Currently, our web server acts as a combined front controller, router, and dispatcher for our legacy application. The routes to the page scripts are mapped directly onto the file system, using the web server document root as a base. The web server document root, in turn, is mapped directly to the root of the legacy application.
For example, if the web server document root is /var/www/htdocs, it currently doubles as the application root. Thus, the URL path /foo/bar.php maps directly to /var/www/htdocs/foo/bar.php.
This may be fine for public resources, but there are large parts of our application that we do not want to be directly accessible by outsiders. For example, directories related to configuration and setup should not be exposed to possible outside examination. An error in the web server configuration may reveal the code itself, making our passwords and other information available to malicious users.
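The following audit script is an added example, not code from the legacy application: it walks a document root, applies the same path-to-URL mapping described above, and lists the URL paths that land in configuration or setup directories or that the server would probably not execute as PHP. The directory names, the extension list, and the sample tree are assumptions made for illustration.

```php
<?php
// Added example: list URL paths exposed when the document root doubles
// as the application root. Names below are assumptions; adjust them.

const SENSITIVE_DIRS   = ['config', 'setup'];          // assumed directory names
const SOURCE_LEAK_EXTS = ['inc', 'ini', 'bak', 'sql']; // assumed: not handed to PHP

function audit_docroot(string $docroot): array
{
    $docroot  = rtrim(realpath($docroot), DIRECTORY_SEPARATOR);
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (! $file->isFile()) {
            continue;
        }
        // The URL path is the file path with the document root stripped.
        $relative = substr($file->getPathname(), strlen($docroot));
        $urlPath  = str_replace(DIRECTORY_SEPARATOR, '/', $relative);
        $segments = explode('/', trim(dirname($urlPath), '/'));
        if (array_intersect($segments, SENSITIVE_DIRS)) {
            $findings[$urlPath] = 'inside a configuration or setup directory';
        } elseif (in_array(strtolower($file->getExtension()), SOURCE_LEAK_EXTS, true)) {
            $findings[$urlPath] = 'extension may be served as source, not executed';
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed sample tree standing in for /var/www/htdocs.
$root = sys_get_temp_dir() . '/htdocs_' . uniqid();
$sample = ['foo/bar.php', 'config/db.php', 'setup/install.php', 'lib/db.inc'];
foreach ($sample as $rel) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", "<?php // constructed sample\n");
}

foreach (audit_docroot($root) as $urlPath => $reason) {
    echo "$urlPath: $reason\n";
}
```

Every path the script reports is one an outsider can request directly as long as the document root and the application root are the same directory.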