There are certain PHP files that you want access to but don't want to make public.
Common examples of these are:
You also don't want to deploy these into every site on a server, nor commit them to each site's git repository.
A neat way of dealing with this is to use rewriting in your web server config files (Apache, NGINX, IIS, etc.) to do the following:
password protect these files
deny access to all but a limited set of IP addresses
point all requests to these files to a default set so they don't have to be duplicated in every site.
Blocking access to all php files other than index.php.
Note that this is specific to CMSs such as Drupal and WordPress that route all page requests through index.php.
In this example I also deny access to all .txt files other than robots.txt. Deleting those text files from a Drupal install is often recommended for security; blocking them in the web server instead means you don't have to repeat that deletion every time you update core.
Use a default set of instrumentation files (phpinfo.php, apc.php, etc.)
Next, let's look at rewriting all requests to these standard PHP files to a set of default files.
Say we have site X (www.example.com)
/var/www/sitex/htdocs/ - this is your site root
and we have the default files in a folder:
/var/www/default/ - this contains phpinfo.php, apc.php etc
What we want is for requests to www.example.com/phpinfo.php to actually serve /var/www/default/phpinfo.php.
To do this, set up file aliases in Apache and rewrite all requests to the files to their defaults:
The rules say: if someone asks for phpinfo.php and it doesn't exist at the URL they requested, return the default. This lets you 'override' the rule by placing a phpinfo.php in the root of your site should you want to.
Using this technique means that any new site on your server has access to these files without duplicating them all over the place, and they will be protected from general access.
Note: the files referred to in the aliases must exist, or you will get a 500 error when you visit them.
These rules can go in .htaccess in the root of your site, but as always, for performance reasons they are better placed in your vhost / httpd.conf files if you have access to them.
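The whole setup as a single Apache 2.4 virtual host, added here as an example (this is not the original post's configuration): the aliases plus rewrites for the shared files, the password and IP restriction on them, and the index.php/robots.txt allow-list for the site root. The /default/ alias prefix, the htpasswd path and the 192.0.2.0/24 allow-list are assumptions.

```apache
# Added example, not the original post's config. Assumes Apache 2.4 with mod_alias,
# mod_rewrite, mod_auth_basic and mod_authz_core, /var/www/default/ holding phpinfo.php
# and apc.php, and an htpasswd file at the (assumed) path below, created with htpasswd.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/sitex/htdocs

    # 1. Aliases for the shared instrumentation files. Every target must exist
    #    on disk, otherwise requesting it produces a 500 error.
    Alias /default/phpinfo.php /var/www/default/phpinfo.php
    Alias /default/apc.php     /var/www/default/apc.php

    # 2. Rewrite /phpinfo.php to the alias only when the site root has no copy of
    #    its own, so dropping a phpinfo.php into htdocs/ overrides the default.
    #    [PT] hands the rewritten URI back to mod_alias; in vhost context the
    #    pattern carries the leading slash (in .htaccess it would not).
    RewriteEngine On
    RewriteCond %{DOCUMENT_ROOT}/phpinfo.php !-f
    RewriteRule ^/phpinfo\.php$ /default/phpinfo.php [PT,L]
    RewriteCond %{DOCUMENT_ROOT}/apc.php !-f
    RewriteRule ^/apc\.php$ /default/apc.php [PT,L]

    # 3. Protect the shared files: the client must come from the allow-listed
    #    network AND present valid credentials. 192.0.2.0/24 is a constructed
    #    documentation range; use your office/VPN addresses. Serve this over
    #    HTTPS, since Basic auth only base64-encodes the password.
    <Directory /var/www/default>
        AllowOverride None
        AuthType Basic
        AuthName "Instrumentation"
        AuthUserFile /etc/apache2/instrumentation.htpasswd
        <RequireAll>
            Require ip 192.0.2.0/24
            Require valid-user
        </RequireAll>
    </Directory>

    # 4. In the site root only index.php may be executed and only robots.txt read;
    #    every other .php and .txt (CHANGELOG.txt, install.php, ...) returns 403.
    #    With the default AuthMerging Off, a later <FilesMatch> replaces the
    #    Require of an earlier one for the files it matches.
    <Directory /var/www/sitex/htdocs>
        Require all granted
        <FilesMatch "\.(php|txt)$">
            Require all denied
        </FilesMatch>
        <FilesMatch "^(index\.php|robots\.txt)$">
            Require all granted
        </FilesMatch>
    </Directory>
</VirtualHost>
```

Check the result with `apachectl configtest`, then request /phpinfo.php, /CHANGELOG.txt and /robots.txt from an allowed and a non-allowed address to confirm the 200/401/403 responses are the ones you expect.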