Gordon inspired this post via this tweet, so here’s something I think is worth trying.
I prefer isolating the static files (frontend) from the back-end code right from the beginning, by placing everything that is static (images, CSS and JS files) inside the DocumentRoot of the website (e.g. /home/jeromakay/public_html/), while the code stays in /home/jeromakay/.
Think of the “application files” as if they were the server’s utilities: they can live anywhere outside the DocumentRoot (e.g. calling ImageMagick via /usr/local/bin/convert rather than having it installed in /home/jeromakay/public_html/).
This practice makes your code a bit safer, but it requires a somewhat more complex directory structure for your site. If you’re designing your app from scratch, it’s easy: you can design it so only the index.html file is in the public folder along with the static files. If the app is already written, it’s still worth adapting it.
As I said, the real benefit is being safer. Here’s an example: Yahoo search service blog’s wp-config.php. It can be publicly accessed by anyone. If it had been kept outside the DocumentRoot, nobody could ever have accessed it. No big threat though…
Of course, WordPress’ wp-config.php file doesn’t reveal any info because it was designed not to output anything, but if the file were an .inc or an XML file containing API auth passwords, it would be worth keeping it outside the DocumentRoot. You never know whether Apache will execute public files or serve them for download.
As you can see in the scheme attached to this post, the static files are publicly available, including the index.html file, while the functionality code stays somewhere outside the public folder. To make things work with this structure, you need to assign paths correctly inside your code’s configuration files.
Assuming you have some understanding of how paths work, you will find this implementation trivial. Just keep in mind that the best way to do it is to keep static files in the web server’s DocumentRoot, while the functionality code stays hidden elsewhere on the server’s disk, where it has nothing to do with the outside world.
Not only does this keep things safe, but you are also now worry-free when organizing and slipping helper files into your code that could otherwise have been downloaded if they were publicly available.
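The layout described above, plus a small audit check, as an added example (not from the original post). It builds the split tree with hypothetical placeholder paths that mirror the /home/jeromakay layout, and then scans a DocumentRoot for anything that is not on a static-file allowlist, so that a stray .inc, .xml or .php file dropped into public_html shows up before the web server can serve or execute it.

```shell
# Added example, not from the original post. All paths are hypothetical
# placeholders following the post's /home/jeromakay layout.

# Build the split layout: static files in the DocumentRoot (public_html),
# application code and configuration one level up, outside it.
make_layout() {
  base="$1"
  mkdir -p "$base/public_html/css" "$base/public_html/js" "$base/app" "$base/config"
  printf '<html><body>hello</body></html>\n' > "$base/public_html/index.html"
  printf 'body { margin: 0; }\n' > "$base/public_html/css/site.css"
  printf 'console.log("hi");\n' > "$base/public_html/js/site.js"
  # Code and secrets live outside the DocumentRoot, so Apache never sees them.
  printf '<?php // application code, never served directly\n' > "$base/app/bootstrap.php"
  printf '<?php $api_password = "placeholder-not-a-real-secret";\n' > "$base/config/settings.inc"
}

# Audit a DocumentRoot: list every file whose extension is not on the
# static allowlist. Returns 0 when the tree is clean, 1 when something that
# looks like code or configuration is exposed (the exposed paths are printed).
audit_docroot() {
  docroot="$1"
  exposed=$(find "$docroot" -type f \
    ! -name '*.html' ! -name '*.htm'  ! -name '*.css'  ! -name '*.js' \
    ! -name '*.png'  ! -name '*.jpg'  ! -name '*.jpeg' ! -name '*.gif' \
    ! -name '*.svg'  ! -name '*.ico'  ! -name '*.woff' ! -name '*.woff2')
  if [ -n "$exposed" ]; then
    printf 'exposed under DocumentRoot:\n%s\n' "$exposed"
    return 1
  fi
  return 0
}
```

Point Apache's DocumentRoot directive at the public_html directory only; the code in app/ and config/ is reached from index.php (or whatever entry point you use) by an absolute path such as /home/jeromakay/app/bootstrap.php, never by a URL. Running audit_docroot against public_html after each deployment catches the case the post warns about, where a helper or config file ends up in the public tree by accident.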
Here are some other links related to this discussion:
- CakePHP’s file structure (similar to what we’ve discussed, I assume)
- installing application files in WebSphere Application Server 3.5.x
- installing a web app on Gentoo
Have fun!
Vladimir