Home/ Questions/Q 6550033
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T12:09:59+00:00

I am on a Parallels/Plesk VPS host, and this is a really newbie question.

  • 0

I am on a Parallels/Plesk VPS host, and this is a really newbie question.

The webroot is at:

/var/www/vhosts/my-domain-name/httpdocs

There is also a path called:

/var/www/vhosts/my-domain-name/private/

But PHP scripts can’t seem to read files in there.

From my understanding any file placed within the webroot, is in danger of being served to the public if requested by its web-path/filename. I am vaguely aware of the use of .htaccess files to tell Apache not to serve certain files/dirs.

But can (or should) I place my sensitive file somewhere outside of the webroot, while still allowing it to be read by PHP scripts?

Thank you!

Here were my errors when trying to read a file within the “private” folder above:

Warning: file() [function.file]: open_basedir restriction in effect. File(../../private/test.txt) is not within the allowed path(s): (/var/www/vhosts/blah.com/httpdocs:/tmp) in /var/www/vhosts/blah.com/httpdocs/misc/testscript.php on line 8

Warning: file(../../private/test-dt.txt) [function.file]: failed to open stream: Operation not permitted in /var/www/vhosts/blah.com/httpdocs/misc/testscript.php on line 8

UPDATE: SOLVED

Picto at reddit/r/PHPHelp gave me what I needed, and it is specific to Plesk systems.
I had to write a file called vhost.conf placed in the conf folder which exists at the same level as httpdocs. And in the vhost.conf, I used:

<Directory /var/www/vhosts/my-domain-name/httpdocs>
php_admin_value open_basedir /var/www/vhosts/my-domain-name/httpdocs:/tmp:/var/www/vhosts/my-domain-name/myfolder
</Directory>

So I now place my sensitive files in “myfolder”, which is outside of the webroot (httpdocs).
After this, to make these settings take effect, (restarting Apache doesn’t work) there are some Plesk specific commands to give, see: http://www.gadberry.com/aaron/2006/02/09/plesk_vhost/

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It’s a good practice store sensitive data outside apache document root.

    You need to allow PHP to access these folders adding or modifying the Virtual Host configuration.

    Look for
    php_value open_basedir

    and add your folders separated by a colon (:)

    More info at open_basedir

    Note: there is a few security issues with open_basedir, explained in

    http://www.hardened-php.net/advisory_012004.42.html

    EDIT:

    I use this tree structure for each domain:

    domain/            www-data permisions
├── etc            r-x
├── log            rwx
├── phpCache       rwx
├── phpFiler       rwx
├── phpInclude     r-x
├── phpLogs        rwx
├── phpSession     rwx
├── phpTmp         rwx
├── phpTrash       rwx
├── privat         --- 
├── www443         r-x
└── www80          r-x

    etc: for application configuration files.

    log: for Apache or nginx log files

    phpCache: for Zend_Cache files

    phpFiler: for app’s files, a PHP script serves it if the user has privileges.

    phpInclude: php_value include_path

    phpLogs: for application logs

    phpSessions: for store this virtual host data sessions.

    phpTmp: for temporal files, like uploaded.

    phpTrash: a trash for phpFiler.

    privat: for my private pourposes

    www443: for https document root

    www80: for http document root

    In open_basedir clausule I put all folders except log and privat.

    • 0