There are two possible procedures here, which can also be combined:

File/directory rights

The web server software (nginx or apache) runs on the proServer with the user ID www, while the PHP scripts are executed with the user ID proserver. All files in the web server directory belong to the proserver user. In order for the web server to access a file or directory directly, the corresponding rights must be set for "all". If a file instead only has access rights set for the owner and possibly the group, access is only possible via PHP scripts, e.g. the CMS used in each case.

Example:

In your web server directory, you have a directory called fileadmin/downloads with files that should only be accessible via a download script with authentication. Then set the file permissions for the directory as follows:

[proserver@vproXXXX:~]$ chmod 750 fileadmin/downloads [proserver@vproXXXX:~]$ ls -ld fileadmin/downloads drwxr-x--- 2 proserver proserver 2 22 Nov. 11:58 fileadmin/downloads

Web server configuration

Apache

Apache allows you to restrict access to files or paths within the website with the help of .htaccess files. Frameworks such as TYPO3 usually also provide suitable templates that can be used (if necessary after adaptation to the conditions of your own website).

nginx

The nginx web server does not understand .htaccess files; access restrictions must therefore be included in the actual web server configuration. The TYPO3 project has suggestions for a sample configuration, which we will include in the /usr/local/etc/nginx/Includes/typo3.conf file for newly ordered proServers in the future. For existing proServers, you would have to copy this configuration into the appropriate file yourself; in both cases, however, you should check the configuration to see to what extent adjustments are necessary for your website.