Web Server Configuration Overview
The web server accepts HTTP requests before PHP runs. It can terminate TLS, serve static files directly, apply request limits, and forward dynamic requests to PHP-FPM. Even when another team owns the configuration, a PHP developer should understand this boundary because routing and security failures often begin there.
Point Requests At The Public Directory
- Set the public document root correctly.
- Forward only PHP entry points or intended scripts to FPM.
- Configure HTTPS, headers, body limits, and timeouts deliberately.
Verify Normal And Rejected Paths
- Verify static assets.
- Verify front-controller routing.
- Reject access to private config and source files.
Check Every Layer That Can Reject A Request
- Serving the repository root exposes private files.
- Upload limits can differ across proxy, server, and PHP.
- Incorrect rewrite rules create security and routing bugs.
Nginx Front Controller Sketch
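# Serve only the release's public/ directory, never the repository root.
root /srv/shop/current/public;
index index.php;
location / {
    # Serve an existing file or directory; otherwise hand the request to the front controller.
    try_files $uri $uri/ /index.php?$query_string;
}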
Uploads and long-running requests can be limited by a reverse proxy, the web server, FPM, and PHP configuration. When a request fails only in production, compare limits and timeouts across the whole path rather than changing one PHP setting at random.
Practice
Practice: Review A Public Document Root
Review a front-controller deployment before release. Include normal route checks, static asset checks, and requests that must be rejected.
Requirements
- Set the public document root correctly.
- Forward only PHP entry points or intended scripts to FPM.
- Configure HTTPS, headers, body limits, and timeouts deliberately.
- Verify static assets.
- Verify front-controller routing.
- Reject access to private config and source files.
Solution
Set the document root to the app's public/ directory. Verify that a normal application route reaches index.php, a static asset loads directly, and a missing route receives the intended application response.
Then request paths that must never be public, such as .env, Composer metadata, source files, logs, and private uploads. Check upload limits and timeouts across any proxy, web server, FPM, and PHP configuration because each layer can reject the request.
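The review described in the solution can be scripted. The following is an added example, not code from the original page: it requests paths that must be rejected and paths that must load, and runs that check against a constructed app tree served once from the repository root and once from public/. The file names, the two path lists, and Python's built-in static file server standing in for the real web server are assumptions.

```python
import functools, http.server, tempfile, threading, urllib.error, urllib.request
from pathlib import Path

# Hypothetical paths for a constructed app; replace with your own before use.
MUST_REJECT = ["/.env", "/composer.json", "/composer.lock", "/src/Kernel.php", "/var/log/app.log"]
MUST_SERVE = ["/css/app.css"]  # add normal application routes for a real deployment

# Ignore proxy environment variables so the check talks to the target directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def status(base, path):
    """Return the final HTTP status of GET base+path (redirects are followed)."""
    try:
        with OPENER.open(base + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def review(base):
    """Return findings for one base URL; an empty list means every check passed."""
    findings = [f"EXPOSED {p}" for p in MUST_REJECT if status(base, p) < 400]
    findings += [f"MISSING {p}" for p in MUST_SERVE if status(base, p) != 200]
    return findings

def serve(directory):
    """Start a throwaway static file server on a free loopback port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(directory))
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    """Review a constructed app tree served from the repository root and from public/."""
    files = {".env": "DB_PASSWORD=constructed", "composer.json": "{}", "src/Kernel.php": "<?php",
             "public/index.php": "<?php", "public/css/app.css": "body{}"}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for rel, body in files.items():
            (repo / rel).parent.mkdir(parents=True, exist_ok=True)
            (repo / rel).write_text(body)
        results = {}
        for name, root in {"repo_root": repo, "public": repo / "public"}.items():
            srv, base = serve(root)
            try:
                results[name] = review(base)
            finally:
                srv.shutdown()
                srv.server_close()
        return results
```

Calling `demo()` returns the findings for both document roots; before a release, call `review()` with the base URL of the staging deployment instead.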