Modify docroot to improve security

In a standard installation with an Apache web server, Adobe Commerce and Magento Open Source is installed to the default web root: /var/www/html/magento2.

The magento2/ directory contains the following:

  • pub/
  • setup/
  • var/

The application is served from /var/www/html/magento2/pub. The rest of the file system is vulnerable because it is accessible from a browser.
Setting the webroot to the pub/ directory prevents site visitors from accessing sensitive areas of the file system from a browser.

This topic describes how to change the Apache docroot on an existing instance to serve files from the pub/ directory, which is more secure.

A note about nginx

If you are using nginx and the nginx.conf.sample file included in the installation directory, you are probably already serving files from the pub/ directory.

When used in your server block that defines your site, the nginx.conf.sample configuration overrides your server’s docroot settings to serve files from the pub/ directory. For example, see the last line in the following configuration:

# /etc/nginx/sites-available/magento

upstream fastcgi_backend {
   server  unix:/run/php/php7.4-fpm.sock;
}

server {

         listen 80;
         server_name 192.168.33.10;
         set $MAGE_ROOT /var/www/html/magento2ce;
         include /var/www/html/magento2ce/nginx.conf.sample;
}

Before you begin

To complete this tutorial, you need access to a working installation running on a LAMP stack:

  • Linux
  • Apache (2.4+)
  • MySQL (5.7+)
  • PHP (7.4)
  • Elasticsearch (7.x) or OpenSearch (1.2)
  • Adobe Commerce or Magento Open Source (2.4+)
NOTE
Refer to Prerequisites and the Installation Guide for more information.

1. Edit your server configuration

The name and location of your virtual host file depends on which version of Apache that you are running. This example shows the name and location of the virtual host file on Apache v2.4.

  1. Log in to your application server.

  2. Edit your virtual host file:

    code language-bash
    vim /etc/apache2/sites-available/000-default.conf
    
  3. Add the path to your pub/ directory to the DocumentRoot directive:

    code language-conf
    <VirtualHost *:80>
    
             ServerAdmin webmaster@localhost
             DocumentRoot /var/www/html/magento2ce/pub
    
             ErrorLog ${APACHE_LOG_DIR}/error.log
             CustomLog ${APACHE_LOG_DIR}/access.log combined
    
             <Directory "/var/www/html">
                         AllowOverride all
             </Directory>
     </VirtualHost>
    
  4. Restart Apache:

    code language-bash
    systemctl restart apache2
    

2. Update your base URL

If you appended a directory name to your server’s hostname or IP address to create the base URL when you installed the application (for example http://192.168.33.10/magento2), you need to remove it.

NOTE
Replace 192.168.33.10 with your server’s hostname.
  1. Log in to the database:

    code language-bash
    mysql -u <user> -p
    
  2. Specify the database that you created when you installed the application:

    code language-shell
    use <database-name>
    
  3. Update the base URL:

    code language-shell
    UPDATE core_config_data SET value='http://192.168.33.10' WHERE path='web/unsecure/base_url';
    

3. Update the env.php file

Append the following node to the env.php file.

'directories' => [
    'document_root_is_pub' => true
]

Refer to the env.php reference for more information.

4. Switch modes

Application modes, which include production and developer, are designed to improve security and make development easier. As the names suggest, you should switch to developer mode when extending or customizing the application and switch to production mode when running in a live environment.

Switching between modes is an important step in verifying that your server configuration is working properly. You can switch between modes using the CLI tool:

  1. Go to your installation directory.

  2. Switch to production mode.

    code language-bash
    bin/magento deploy:mode:set production
    
    code language-bash
    bin/magento cache:flush
    
  3. Refresh your browser and verify that the storefront displays properly.

  4. Switch to developer mode.

    code language-bash
    bin/magento deploy:mode:set developer
    
    code language-bash
    bin/magento cache:flush
    
  5. Refresh your browser and verify that the storefront displays properly.

5. Verify the storefront

Go to the storefront in a web browser to verify that everything is working.

  1. Open a web browser and enter your server’s hostname or IP address in the address bar. For example, http://192.168.33.10.

    The following figure shows a sample storefront page. If it displays as follows, your installation was a success!

    Storefront which verifies a successful installation

    Refer to the troubleshooting section if the page displays a 404 (Not Found) or fails to load other assets like images, CSS, and JS.

  2. Try accessing an application directory from a browser. Append the directory name to your server’s hostname or IP address in the address bar:

    If you see a 404 or the “Access denied” message, you’ve successfully restricted access to the file system.

    Access denied

recommendation-more-help
0f8e7db5-0e9c-4002-a5b8-a0088077d995