Installing Laravel in a Subfolder? Hide your .env file.

Tutorials

March 4th, 2017

folder-hide-leader.png

If you are new to Laravel you might not be familiar with its directory structure and the reasons why it’s setup the way it is. If you look at the main repository it’s setup like this, and the documentation covers what each of these folders handles.

What is important here is the “public” folder. That is the ONLY directory you want to be exposed through the web. Everything else should be outside of your web root, this way people can’t access any of your important files through the browser.

As an example I found a site where they had a copy of Laravel installed on a domain like this:

1site.com/subfolder/public/

Inside the “subfolder,” they left the original Laravel structure, so all you have to do is change the URL to site.com/subfolder/.env to see a lot of important data like the database connection. Not only this but the .git files as well that can expose other sensitive data.

If you have Laravel installed in a subfolder, please check that none of the dot files or the other directories are accessible through the browser, and if they are you can hide them by moving the out of the web root, or using .htaccess on Apache, or Nginx config. The best option is to move them above the web root and here is how you can setup Laravel in that situation.

Installing Laravel in a Subfolder

To install Laravel in a subfolder let’s walk through a typical server setup to demonstrate it. Typically the path to the web root is something like this, but it can vary depending on your host:

1/var/www/html

With this path, the “html” folder is the web root, and your domain will typically point here. Now, let’s say you are building a blog and you create /var/www/html/blog. All the contents of your Laravel “public” folder would go in this folder. For example:

1/var/www/html/blog/css/
2/var/www/html/blog/js/
3/var/www/html/blog/index.php

You will then put the rest of your Laravel folders and files in another place outside of “html”, for example:

1/var/www/laravel/
2/var/www/laravel/app/
3/var/www/laravel/bootstrap/
4/var/www/laravel/.env
5/var/www/laravel/...

Then for the final steps modify your “blog/index.php” file and adjust the following two paths.

1// blog/index.php change to point to /var/www/laravel/
2
3require __DIR__.'/../bootstrap/autoload.php';
4$app = require_once __DIR__.'/../bootstrap/app.php';

This will keep everything outside your web root, make your install more secure, and prevent unauthorized access to import items.

Filed in:

Tutorials
Eric L. Barnes

Eric is the creator of Laravel News and has been covering Laravel since 2012.

Laravel News Partners

Newsletter

Join 33,000+ others and never miss out on new tips, tutorials, and more.

Laravel Jobs

The official Laravel job board connecting the best jobs with top talent.

View All Jobs
Senior Fullstack Engineer Senior Frontend Engineer (or Fullstack) Laravel/PHP Software Engineer Software Engineer (Fullstack - Vue, PHP, Laravel) Senior Laravel Full Stack Developer (Remote, USA) Software Engineer Senior Laravel Developer for exciting SaaS in Norway Senior Web Developer (Laravel / Vue.js) PHP Developer Hiring for multiple Laravel and Vue.js positions - Work with an official Laravel Partner PHP/Laravel Developer Full Stack Laravel Developer Full Stack (Senior) Engineering Team Lead Senior Full Stack Laravel/PHP Developer

Most recent