Secure folder setup and router script

Hi there.

I am trying to set up Kirby v3 above the web root but I cannot get it to run in my local dev env (php -s with router script flag).

Here is what the folder structure looks like:

/www # → The web root
   — .htaccess
   — index.php

Inside my index.php I have the following:

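<?php
// index.php

// Load Kirby from the folder above the web root
include '../kirby/bootstrap.php';

$kirby = new Kirby([
   'roots' => [
      // only the index root is inside the web root
      'index'   => __DIR__,
      'content' => __DIR__ . '/../content',
      'site'    => __DIR__ . '/../site',
   ],
]);

echo $kirby->render();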

When I start it with cd /www && php -S localhost:8000 ../kirby/router.php I get errors in Kirby/router.php (assuming because the $root var doesn’t point to the correct __DIR__). If I omit the router script the server starts up but then no media is found.
Any thoughts on this?
Also: Can the /media folder also be placed outside the webroot?

please read the “public folder setup” in the docs. apart from naming the public folder www i think it should solve your problem.

a note aside: using relative paths with /../ might need a wrapping realpath(). but i do not think that's the problem here. just follow the public folder setup.

you might need to change the router php but someone else needs to comment on that because i never use that one. mamp/xampp/valet/homestead are mostly free and provide a more well rounded solution especially when debugging with xdebug.

oh and welcome to the forum. :confetti_ball:

since i use the public folder myself exclusively i created a modified version of the plainkit which you can use as reference or clone. but it's intended to be used with composer so i am not sure it fits your needs today.

Thanks @bnomei for your help. I was off the last days, just catching up with stuff. I will try out what you mentioned.

This is one of the reasons I want to rewrite the Kirby roots tbh :slight_smile:


Is your plainkit supposed to work with php -S?

Addendum: Just tested it with the router script, it doesn’t work :confused:

To answer this question: No, the /media folder needs to be publicly accessible.

We do not recommend or support use of the built-in server. For custom setups, I recommend you use a different development environment.