Make Laravel(4) work without `public/` in the URL
There is a huge security risk involved if you don't hide your app and other directories via `.htaccess`. Even then, the files in the root directory will be accessible via the browser. Use this method only if you can hide all important files from the browser.
I saw a lot of tricks to modify the `.htaccess` or to place the other directories outside the root and simply point the vhost configuration of your Apache web server to the public directory. None of these make sense when you are developing on an Ubuntu box and want to replicate a production environment.
A little bit of snooping around the code will help you completely remove `public` from the URL. If you have a git repository around the project, you can put this commit in a different branch and cherry-pick it just in case you want to roll back for a future version.
The steps are simple:

1. Move the contents of the `public` directory into your application directory.
2. Modify the `public` value in the `bootstrap/paths.php` return value to `'public' => __DIR__.'/../../<application-folder>',`
3. Modify the paths in the `index.php` file that you just moved from the `public` folder to:

```php
// require __DIR__.'/../bootstrap/autoload.php';
require __DIR__.'/bootstrap/autoload.php';
// $app = require_once __DIR__.'/../bootstrap/start.php';
$app = require_once __DIR__.'/bootstrap/start.php';
```
Written by Rizwan Iqbal
4 Responses
This sounds like it could be a security risk. The whole point of having a public directory, along with keeping things organized, is that it puts all your important and "confidential" files behind the site root so that people can't go to `<website_url>/app/config/database.php` and get a peek at your database information.
Yes, but you think hiding it using `.htaccess` would work
As @searsaw said, this is a massive security risk waiting to be exploited.
I have my Apache VHost pointed to the /www/laravel_app/public directory which of course loads an index.php file. In this index.php file that's located in the public directory, I have a few lines...
```php
require __DIR__.'/../bootstrap/autoload.php';
$app = require_once __DIR__.'/../bootstrap/start.php';
$app->run();
$app->shutdown();
```

Then, in the same public directory my .htaccess is set up as...

```apache
<IfModule mod_rewrite.c>
    Options -MultiViews
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>
```
Routes work as expected without the public prefix, no access to non-public parts. Could even put an .htaccess in the laravel_app root that explicitly disallows access to the app, bootstrap, and vendor directories, but this method is already secure enough.
Yeah, I have restricted access to directories but parts like `composer.json` will still be accessible which is kinda embarrassing. I have reverted back to using this with `public` and have updated my virtual host configuration on my production and staging server.
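
A deployment check for the exposure discussed above, as an added example that is not part of the original post or its responses: it reports which Laravel 4 internals sit under the directory a vhost serves. The `INTERNALS` list, the status labels and the `build_sample` tree are assumptions constructed for this example.

```python
import tempfile
from pathlib import Path

# Laravel 4 entries that should live outside the document root. The list is an
# assumption of this example, drawn from the paths named on this page.
INTERNALS = ("app", "bootstrap", "vendor", "composer.json")

def htaccess_denies(directory):
    """True if directory/.htaccess holds a blanket deny (2.2 or 2.4 syntax)."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    return "deny from all" in text or "require all denied" in text

def audit_docroot(docroot):
    """Return {entry: status} for Laravel internals found under docroot."""
    findings = {}
    for name in INTERNALS:
        target = Path(docroot) / name
        if not target.exists():
            continue
        # A deny in a subdirectory's .htaccess only holds while AllowOverride
        # honours it, and does nothing for files in the docroot itself.
        if target.is_dir() and htaccess_denies(target):
            findings[name] = "htaccess-only"
        else:
            findings[name] = "exposed"
    return findings

def build_sample(base, flattened):
    """Constructed sample tree: flattened=True mimics the layout in the steps."""
    base = Path(base)
    for d in ("app/config", "bootstrap", "vendor"):
        (base / d).mkdir(parents=True)
    (base / "app/config/database.php").write_text("<?php // constructed\n")
    (base / "app/.htaccess").write_text("Deny from all\n")
    (base / "composer.json").write_text("{}\n")
    web = base if flattened else base / "public"
    web.mkdir(exist_ok=True)
    (web / "index.php").write_text("<?php // front controller\n")
    return web  # the directory the vhost would serve

if __name__ == "__main__":
    for flattened in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            print(flattened, audit_docroot(build_sample(tmp, flattened)))
```

An empty result means none of the listed internals are under the served directory, which is the case when the vhost points at `public`.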