I am looking for some help in moving the Moodle Config File outside of the webroot directory as it provides a much more secure environment.
Can anyone please offer me assistance in achieving this?
Why? I know what you said... really why? If your file permissions are correct then it's just as secure in the webroot as it is anywhere else. If Moodle works at all then all PHP files are fundamentally secure - how can you download one as opposed to run it as a script? Anyway, the only potentially insecure thing it contains is the database permissions and if you have set that up properly they shouldn't be much use to anybody anyway.
Regardless of the above, the file is referenced relatively from many (most?) files in Moodle so it can't be moved.
Oh, moving to security and privacy forum...
Make a config.php file containing just
<?php
require_once('/some/other/path/real-config.php');
require_once(dirname(__FILE__) . '/lib/setup.php');
This didn't seem to work.
The result was a single white page with nothing on it.
Have put everything back as it was and it is working fine, but would love to get the config file outside the root directory.
I understand why you may want to move the config outside the webroot, but there really is no need.
Unless you've really broken something, visiting config.php in your browser reveals nothing to an end user - as the PHP is parsed on the server and goes nowhere.
The only reason I intend on doing it is because it is possible to read a PHP file into a string and display the information it contains.
I want to prevent people from being able to access the sensitive information that the config file contains.
I do understand the odds of this happening are small but still better safe than sorry.
It doesn't matter where the config file is from that perspective. You can dump $CFG anywhere, and will get everything the config file contains - but getting PHP onto the server as a user, and being able to execute it, is a different story. Moodle is very well hardened against attacks such as this.
That said, if you're aware of a specific, repeatable attack vector that exists in Moodle, please report it on the Tracker, ensuring you select the appropriate security level so that it is dealt with correctly.
Just checking the obvious: I hope you did not take me literally. I hope you made a file real-config.php (or whatever you called it) and put (almost) everything that used to be in config.php there.
Then, put the actual path to that file in the minimal config.php.
When it failed, were you able to get any useful error messages out (e.g. in the logs)?
Haha, of course.
I had the false config file with the code you presented in the root directory of the Moodle installation, and moved the original config file outside of the root directory into a secure includes folder outside the public html, as I have done for multiple WordPress installations.
I then included the relative path in the false config file and saved it all, and the only thing that came up was a blank white page.
Not entirely sure what the problem was. As it is not self-hosted, I cannot really access most of the logs.
When you say, "the only thing that come up was a blank white page", how did you generate this? If you navigated to "[yourmoodleurl]/config.php", the only thing you should get is a white page. That's what makes it secure. If you navigated to your site home page, then there is a problem.
mike
I am navigating to the home page.
If I was getting a blank page when visiting config.php I would be fine but the problem is I'm not even getting the main website.
When I visit my regular URL I get a blank page.
I was able to get it working outside the directory this morning with the following setup:
In the Moodle root directory I have a config file with the following:
<?php require_once('/home/ccccp041/secureincludes/moodle-config.php'); require_once(dirname(__FILE__) . '/lib/setup.php');
In the Secure Includes Directory I have my normal Moodle Config File:
//require_once(dirname(__FILE__) . '/lib/setup.php');
THIS IS THE ONLY LINE I CHANGED. By noting out this line, it allows the other reference to this file in the false or header config file to be called instead, thus getting it working.
Please consider the topic closed.
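An added example, not part of the thread or of Moodle's own code: a stub config.php for the Moodle root that writes to the server error log instead of showing a blank white page when the relocated settings file is missing, sits inside the webroot, or still calls lib/setup.php itself. The path is the placeholder used earlier in the thread, and the variable names and log messages are assumptions.

```php
<?php
// Added example: stub config.php kept in the Moodle root directory.
// Placeholder path; point it at the settings file stored outside the webroot.
$stub_realconfig = '/some/other/path/real-config.php';

// Helper (hypothetical name): log the reason, then stop with a visible message.
function stub_config_fail($reason) {
    error_log('Moodle stub config: ' . $reason);
    http_response_code(503);
    exit('Site configuration unavailable.');
}

// 1. The settings file must exist and be readable by the PHP process.
$stub_real = realpath($stub_realconfig);
if ($stub_real === false || !is_readable($stub_real)) {
    stub_config_fail('cannot read ' . $stub_realconfig);
}

// 2. It must not sit under the document root (empty when run from the CLI).
$stub_docroot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
if ($stub_docroot !== false
        && strpos($stub_real, $stub_docroot . DIRECTORY_SEPARATOR) === 0) {
    stub_config_fail($stub_real . ' is inside the webroot');
}

// 3. Warn (do not stop) if other local users can read the database password.
if (fileperms($stub_real) & 0004) {
    error_log('Moodle stub config: ' . $stub_real . ' is world-readable');
}

// 4. The moved file must not load lib/setup.php on its own: dirname(__FILE__)
//    inside it is the directory outside the webroot, where no lib/ exists.
//    Lines commented out with // do not match this pattern.
if (preg_match('~^\s*require(_once)?\b.*lib/setup\.php~m',
        file_get_contents($stub_real))) {
    stub_config_fail($stub_real . ' still requires lib/setup.php; comment that line out');
}

// Load the settings, then start Moodle from the real Moodle root.
require_once($stub_real);
unset($stub_realconfig, $stub_real, $stub_docroot);
require_once(dirname(__FILE__) . '/lib/setup.php');
```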