Installing Grav outside of document root

Hi there,

I want to store only the necessary files (index.php, images, css, js, media files etc.) in the document root folder which are served by http server directly and everything else (sources, configs etc.) outside of it.

Is it possible by changing only the paths of directories in index.php? It would affect the command line tools?

Thanks in advance! :slight_smile:

@dinomed, Unless symlinking or one of these scenarios is what you are after, I have no idea…

Curious about what you are trying to achieve though…

I guess this kind of practice is to protect the source code. Lots of frameworks have such approach as the default AFAIK.

I guess with Grav the whole /user folder would still have to stay in root, because it holds all the content related to each page (like attached files and images, or theme and plugin assets, etc.)

Some frameworks and Content Management Systems do, usually to protect resources because they’re otherwise exposed in an untoward manner. Grav itself (Core) has no such resources. And all source code is public already, much the same as with most frameworks and CMS’.

The “outside-root” approach really only holds value if there are protected resources available, and they should be protected by other, more robust, means in that case. If the resources exist it’s because they need to be exposed to the website, otherwise they shouldn’t be stored on the webserver. As suggested, symlinking would allow you to move these files and folders pretty much anywhere on the server.

If you just want less clutter in root, install Grav in a subdirectory.

1 Like

I think it’s a good practice to keep out unnecessary files from root, especially when configs are stored in plain text files. Maybe someone removes accidentaly the htaccess file… or removes the blocking… or something else. That way at least site site wide settings are not exposed.

Another good reason for that is that you can achieve easily multisite (subdomain) functionality with subdomains for example and you need to apply security patches/updates/upgrades to only once.

Anyway, thanks for the answers! :slight_smile: