=======================================
PHP BASIC OPEN_BASEDIR CONCEPT
=======================================

Files and media can be protected by storing them outside of the document root so
that there is no direct access to them. A script could then be used to validate a
request and decide to serve it or not.

We can extend this feature and move ALL files outside of the htdocs directory.
The htdocs directory would be keep to a bare minimum.

  /path/to/site/
            |
            |_ htdocs/
            |   |_ .htaccess
            |   |_ index.php
            |
            |_ base/
                |_ about.php
                |_ error.php
                |_ index.php
                |_ test.php
                |
                |_ public/
                |   |
                |   |_ css/
                |   |   |_ bootstrap.min.css
                |   |   |_ site.min.css
                |   |
                |   |_ js/
                |   |   |_ bootstrap.min.js
                |   |   |_ jquery.min.js
                |   |   |_ site.min.js
                |   |
                |   |_images/
                |       |_batman.jpg
                |
                |_ private/
                    |
                    |_ images/
                        |_ batman.jpg


All urls will have no suffixes to hide the language that is used and all urls
with get vars will be simplified. For example these pretty urls would be valid

  https://www.site.foo
  https://www.site.foo/
  https://www.site.foo/file
  https://www.site.foo/file/var0/var1/var2/var3

and these urls would generate error 404

  https://www.site.foo/index
  https://www.site.foo/index.php
  https://www.site.foo/file.php

This example uses jquery and bootstrap to demonstrate how files can be installed
and served up from outside of the document root.

  https://code.jquery.com/jquery-3.7.0.min.js
  https://github.com/twbs/bootstrap/releases/download/v4.6.2/bootstrap-4.6.2-dist.zip


=======================================
apache www.site.foo.conf
---------------------------------------

Add open_basedir directive to the apache site configuration .conf file.

  DocumentRoot "/path/to/site/htdocs"

  <Directory "/path/to/site/htdocs">
    Options -Indexes
  </Directory>

  <IfModule php_module>
    php_admin_value open_basedir "/path/to/site/"
  </IfModule>


=======================================
.htaccess
---------------------------------------

RewriteEngine on

# custom error page
ErrorDocument 400 /error
ErrorDocument 401 /error
ErrorDocument 403 /error
ErrorDocument 404 /error
ErrorDocument 405 /error
ErrorDocument 406 /error
ErrorDocument 407 /error
ErrorDocument 408 /error
ErrorDocument 409 /error
ErrorDocument 410 /error
ErrorDocument 411 /error
ErrorDocument 412 /error
ErrorDocument 413 /error
ErrorDocument 414 /error
ErrorDocument 415 /error
ErrorDocument 416 /error
ErrorDocument 417 /error
ErrorDocument 421 /error
ErrorDocument 422 /error
ErrorDocument 423 /error
ErrorDocument 424 /error
ErrorDocument 426 /error
ErrorDocument 429 /error
ErrorDocument 431 /error
ErrorDocument 451 /error
ErrorDocument 500 /error
ErrorDocument 501 /error
ErrorDocument 502 /error
ErrorDocument 503 /error
ErrorDocument 504 /error
ErrorDocument 505 /error
ErrorDocument 506 /error
ErrorDocument 507 /error
ErrorDocument 508 /error
ErrorDocument 510 /error
ErrorDocument 511 /error

# pass everything to index.php
RewriteRule ^/*$                                                                index.php?uri=%{REQUEST_URI} [NC,END]
RewriteRule ^([a-zA-Z0-9]+)/*$                                                  index.php?uri=%{REQUEST_URI}&file=$1 [NC,END]
RewriteRule ^([a-zA-Z0-9]+)/([^/]+)/*$                                          index.php?uri=%{REQUEST_URI}&file=$1&v0=$2 [NC,END]
RewriteRule ^([a-zA-Z0-9]+)/([^/]+)/([^/]+)/*$                                  index.php?uri=%{REQUEST_URI}&file=$1&v0=$2&v1=$3 [NC,END]
RewriteRule ^([a-zA-Z0-9]+)/([^/]+)/([^/]+)/([^/]+)/*$                          index.php?uri=%{REQUEST_URI}&file=$1&v0=$2&v1=$3&v2=$4 [NC,END]
RewriteRule ^([a-zA-Z0-9]+)/([^/]+)/([^/]+)/([^/]+)/([^/]+)/*$                  index.php?uri=%{REQUEST_URI}&file=$1&v0=$2&v1=$3&v2=$4&v3=$5 [NC,END]
RewriteRule ^([a-zA-Z0-9]+)/([^/]+)/([^/]+)/([^/]+)/([^/]+)/([^/]+)/*$          index.php?uri=%{REQUEST_URI}&file=$1&v0=$2&v1=$3&v2=$4&v3=$5&v4=$6 [NC,END]
RewriteRule ^([a-zA-Z0-9]+)/([^/]+)/([^/]+)/([^/]+)/([^/]+)/([^/]+)/([^/]+)/*$  index.php?uri=%{REQUEST_URI}&file=$1&v0=$2&v1=$3&v2=$4&v3=$5&v4=$6&v5=$7 [NC,END]


=======================================
/path/to/site/htdocs/index.php
---------------------------------------

<?php
define('BASE', '../base');

if($_SERVER['REQUEST_URI'] == '/') {
  $file = BASE.'/index.php';
  unset($_GET, $_POST);
} elseif($_SERVER['REQUEST_URI'] == '/index' || $_SERVER['REQUEST_URI'] == '/index.php') {
  unset($_GET, $_POST);
} else {
  function filter(array &$array) {
    array_walk_recursive($array, function(&$value) {
      $value = filter_var(trim($value), FILTER_SANITIZE_STRING);
    });
    return $array;
  }
  if(isset($_GET) && !empty($_GET)) {
    $_GET = filter($_GET);
    if(isset($_GET['file']) && !empty($_GET['file']) && count(explode('/', $_GET['file'])) == 1 && count(explode('.', $_GET['file'])) == 1) {
      $file_test = preg_replace('/[^0-9a-zA-Z]/', '', $_GET['file']);
      if($file_test == 'public') {
        $file = BASE.'/public.php';
      } elseif($file_test == 'private') {
        $file = BASE.'/private.php';
      } elseif($file_test != 'index') {
        $file = BASE.'/'.$file_test.'.php';
      }
    }
  } elseif(isset($_POST) && !empty($_POST)) {
    $_POST = filter($_POST);
    if(isset($_POST['file']) && !empty($_POST['file']) && count(explode('/', $_POST['file'])) == 1 && count(explode('.', $_POST['file'])) == 1) {
      $file_test = preg_replace('/[^0-9a-zA-Z]/', '', $_POST['file']);
      if($file_test != 'index') {
        $file = BASE.'/'.$file_test.'.php';
      }
    }
  }
}

if(!isset($file) || empty($file) || !is_file($file)) {
  $_SERVER['REDIRECT_STATUS'] = 404;
  $file = BASE.'/error.php';
}

require_once($file);
?>


=======================================
/path/to/site/base/inc_ini.php
---------------------------------------

<?php define('INCLUDE', true); ?>


=======================================
/path/to/site/base/inc_inc.php
---------------------------------------

<?php
if(count(get_included_files()) == 1 || !defined('INCLUDE')) {
  $_SERVER['REDIRECT_STATUS'] = 404;
  require_once('error.php');
  exit();
}
?>


=======================================
/path/to/site/base/inc_nav.php
---------------------------------------

<?php require_once('inc_inc.php'); ?>
    <nav class="navbar navbar-expand-sm navbar-dark bg-dark">
      <a class="navbar-brand" href="/">concepts</a>
      <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarmenu">
        <span class="navbar-toggler-icon"></span>
      </button>
      <div class="collapse navbar-collapse" id="navbarmenu">
        <ul class="navbar-nav mr-auto">
<?php
$nav[] = array('/about',              'about');
$nav[] = array('/test/batman/1/2/3',  'test private');
$nav[] = array('/test/0/1/2/3/4/5',   'test public');
$nav[] = array('/test/0/1/2/3/4/5/6', 'test 404');
$nav[] = array('/fail',               'fail');

foreach($nav as $link) {
  if($link[0] == $_SERVER['REQUEST_URI']) {
    $active = ' active';
  } else {
    $active = '';
  }
  print('          <li class="nav-item'.$active.'"><a href="'.$link[0].'" class="nav-link">'.$link[1].'</a></li>'.PHP_EOL);
}
?>
        </ul>
      </div>
    </nav>


=======================================
/path/to/site/base/error.php
---------------------------------------

<?php
require_once('inc_ini.php');
$status = array(
  100 => 'Continue',
  101 => 'Switching Protocols',
  102 => 'Processing',
  200 => 'OK',
  201 => 'Created',
  202 => 'Accepted',
  203 => 'Non-Authoritative Information',
  204 => 'No Content',
  205 => 'Reset Content',
  206 => 'Partial Content',
  207 => 'Multi-Status',
  226 => 'IM Used',
  300 => 'Multiple Choices',
  301 => 'Moved Permanently',
  302 => 'Found',
  303 => 'See Other',
  304 => 'Not Modified',
  305 => 'Use Proxy',
  306 => 'Reserved',
  307 => 'Temporary Redirect',
  400 => 'Bad Request',
  401 => 'Unauthorized',
  402 => 'Payment Required',
  403 => 'Forbidden',
  404 => 'Not Found',
  405 => 'Method Not Allowed',
  406 => 'Not Acceptable',
  407 => 'Proxy Authentication Required',
  408 => 'Request Timeout',
  409 => 'Conflict',
  410 => 'Gone',
  411 => 'Length Required',
  412 => 'Precondition Failed',
  413 => 'Payload Too Large',
  414 => 'URI Too Long',
  415 => 'Unsupported Media Type',
  416 => 'Range Not Satisfiable',
  417 => 'Expectation Failed',
  418 => 'I\'m a teapot',
  421 => 'Misdirected Request',
  422 => 'Unprecessable Entity',
  423 => 'Locked',
  424 => 'Failed Dependency',
  425 => 'Too Early',
  426 => 'Upgrade Required',
  428 => 'Precondition Required',
  429 => 'Too Many Requests',
  431 => 'Request Header Fields Too Large',
  451 => 'Unavailable For Legal Reasons',
  500 => 'Internal Server Error',
  501 => 'Not Implemented',
  502 => 'Bad Gateway',
  503 => 'Service Unavailable',
  504 => 'Gateway Timeout',
  505 => 'HTTP Version Not Supported',
  506 => 'Variant Also Negotiates',
  507 => 'Insufficient Storage',
  508 => 'Loop Detected',
  510 => 'Not Extended',
  511 => 'Network Authentication Required'
);

if(isset($_SERVER['REDIRECT_STATUS']) && !empty($_SERVER['REDIRECT_STATUS']) && is_numeric($_SERVER['REDIRECT_STATUS']) && $_SERVER['REDIRECT_STATUS'] != 200 && array_key_exists($_SERVER['REDIRECT_STATUS'], $status)) {
  $err['code'] = $_SERVER['REDIRECT_STATUS'];
  $err['text'] = $status[$_SERVER['REDIRECT_STATUS']];
} else {
  $err['code'] = 404;
  $err['text'] = 'Not Found';
}
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <base url="/">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title><?php print($err['code'].' '.$err['text']); ?></title>
    <link rel="stylesheet" href="/public/bootstrap/css/bootstrap.min.css">
  </head>
  <body>

<?php require_once('inc_nav.php'); ?>

    <div class="container-fluid my-5">

      <div class="row justify-content-center">
        <div class="col-auto">
          <div class="alert alert-light border mb-0 pb-0">
            <pre><?php
print('&nbsp;uri: '.$_SERVER['REQUEST_URI'].'<br>');
print('name: /path/to/site/'.basename($_SERVER['SCRIPT_FILENAME']).'<br>');
print('file: /path/to/site/'.basename(__FILE__).'<br>');

if(isset($_GET) && !empty($_GET)) {
  print('<br>'.'GET:'.'<br>');
  foreach($_GET as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}

if(isset($_POST) && !empty($_POST)) {
  print('<br>'.'POST:'.'<br>');
  foreach($_POST as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}
?></pre>
          </div>
        </div>
      </div>
      
      <div class="row justify-content-center">
        <div class="col-auto">
<?php
print('<h1 class="text-center display-4 mt-5">'.$_SERVER['REQUEST_URI'].'</h1>');

print('<h1 class="text-center display-3 mb-5">'.$err['code'].' '.$err['text'].'<h1>');

if(isset($_SERVER['HTTP_REFERER']) && !empty($_SERVER['HTTP_REFERER'])) {
  print('<h4 class="text-center">referrer: '.$_SERVER['HTTP_REFERER'].'</h4>');
}

print('<h4 class="text-center">'.date('Y-m-d H:i:s T').'<h4>');
if(isset($_SERVER['REMOTE_ADDR']) && !empty($_SERVER['REMOTE_ADDR'])) {
  print('<h4 class="text-center">'.$_SERVER['REMOTE_ADDR'].' : '.$_SERVER['REMOTE_PORT'].'<h4>');
}

print('<h4 class="text-center">'.$_SERVER['HTTP_USER_AGENT'].'<h4>');
?>
        </div>
      </div>

    </div>

    <script src="/public/jquery/jquery.min.js"></script>
    <script src="/public/bootstrap/js/bootstrap.bundle.min.js"></script>

  </body>
</html>


=======================================
/path/to/site/base/index.php
---------------------------------------

<?php require_once('inc_ini.php'); ?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <base url="/">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>open_basedir</title>
    <link rel="stylesheet" href="/public/bootstrap/css/bootstrap.min.css">
  </head>
  <body>

<?php require_once('inc_nav.php'); ?>

    <div class="container-fluid my-5">
    
      <div class="row justify-content-center">
        <div class="col-auto">
          <div class="alert alert-light border mb-0 pb-0">
            <pre><?php
print('&nbsp;uri: '.$_SERVER['REQUEST_URI'].'<br>');
print('name: /path/to/site/'.basename(dirname($_SERVER['SCRIPT_FILENAME'])).'/'.basename($_SERVER['SCRIPT_FILENAME']).'<br>');
print('file: /path/to/site/'.basename(dirname(__FILE__)).'/'.basename(__FILE__).'<br>');

if(isset($_GET) && !empty($_GET)) {
  print('<br>'.'GET:'.'<br>');
  foreach($_GET as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}

if(isset($_POST) && !empty($_POST)) {
  print('<br>'.'POST:'.'<br>');
  foreach($_POST as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}
?></pre>
          </div>
        </div>
      </div>
      
    </div>

    <script src="/public/jquery/jquery.min.js"></script>
    <script src="/public/bootstrap/js/bootstrap.bundle.min.js"></script>

  </body>
</html>


=======================================
/path/to/site/base/test.php
---------------------------------------

<?php require_once('inc_ini.php'); ?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <base url="/">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>open_basedir</title>
    <link rel="stylesheet" href="/public/bootstrap/css/bootstrap.min.css">
  </head>
  <body>

<?php require_once('inc_nav.php'); ?>

    <div class="container-fluid my-5">
      <div class="row">
        <div class="col">
          <div class="alert alert-light border mb-0 pb-0">
            <pre><?php
print('&nbsp;uri: '.$_SERVER['REQUEST_URI'].'<br>');
print('name: /path/to/site/'.basename(dirname($_SERVER['SCRIPT_FILENAME'])).'/'.basename($_SERVER['SCRIPT_FILENAME']).'<br>');
print('file: /path/to/site/'.basename(dirname(__FILE__)).'/'.basename(__FILE__).'<br>');

if(isset($_GET) && !empty($_GET)) {
  print('<br>'.'GET:'.'<br>');
  foreach($_GET as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}

if(isset($_POST) && !empty($_POST)) {
  print('<br>'.'POST:'.'<br>');
  foreach($_POST as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}
?></pre>
          </div>
        </div>
        <div class="col">
          <div class="card bg-dark text-white">
            <img class="card-img" src="/public/images/batman.jpg">
            <div class="card-img-overlay">
              <h5 class="card-title" style="text-shadow: 0px 0px 3px #000;">Public Image</h5>
              <p class="card-text" style="text-shadow: 0px 0px 3px #000;">Accessible for PUBLIC viewing</p>
              <p class="card-text" style="text-shadow: 0px 0px 3px #000;">&lt;img src="/public/image/batman.jpg"&gt;</p>
            </div>
          </div>
        </div>
        <div class="col">
          <div class="card bg-dark text-white">
            <img class="card-img" src="/private/images/batman.jpg">
            <div class="card-img-overlay">
              <h5 class="card-title" style="text-shadow: 0px 0px 3px #000;">Private Image</h5>
              <p class="card-text" style="text-shadow: 0px 0px 3px #000;">Accessible for PRIVATE viewing</p>
              <p class="card-text" style="text-shadow: 0px 0px 3px #000;">&lt;img src="/private/image/batman.jpg"&gt;</p>
            </div>
          </div>
        </div>
      </div>

    </div>

    <script src="/public/jquery/jquery.min.js"></script>
    <script src="/public/bootstrap/js/bootstrap.bundle.min.js"></script>

  </body>
</html>


=======================================
/path/to/site/base/about.php
---------------------------------------

<?php
require_once('inc_ini.php');
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <base url="/">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>open_basedir</title>
    <link rel="stylesheet" href="/public/bootstrap/css/bootstrap.min.css">
  </head>
  <body>

<?php require_once('inc_nav.php'); ?>

    <div class="container-fluid my-5">

      <div class="row justify-content-center">
        <div class="col-auto">
          <div class="alert alert-light border mb-0 pb-0">
            <pre><?php
print('&nbsp;uri: '.$_SERVER['REQUEST_URI'].'<br>');
print('name: /path/to/site/'.basename(dirname($_SERVER['SCRIPT_FILENAME'])).'/'.basename($_SERVER['SCRIPT_FILENAME']).'<br>');
print('file: /path/to/site/'.basename(dirname(__FILE__)).'/'.basename(__FILE__).'<br>');

if(isset($_GET) && !empty($_GET)) {
  print('<br>'.'GET:'.'<br>');
  foreach($_GET as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}

if(isset($_POST) && !empty($_POST)) {
  print('<br>'.'POST:'.'<br>');
  foreach($_POST as $key => $val) {
    print('['.$key.'] => '.$val.'<br>');
  }
}
?></pre>
          </div>
        </div>
      </div>
      
    </div>

    <script src="/public/jquery/jquery.min.js"></script>
    <script src="/public/bootstrap/js/bootstrap.bundle.min.js"></script>

  </body>
</html>


=======================================
/path/to/site/base/public.php
---------------------------------------

<?php
require_once('inc_ini.php');

foreach($_GET as $key => $val) {
  if($key != 'uri' && $key != 'file' && $val != '.' && $val != '..') {
    $file_test .= '/'.$val;
  }
}
$file = BASE.'/'.$file_test;
if(is_file($file)) {
  header('Content-Disposition: inline; filename="'.basename($file).'"');
  $ext = pathinfo($file, PATHINFO_EXTENSION);
  if($ext == 'css') {
    header('Content-type: text/css');
  } elseif($ext == 'js') {
    header('Content-type: text/javascript');
  } elseif($ext == 'txt') {
    header('Content-type: text/plain');
  } elseif($ext == 'jpg') {
    header('Content-type: image/jpg');
  } elseif($ext == 'png') {
    header('Content-type: image/png');
  } else {
    $finfo = finfo_open(FILEINFO_MIME);
    $mime = explode(';', finfo_file($finfo, $file))[0];
    header('Content-Type: '.$mime);
    header('Connection: Keep-Alive');
    header('Keep-Alive: timeout=5 max=100');
    header('Accept-Ranges: bytes');
  }
  header('Content-Length:'.filesize($file));
  readfile($file);
} else {
  $_SERVER['REDIRECT_STATUS'] = 404;
  $file = BASE.'/error.php';
  require_once($file);
}
?>


=======================================
/path/to/site/base/private.php
---------------------------------------

<?php
require_once('inc_ini.php');

if(isset($_SERVER['HTTP_REFERER'])) {
  $exp = explode('/', $_SERVER['HTTP_REFERER']);
  if($exp[3] == 'test' && $exp[4] == 'batman') {
    $ok = true;
  }
}

foreach($_GET as $key => $val) {
  if($key != 'uri' && $key != 'file' && $val != '.' && $val != '..') {
    $file_test .= '/'.$val;
  }
}
$file = BASE.'/'.$file_test;
if(is_file($file) && isset($ok)) {
  header('Content-Disposition: inline; filename="'.basename($file).'"');
  $ext = pathinfo($file, PATHINFO_EXTENSION);
  if($ext == 'css') {
    header('Content-type: text/css');
  } elseif($ext == 'js') {
    header('Content-type: text/javascript');
  } elseif($ext == 'txt') {
    header('Content-type: text/plain');
  } elseif($ext == 'jpg') {
    header('Content-type: image/jpg');
  } elseif($ext == 'png') {
    header('Content-type: image/png');
  } else {
    $finfo = finfo_open(FILEINFO_MIME);
    $mime = explode(';', finfo_file($finfo, $file))[0];
    header('Content-Type: '.$mime);
    header('Connection: Keep-Alive');
    header('Keep-Alive: timeout=5 max=100');
    header('Accept-Ranges: bytes');
  }
  header('Content-Length:'.filesize($file));
  readfile($file);
} else {
  $_SERVER['REDIRECT_STATUS'] = 404;
  $file = BASE.'/error.php';
  require_once($file);
}
?>


=======================================
demo site
---------------------------------------

https://base.oetec.com


=======================================
:0)
=======================================