Secure location of PHP files used in LAMP stack


I'm setting up a LAMP stack on Ubuntu 20.04, and recently had a discussion with a colleague about the fact that it's better not to keep the PHP scripts of your whole stack (classes, API controllers, etc.) within the web directory of your server, as they're publicly available. In case of a bad configuration, the worst-case scenario is that your PHP files could be output in plain text to the browser. Although all of this sounds a bit weird to me, some posts seem to confirm this.

So I wondered: let's say I've set my DocumentRoot in Apache to www/html, and I want to load all of my PHP scripts into /prod_code. How can I make sure that these files can only be run if required in their specific scenario of www/html/index.php, and nothing else, and especially not publicly via the web root?

I've also started going through this documentation, but I am a little unsure about how I can find out whether the PHP installation of my server is running as an Apache module or as the CGI binary, hence I do not understand how I can predict the changes of options such as doc_root, etc.
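The layout the question describes, sketched as an added example (not part of the original post): a single front controller in the web root that loads code from /prod_code, refuses to run if that directory sits inside the DocumentRoot, and logs which SAPI PHP is running under. The names `APP_ENTRY`, `isInside`, `resolveCode` and `bootstrap.php` are hypothetical, and the script assumes `index.php` sits directly in the DocumentRoot.

```php
<?php
// www/html/index.php: the only PHP file kept inside the DocumentRoot.
declare(strict_types=1);

const CODE_DIR = '/prod_code';   // code directory named in the question
define('APP_ENTRY', true);       // hypothetical marker; library files can start with
                                 // defined('APP_ENTRY') || exit; as defence in depth

// True when $path is $base itself or lies below it (compared on whole path segments).
function isInside(string $path, string $base): bool
{
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

// Resolve a script name to a real file inside CODE_DIR. Returns null if the file is
// missing or the resolved path escapes CODE_DIR through "../" or a symlink.
function resolveCode(string $relative): ?string
{
    $base = realpath(CODE_DIR);
    $path = realpath(CODE_DIR . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $path === false || !is_file($path) || !isInside($path, $base)) {
        return null;
    }
    return $path;
}

// "apache2handler" is mod_php, "fpm-fcgi" is PHP-FPM, "cgi-fcgi" is the CGI binary,
// "cli" is the command line.
$sapi = php_sapi_name();

// Assumption: this file sits directly in the DocumentRoot, so __DIR__ is the web root.
$docRoot = __DIR__;
$codeDir = realpath(CODE_DIR);
if ($codeDir === false || isInside($codeDir, $docRoot)) {
    // If the code directory were under the web root, Apache could serve it directly.
    error_log("Code directory missing or inside DocumentRoot (SAPI: $sapi)");
    http_response_code(500);
    exit;
}

$bootstrap = resolveCode('bootstrap.php');   // hypothetical entry file in /prod_code
if ($bootstrap === null) {
    error_log("bootstrap.php not found inside " . CODE_DIR . " (SAPI: $sapi)");
    http_response_code(500);
    exit;
}
require $bootstrap;
```

Because /prod_code has no URL mapped to it, Apache cannot serve those files as plain text even if PHP handling is misconfigured; the Apache worker user only needs read access to that directory.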
