I am just launching a Kirby site on our Runcloud hosting. The hosting is set up on an NGINX/Apache2 hybrid stack (allows .htaccess to be used).
My Kirby panel warns me my content folder is exposed even though I have all the default Kirby .htaccess settings, including: RewriteRule ^content/(.*) index.php [L]
It's because everything's in the web root, i.e. the public or www or whatever your host has called it. If your host allows you to, you can place those folders outside of the public area, which increases security.
What does this look like and where does it come from? I have Apache with a standard Kirby setup and never see such a warning. Knowing the source where this warning is triggered might help finding the reason.
Maybe you need to dive deeper into the settings of your provider. Citing their docs:
By using this stack, your static files (eg: css,js,images,fonts) will be served by NGINX. If it is PHP, NGINX will pass it to Apache2 and the request will be passed to PHP-FPM.
For me, this means that requests for static files will not be served by Apache, and thus its .htaccess rules will not be evaluated. The rules therein will only be taken into account if .php files are requested. However, the sense of Kirby’s .htaccess file is to redirect all requests pertaining to any file in the site, kirby or content folder to the main index.php, which serves as a dispatcher.
I think I’m having the same issue on one of our servers. The .htaccess rewrite seems to be ignored. Everything works fine on a development server but not on the production system. The difference I found is a setting in Plesk which seems to be for performance reasons only. When I switch it on on the dev server, I get the same warning in the panel (content folder not safe).
I’m talking about the third checkbox (static files handled by nginx).
I don’t have access to the nginx config myself, but asked the hosting colleagues to see this guide and try out some things.
We need to run Kirby in a subfolder /kirby/ for the time being (this will later be the docroot), so I guess some adjustments need to be made to the nginx config example, but I am not familiar with the nginx syntax. Does someone have any hints? At the moment all tests result in a “not found” error when trying to access /kirby/.
My next idea is to try and switch off the checkbox on the production server and see what difference it makes to the performance, if any. Have to find a good way to test that. Any hints appreciated.
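Added example (not from any poster in this thread and not Kirby's own code): a small Python check to run against your own site before and after toggling the "static files handled by nginx" setting, to see whether files under content/, site/ and kirby/ are still served raw. The probe paths, the HTML-versus-raw heuristic and the simulated stack are assumptions.

```python
import sys
import urllib.error
import urllib.request

# Assumed probe files, not taken from the thread: pick files that exist in your install.
PROBES = ("content/site.txt", "site/blueprints/site.yml", "kirby/composer.json")

def http_fetch(url, timeout=10):
    """GET url and return (status, content_type), including for error responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "kirby-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get_content_type()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_content_type()

def is_exposed(status, content_type):
    """Heuristic (assumption): a request rewritten to index.php yields an HTML page,
    normally Kirby's error page, while a raw file is a 200 with a non-HTML type."""
    return status == 200 and content_type != "text/html"

def audit(base_url, fetch=http_fetch, probes=PROBES):
    """Return {path: True if the file was served raw} for each probe path."""
    base = base_url.rstrip("/") + "/"
    return {path: is_exposed(*fetch(base + path)) for path in probes}

def simulated_hybrid_fetch(static_by_nginx):
    """Constructed model of the stack discussed above, for offline runs: with
    static_by_nginx on, non-PHP files bypass Apache and its .htaccess rewrite."""
    def fetch(url):
        if static_by_nginx and not url.endswith(".php"):
            return 200, "text/plain"   # nginx serves the file from disk
        return 404, "text/html"        # Apache rewrites the request to index.php
    return fetch

if __name__ == "__main__":
    # With a URL argument: check that site. Without: run the constructed model.
    if len(sys.argv) > 1:
        findings = audit(sys.argv[1])
    else:
        findings = audit("https://example.test/kirby", simulated_hybrid_fetch(True))
    for path, exposed in findings.items():
        print(("EXPOSED  " if exposed else "ok       ") + path)
    sys.exit(1 if any(findings.values()) else 0)
```

Pass the site's base URL including the subfolder (for example the /kirby/ path mentioned above); the exit code is 1 if any probe file came back raw.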