If your GLPI DocumentRoot does not point to the public folder, files that were never meant to be reachable from a browser (database configuration, application source, data) are served by the web server. Getting this one setting right is the most important security configuration for GLPI in production.
Why the public folder exists
Since GLPI 10 the files the browser may reach are kept apart from the internal files (configuration, data, application logic). The public folder contains only:
- index.php (the front controller that routes every request)
- .htaccess (Apache rewrite rules that send requests to index.php)
- Static files (CSS, JS, images)
Everything else (database configuration, PHP classes, sensitive data) stays outside the webroot, so the web server has no path by which to serve it.
Apache

```apache
<VirtualHost *:443>
    ServerName glpi.suaempresa.com

    # Only public/ is exposed; config/, src/ and vendor/ stay one level above it
    DocumentRoot /var/www/glpi/public

    <Directory /var/www/glpi/public>
        # Lets GLPI's public/.htaccess rewrite requests to index.php
        # (mod_rewrite must be enabled for this to work)
        AllowOverride All
        Require all granted
    </Directory>

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/glpi.crt
    SSLCertificateKeyFile /etc/ssl/private/glpi.key
</VirtualHost>
```

Nginx
```nginx
server {
    listen 443 ssl http2;
    server_name glpi.suaempresa.com;

    # Without these two lines nginx refuses to start an ssl listener
    ssl_certificate     /etc/ssl/certs/glpi.crt;
    ssl_certificate_key /etc/ssl/private/glpi.key;

    # Only public/ is exposed; the rest of /var/www/glpi is unreachable
    root /var/www/glpi/public;
    index index.php;

    # Serve static files that exist under public/, hand everything else
    # (including /config/..., /src/..., /front/*.php) to the front controller
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # index.php is the only PHP file in public/. Matching only it (rather than
    # every *.php URL) keeps /front/*.php and /install/install.php on the
    # try_files path above, where the router serves them; a bare \.php$ match
    # would send them straight to PHP-FPM as files that do not exist.
    location ~ ^/index\.php$ {
        # Socket path depends on the distribution and PHP version
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Verification
After configuring, first confirm that the login page at / loads (otherwise every 404 below proves nothing), then request URLs that should NOT work:
- /config/config_db.php → should return 404
- /src/ → should return 404
- /vendor/ → should return 404
- /install/install.php → should return 404 (after removal)
If any of them return content, the DocumentRoot is wrong. A 403 is not a pass either: with DocumentRoot set to public these paths do not exist at all, so a Forbidden response means the directory sits under the webroot and is only being shielded by an access rule.
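The checks above as a script, added here as an example and not part of the GLPI project. It assumes curl is installed and takes the base URL as its first argument; the status-code interpretation (404 pass, 403 "exists under the webroot", 200 "served") and the extra /files/ path are this example's own additions to the article's list.

```bash
#!/bin/sh
# Added example (not GLPI project code): probe a GLPI host for paths that must
# be unreachable once DocumentRoot points at public/.
# Assumes curl is installed; the base URL is passed as the first argument.
# Status-code meanings assumed here:
#   404 -> path does not exist under the webroot (expected)
#   403 -> the directory exists under the webroot, so the DocumentRoot is wrong
#   200 -> the file was served or executed, so the DocumentRoot is wrong

# Paths from the article plus /files/ (GLPI's data directory), added here.
SENSITIVE_PATHS="/config/config_db.php /src/ /vendor/ /install/install.php /files/"

# Map an HTTP status code to a one-word verdict.
classify_status() {
    case "$1" in
        404) echo ok ;;            # not found: the path is outside the webroot
        403) echo exists ;;        # forbidden: the path is under the webroot
        200) echo reachable ;;     # served or executed: definitely wrong
        *)   echo unexpected ;;    # redirects, 5xx, 000 (connection failed)
    esac
}

# Print only the HTTP status code for a URL; curl prints 000 on connection failure.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Probe every sensitive path under the base URL. Prints one line per path and
# returns the number of paths that did not come back as 404.
probe_glpi() {
    base="${1%/}"
    bad=0

    # Control check: if the login page itself is not reachable, a wall of 404s
    # says nothing about the DocumentRoot (wrong hostname, host down, ...).
    front=$(http_status "$base/")
    case "$front" in
        200|30[1-3]) ;;
        *) echo "control check failed: $base/ returned HTTP $front" >&2; return 1 ;;
    esac

    for p in $SENSITIVE_PATHS; do
        code=$(http_status "$base$p")
        verdict=$(classify_status "$code")
        printf '%-10s %-26s HTTP %s\n' "$verdict" "$p" "$code"
        [ "$verdict" = ok ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage: sh check_glpi_docroot.sh https://glpi.suaempresa.com
if [ "$#" -gt 0 ]; then
    probe_glpi "$1"
fi
```

Run it against the public hostname, not localhost, so the request goes through the same virtual host your users hit; a non-zero exit code is the number of paths that need attention.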