What if one cannot set vhost in server config, and can only use htaccess settings?

I don't think moving the file structure is a good idea, and hence I have a different way. Just follow these steps in an Apache server and it will work pretty well.

  1. Write a .htaccess file in /forum/ to redirect all the requests from /forum/ to /forum/public/

    Options +FollowSymLinks
    RewriteEngine On
    RewriteRule ^(.*)$ public/$1 [QSA,L]

  2. Edit config.php file and change the url key value. The changed line should look like this:

    'url' => 'https://mydomain.com/forum',

And now it should work pretty well. This is working for me and there is no need to move any files, which would complicate the update process in future if a new release of Flarum happens.

    After seeing a few of /public related posts I'm wondering if people get why we're doing this in the first place (no offense, we might genuinely need a better explanation in the docs)

    Multiple people seem to have installed Flarum "the old way" and actually kept /public in the url, which completely defeats the purpose.

    The thing to remember is that you don't want storage, vendor, flarum, config.php, composer.json and composer.lock to be served publicly. Ever. That's because they are sensitive files: config.php and storage because they contain sensitive data, vendor and flarum because they can expose untrusted code that anyone will be able to run, and composer.* because they contain advanced information on your setup.

    Now there are two choices. Either you don't place these folders under the webroot (where everything will be served by the web server), or you place them there but you make extra sure to tell the web server to never return them.

    Which itself leads to 3 placement options in my opinion:

    Dedicated folder, own webroot (recommended)

    That's kind of the new standard, in particular for modern web applications like Laravel. You install Flarum in a folder wherever you want, but not under the webroot.

    For example place Flarum in /home/ubuntu/flarum.

    Then in the web server config, add a virtualhost (for own hostname) or alias (for subfolder), pointing the webroot to /home/ubuntu/flarum/public.

    This means all files in /home/ubuntu/flarum but out of /public will never be served by the web server, keeping you safe.

    Common webroot, protected folders (old school)

    That would be the "old school" way of doing things, and it might be the only solution on hostings that don't allow you to customize the web root. Most hostings do allow it (maybe not for subfolders though) and you should use the recommended option if you can.

    With this solution you place all files somewhere under the webroot (typically public_html) and restrict access to the dangerous files with configuration via htaccess for Apache or the server config for Nginx.

    Additionally you can move index.php out of the public folder to remove that useless public directory.

    This is the solution explained at https://flarum.org/docs/install.html#customizing-paths

    Common webroot, remote folders (uncommon but great)

    One last option that's not really explained in Flarum Docs but that is totally possible is to apply the concept of the recommended method with the setup of the second case.

    In the skeleton, the sensitive files are placed one level above (out of public), but they can be anywhere on the filesystem.

    You can place the content of public in your existing webroot or subdirectory and the other files in a directory outside of the webroot. For example if your website is at /var/www/my-website/public_html, you can often place files at /var/www/my-website/flarum and they won't be served under the webroot.

    Then use the "Customizing paths" instructions to change the paths in index.php to point to that folder out of the webroot. You can use relative paths ('storage' => __DIR__.'/../../flarum/storage',) or absolute paths to achieve it ('storage' => '/var/www/my-website/flarum/storage',). Don't forget to also update require '../vendor/autoload.php'; to also point to the place where the vendor folder now is.

    I have not tested this option but it seems perfectly possible. It wasn't possible in beta 7 but in beta 8 with custom paths it should work as well as just removing the public folder.


    In the end it's all about making sure these sensitive files don't get exposed. You're free to play around with the placement of the files, and beta 8 now gives you a lot of flexibility in that regard.

    I want to take the opportunity to remind you that the Flarum Lab (which I run) will check that you are not exposing those files. It's a quick way to know if you correctly followed either installation method.

    I'll need to add a case to check for those who actually kept that public folder right in the url, because currently the Lab won't try accessing the sensitive files one level up.
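A self-check in the spirit of the exposure test described in the post above, as an added example that is not part of the original thread and not Flarum Lab's code. It treats any 2xx response as "served" (a heuristic); the host forum.example, the `storage/` and `vendor/autoload.php` probe targets and all function names are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Items the post says must never be served. "storage/" and
# "vendor/autoload.php" are assumed probe targets; swap in files you know exist.
SENSITIVE = ["config.php", "composer.json", "composer.lock", "flarum",
             "storage/", "vendor/autoload.php"]

def candidate_bases(forum_url):
    """The forum URL, plus the directory one level up when it ends in /public."""
    parts = urlsplit(forum_url)
    path = parts.path.rstrip("/")
    paths = [path]
    if path.endswith("/public"):
        paths.append(path[:-len("/public")])
    return [urlunsplit((parts.scheme, parts.netloc, p + "/", "", "")) for p in paths]

def http_status(url, timeout=10):
    """Status code of a GET request; HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def exposed_paths(forum_url, fetch=http_status):
    """URLs of sensitive items that answer with a 2xx status (heuristic for 'served')."""
    return [base + rel
            for base in candidate_bases(forum_url)
            for rel in SENSITIVE
            if 200 <= fetch(base + rel) < 300]

def constructed_fetch(url):
    """Constructed stand-in for a host with Flarum under the webroot and /public in the URL."""
    root = "https://forum.example/forum/"
    rel = url[len(root):] if url.startswith(root) else None
    return 200 if rel in SENSITIVE else 404

if __name__ == "__main__":
    # Offline demo against the constructed host; drop fetch= to probe your own forum.
    for url in exposed_paths("https://forum.example/forum/public", fetch=constructed_fetch):
        print("exposed:", url)
```

An empty result from your own forum URL means none of the probed items answered with a 2xx status; a directory probe such as `storage/` can still return 403 while files inside it are readable.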

      5 days later
      a month later

      clarkwinkelmann Common webroot, remote folders (uncommon but great)

      One last option that's not really explained in Flarum Docs but that is totally possible is to apply the concept of the recommended method with the setup of the second case.

      In the skeleton, the sensitive files are placed one level above (out of public), but they can be anywhere on the filesystem.

      You can place the content of public in your existing webroot or subdirectory and the other files in a directory outside of the webroot. For example if your website is at /var/www/my-website/public_html, you can often place files at /var/www/my-website/flarum and they won't be served under the webroot.

      I can confirm that this option works. Maybe one day these instructions could be added to the Flarum Docs. I'm sure many people will need to set their Flarum up this way due to their hosting environment.

      I can understand all the arguments, but I was a newbie and have been using various forum and content software for a long time, thus I know how unusual and quite hard this is for them.

      There are also other ways to protect the sensitive files and folders, so I am sure the decision for the current structure may be revisited in the future, especially once the developers have settled down making Flarum a stable forum software.

      I greatly prefer the current method of public folders like what Laravel uses; it's easy to set up and is just a matter of setting the web root to the correct place. The old school method is insecure and requires a massive amount of configuration on the web server side to protect sensitive files. And the remote way does work but it seems like there's more setup than what should really be required. Flarum should be, in my opinion, a download and run program, which in its current Beta 8 form is exactly what it is.

        tankerkiller125 my thoughts as well. Pretty much any modern Laravel application serves from the /public directory, and it's honestly quite simple to set up.

        a year later

        clarkwinkelmann Then use the "Customizing paths" instructions to change the paths in index.php to point to that folder out of the webroot. You can use relative paths ('storage' => __DIR__.'/../../flarum/storage',) or absolute paths to achieve it ('storage' => '/var/www/my-website/flarum/storage',). Don't forget to also update require '../vendor/autoload.php'; to also point to the place where the vendor folder now is.

        I have not tested this option but it seems perfectly possible. It wasn't possible in beta 7 but in beta 8 with custom paths it should work as well as just removing the public folder.

        @clarkwinkelmann
        What do you mean when saying Don't forget to also update require '../vendor/autoload.php'? could you be more specific on this, I mean to both index.php and forum, what exact code should I add to? and where in the file should I add to?

        I just got stuck here, after adding this snippet to index.php
        require 'flarum/vendor/autoload.php';
        'base' => __DIR__,
        'public' => __DIR__,
        'storage' => __DIR__.'/flarum/storage',

        I got a warning that
        Parse error: syntax error, unexpected '=>' (T_DOUBLE_ARROW) in /home/customer/www/domain.com/public_html/index.php on line 29

        and line 29 is just this script: 'base' => __DIR__,

        Should I change something?

        Thank you!

          Kurtis I think you may have interpreted the instructions too literally. You should change the paths in the file to match those, not add those lines at the end of the file.

          Basically each file references 4 paths: the Composer autoload file, the base path, the public path and the storage path. Just update those 4 paths according to how you arranged your forum.

          I don't recommend using that method if you are not familiar enough with your filesystem, relative paths and PHP files. Use either the default or the "customizing paths" instructions from the documentation.

            clarkwinkelmann

            Thank you very much for replying me.

            Actually, I read most of the posts about these public folder questions, but still don't understand it. I am really eager to use Flarum, so I want to figure it out.

            Yes, I am a coding beginner, that's why I think it in a literal way.

            As I asked for help in another thread,
            https://discuss.flarum.org/d/17795-help-with-public-paths/10
            https://discuss.flarum.org/d/17795-help-with-public-paths/12

            I already updated those 4 paths according to how I arranged my forum.

            For

            1. The base path (I don't understand)
            2. The public path (I don't understand)
            3. Composer autoload file path (I understand)
            4. The storage path (I understand)

            I can understand 3 and 4, as /vendor/autoload.php is always under the vendor folder, and the storage folder always stays under the flarum folder, as shown below.

            server
            ├── public_html
            │   └── index.php
            └── flarum
                ├── storage
                ├── vendor
                └── flarum (executable)

            The problem is I don't understand 1 and 2; here are the main questions that get me stuck.

            1. What does base stand for? What should I change 'base' => __DIR__, to? And should I put it in both index.php and forum? Does it matter if I put it just at the end of each file?

            2. For public path, since I already moved all folders and files out of the public folder to the /domain.com/public_html folder, and deleted the empty public folder, does this code script 'public' => __DIR__, still matter? Should I change it to be 'public' => '/home/customer/www/domain.com/public_html',

            I feel frustrated on this issue. I’ve spent 2 days trying to solve it; it seems it should not be that difficult, but it made me go bananas. I couldn't find a detailed solution on the web, and here on the Flarum official community, it is my only chance.

            Let's take it further; the involved files that need to be changed accordingly might be:

            - index.php
            - flarum
            - .htaccess
            - site.php
            - config.php

            we just discussed index.php and flarum

            Thank you again for guiding me.

              Kurtis 1. base folder is the one that contains config.php, flarum(executable) and composer.json. In your case it's the folder named flarum. 2. Public folder is the one that contains index.php and assets. In your case, it's public_html.

              There has been a change in Flarum beta 12. Now on new installations there's a site.php which is used so that base, public and storage can be defined in a single place instead of having to edit two files. Now the vendor path and site.php path are the only paths you need to edit in two places. All other paths can be edited in site.php only. site.php can be placed anywhere, but I would recommend placing it in the base folder.

                clarkwinkelmann

                Hi Clark, I am so happy to receive your reply, your explanation is very clear, and I finally solved this problem, and now I can visit my site from https://domain.com/

                The solution is quite simple:

                I only edited site.php file

                original script:

                return Flarum\Foundation\Site::fromPaths([
                    'base' => __DIR__,
                    'public' => __DIR__,
                    'storage' => __DIR__.'/storage',
                ]);

                modified script:

                return Flarum\Foundation\Site::fromPaths([
                    'base' => '/home/customer/www/domain.com/flarum',
                    'public' => '/home/customer/www/domain.com/public_html',
                    'storage' => '/home/customer/www/domain.com/flarum/storage',
                ]);

                but still there is a little problem, when I visit https://domain.com, it will soon redirect to https://domain.com//, yes, with two // at the end, do you know what might cause this?

                Clark, I appreciate a lot for your help!

                I think I might open a new thread and write a step-by-step tutorial to tell everybody about solving this problem, it is very simple.

                  Glad to hear it works!

                  Kurtis it will soon redirect to https://domain.com//,

                  Check the url in config.php is correct.

                  Flarum usually doesn't perform any redirect by default, so it might be due to some additional configuration you made in the .htaccess for example.

                    clarkwinkelmann

                    Awesome! Yes, it is because I edited the config.php before, make 'url' => 'http://domain.com/public', into 'url' => 'http://domain.com/', and now I make it into 'url' => 'http://domain.com', without a / at the end, then everything is fine, now it is http://domain.com

                    I am going to open a new thread as tutorial to this issue and mentioned our current thread, so that new user won't waste so much time as I did.

                    Thank you Clark! Very appreciated!

                    3 months later

                    Help, I don't understand how to show my forum in /forum/ folder only, and not in /forum/public 🙁

                    I have installed from composer Flarum files in /forum/ folder.. and here ok.

                    Now, if I don't change settings, I go to mysite.com/forum/ and browser goes to mysite.com/forum/public.
                    I want to hide the word public.

                    I have tried:

                    htaccess:

                      # Uncomment the following lines if you are not using a `public` directory
                      # to prevent sensitive resources from being exposed.
                      RewriteRule /\.git / [F,L]
                      RewriteRule ^auth\.json$ / [F,L]
                      RewriteRule ^composer\.(lock|json)$ / [F,L]
                      RewriteRule ^config.php$ / [F,L]
                      RewriteRule ^flarum$ / [F,L]
                      RewriteRule ^storage/(.*)?$ / [F,L]
                      # RewriteRule ^vendor/(.*)?$ / [F,L]

                    index.php:

                    $site = require '../forum/site.php';

                    site.php:

                    return Flarum\Foundation\Site::fromPaths([
                        'base' => __DIR__.'/forum',
                        'public' => __DIR__,
                        'storage' => __DIR__.'/forum/storage',
                    ]);

                    But I have this result (mysite.com/forum), if I click on "public/" I have 500 error: