When installing Drupal with Composer, the default setup places the core files within a /web subdirectory. While this structure has its advantages, many developers prefer to run their Drupal site directly from the root directory (/) for cleaner URLs and easier management. This article explores different approaches to achieve this, weighing the pros and cons of each method to help you make the best decision for your project.
By default, using composer create-project drupal/recommended-project ./ installs Drupal files in the /web directory.
This means your website is accessible via www.example.com/web. The goal is to make it accessible directly via www.example.com.
A common approach involves using an .htaccess file in the root to redirect traffic to the /web subdirectory. Here's a typical .htaccess configuration:
RewriteEngine on
RewriteRule (.*) web/$1 [L]
And uncommenting or adding the following to web/sites/default/settings.php:
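// Present /web/index.php to Drupal as /index.php so generated URLs omit the /web prefix.
if (isset($GLOBALS['request']) and '/web/index.php' === $GLOBALS['request']->server->get('SCRIPT_NAME')) {
  $GLOBALS['request']->server->set('SCRIPT_NAME', '/index.php');
}
// Only accept requests whose Host header matches one of these patterns.
$settings['trusted_host_patterns'] = [
  '^example\.com$',
  '^.+\.example\.com$',
];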
However, is this the correct way? The answer is: generally, no. This approach can introduce security risks.
One suggested solution involves modifying the Composer installation process itself. This approach, detailed in the Drupal documentation on modified installs, requires these steps:
Navigate to the desired root directory for your project: cd <directory containing the server document root directory>
Create the Drupal project without installing dependencies: composer create-project --no-install drupal/recommended-project ./
Modify the composer.json file to replace all references to web with the actual server document root directory (e.g., public_html or /srv/http as in the example).
Finally, install the dependencies: composer install
Example:
If your server document root is /srv/http, you would:
cd /srv
composer create-project --no-install drupal/recommended-project ./
# Edit composer.json, replacing "web" with "http"
composer install
Important Consideration: Be aware that issues can arise with this approach, as detailed in this related Stack Overflow question.
The most secure and recommended solution involves two key components: using the drupal/legacy-project and configuring your web server correctly.
Use drupal/legacy-project: Instead of directly manipulating the /web folder, utilize the drupal/legacy-project. This project is specifically designed for installations where Drupal needs to run from the root.
composer create-project drupal/legacy-project .
Crucially, this project includes extra security measures, particularly the drupal/core-vendor-hardening package, to protect the vendor directory when exposed in the root. This is vital because the vendor folder contains sensitive code.
Configure the Web Server: Point your web server's document root to the /web subdirectory (or the renamed equivalent if you choose to rename it). All major web servers (Apache, Nginx, etc.) support this configuration. This is typically done by configuring a virtual host.
Why is this important? By directing the web server to the appropriate subdirectory, you avoid exposing sensitive files and directories (like vendor) directly to the web, mitigating potential security vulnerabilities.
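A quick way to verify this on a server, as an added example that is not part of the original article: the shell function below reports which Composer files of a project fall inside a given document root. The function name exposed_paths and the inclusion of composer.json and composer.lock in the list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): list Composer project files
# that sit inside the web server's document root.
# Usage: exposed_paths PROJECT_ROOT DOCROOT

# Paths relative to the project root that should not be web-reachable.
# "vendor" is named by the article; the composer files are this example's assumption.
SENSITIVE="vendor composer.json composer.lock"

exposed_paths() {
    # Resolve symlinks so a docroot such as public_html -> web is compared correctly.
    project=$(cd "$1" && pwd -P) || return 2
    docroot=$(cd "$2" && pwd -P) || return 2
    for rel in $SENSITIVE; do
        [ -e "$project/$rel" ] || continue
        case "$project/$rel" in
            "$docroot"/*)
                # drupal/core-vendor-hardening writes an .htaccess into vendor,
                # so its absence means the directory is exposed without hardening.
                if [ "$rel" = vendor ] && [ -f "$project/vendor/.htaccess" ]; then
                    printf '%s (.htaccess present)\n' "$rel"
                elif [ "$rel" = vendor ]; then
                    printf '%s (no .htaccess)\n' "$rel"
                else
                    printf '%s\n' "$rel"
                fi ;;
        esac
    done
    return 0
}

# When run as a script with two arguments, print the report.
if [ "$#" -eq 2 ]; then exposed_paths "$1" "$2"; fi
```

An empty report means none of the listed paths can be served as static files from that document root.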
Using .htaccess to rewrite the URL and point to the subdirectory is generally discouraged because:
vendor directory is a significant risk.
drupal/legacy-project: It offers built-in security hardening.
.htaccess Rewrite Rules: They create security risks.
By understanding these different approaches, you can confidently and securely run your Drupal site from the root directory, creating a cleaner and more manageable web environment. Always prioritize security best practices to safeguard your Drupal installation.