I couldn't with /public/

TodoWP

I'm trying to use Flarum but I'd better go somewhere else. That public is so tense that I don't even know how to get rid of it.

KBExit

I have my Flarum installed via Softaculous (Shared Host) and don't have much of an option to get that changed... But if you installed it manually yourself...
It is to my understanding, that you upload everything outside of the public directory and install the /public/ where you want the directory to start. So, in place of public_html in your server. I could be wrong, but that's how I comprehended that. You just have to have the server then point to that.

Jake Wilson

KBExit You move all the files out of the /public folder, and edit the files (site.php & index.php) to point to the root. If you need any more help let me know

Jake Wilson

Jake Wilson I probably should have tagged @TodoWP too...

KBExit

Jake Wilson Oh? Will this brick my Softaculous window? I mean I guess I wouldn't need it I guess. I only used it to tip toe around Composer.

KBExit

Jake Wilson I probably should have tagged @TodoWP too...

Looks like he's made this post several times now... I don't think he's going to come back to this.

Jake Wilson

KBExit It shouldn't, however I can always buy some cheap shared hosting and test it for you, if you dont wanna risk breaking your install

KBExit

Jake Wilson I appreciate that. I think it isn't aggressive as I can reverse what I do. I'm at work right now so I don't have access to try this out myself. But it definetly would clean up my url structure a lot better lol. Didn't know it would be that simple.

clarkwinkelmann

At this point we recommend using the official Zip download rather than Softaculous installer since they apparently have still not managed to fix it. The Softaculous installer is outside of the control of the Flarum Foundation.

It's not just a cosmetic thing. If you see /public in your URL, your forum is likely vulnerable to remote code execution.

KBExit

clarkwinkelmann so just to get this straight. If move everything out of /public and edit the two files @Jake Wilson mentioned, I'll be all good?

Jake Wilson

KBExit you’ll also need to edit your .htaccess or nginx.conf to enable file protection, as the public folder is designed to protect your files

KBExit

Jake Wilson I think I'm on apache? I'll have to see if cpanel has nginx.
I also noticed that there's a redirect from my domain / to /public set to permanent. Assuming Softaculous has something to do with that too

Jake Wilson

KBExit send me an email at Jake@emcado.com

KBExit

Jake Wilson sent

Jake Wilson

clarkwinkelmann that issue isn’t an issue assuming you take the proper precautions to protect your folders with htaccess, no?

KBExit

clarkwinkelmann It's not just a cosmetic thing. If you see /public in your URL, your forum is likely vulnerable to remote code execution.

On NameCheap Shared Hosting. Going off of what I am comprehending...
Could I move all the files one level up?
Example:
My Flarum is on public_html and pointed to public_html/public
Can I move everything in public_html in the directory before it and move /public to public_html ?
Then adjust the config files?
I ask this because I found your tool, MigrateToFlarum and got a score of D
your vendor folder is publicly reachable your storage folder is publicly reachable Composer files not exposed Debug mode is off

Insecure public folder
Vendor folder
Storage folder
Multiple urls

Alternatively, is there a way I can pay for someone to fix these issues on my shared host that way I'm not breaking anything or messing things up moving forward? And make sure I can use composer? I'm sorry.

Jake Wilson

KBExit check your email

clarkwinkelmann

The list of steps to remove the public folder are documented at https://docs.flarum.org/install#customizing-paths

Once done, a scan on the Lab is indeed a good idea. It'll check for any misconfiguration.

If this is a new install, the easiest is to start again with the Zip download that doesn't have the public folder.

The critical part is that it should be impossible to access or execute any file in vendor or storage. If you install with Composer those folders are expected to be out of the webroot and don't have any special protection. The htaccess and nginx files have optional protection rules that can be un-commented for those not using the public folder, but those rules only work if the files in the public folder have been moved to the root. If an HTTP redirect to /public is properly implemented and handles every request that doesn't start with /public then there should be no security risk, but that's not how the software is supposed to be installed.

KBExit

Jake Wilson I will I just cannot access it right now.

@clarkwinkelmann and @Jake Wilson
I found this video:
I should be able to just point my "document root" to /public and just be done with it right? Delete the redirect rule from Softaculous point to url.domain/public that way it'll serve Flarum via url.domain/ instead.
Maybe adjust the config to no longer reflect /public in the url settings of Flarum, and be done?

My apologies for being a complete noob. I'm more inclined to the old fashioned way of phpBB and SMF than this.

Jake Wilson

KBExit the YouTube video isn’t designed for flarum.