The "no no for private" needed when private is outside root?

MatthijsG

Is this piece of text needed in the .conf file when the folder for private files is outside the root?

        # No no for private
        location ~ ^/sites/.*/private/ {
                return 403;
        }

The location for private files is /home/foobar/filesprotected
The location for Drupal is /home/foobar/drupal7/
For an anonymous visitor it isn't possible to directly enter /home/foobar/filesprotected (duh .. ;-)



perusio

Anyway, returning a 403 is not the best option, but rather a 404. Furthermore, the RFC says it.

Also, it's better to mark it internal.

## No no for private
location ~ ^/sites/[^/]*/private/ {
    internal;
}

If the directory is outside of the web root, no.
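An added example, not written by either poster: a Python check that decides whether a private directory resolves inside the web root (the condition the answer turns on) and, if it does, which of the two location patterns from the thread would cover its URL. The function names and the two layouts inside the web root are constructed for illustration; the other two paths come from the question.

```python
import os
import re

# The two location patterns quoted in the thread. nginx uses PCRE; these
# particular patterns behave the same under Python's re module.
BROAD = re.compile(r"^/sites/.*/private/")
NARROW = re.compile(r"^/sites/[^/]*/private/")


def url_path_for(web_root, private_dir):
    """URL path at which nginx would expose private_dir, or None when the
    directory resolves (symlinks followed) to somewhere outside web_root."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(private_dir)
    if os.path.commonpath([root, target]) != root:
        return None
    rel = os.path.relpath(target, root)
    return "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"


def audit(web_root, private_dir):
    """Report whether a location block is needed and which pattern covers it."""
    uri = url_path_for(web_root, private_dir)
    if uri is None:
        return {"reachable": False, "uri": None, "broad": None, "narrow": None}
    return {
        "reachable": True,
        "uri": uri,
        "broad": BROAD.match(uri) is not None,
        "narrow": NARROW.match(uri) is not None,
    }


if __name__ == "__main__":
    root = "/home/foobar/drupal7"  # web root from the question
    layouts = [
        "/home/foobar/filesprotected",                       # from the question
        "/home/foobar/drupal7/sites/default/private",        # constructed
        "/home/foobar/drupal7/sites/default/files/private",  # constructed
    ]
    for private in layouts:
        print(private, audit(root, private))
```

For the third layout the `[^/]*` pattern does not match, because the private directory sits one level deeper than `sites/<site>/private/`; a site laid out that way needs the pattern adjusted to its actual path.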