frustrated by the disruption as well.