Improving Domain and Subdomain Security with a Public Directory

SYSTEM INFORMATION
Debian 12 REQUIRED
Virtualmin version 7.50.2 GPL REQUIRED

Recently, Moodle LMS has introduced significant changes to its folder structure and site architecture, especially in the latest versions and in response to security vulnerabilities. In particular, the introduction of the public folder prevents content from being directly accessible via URL, improving the protection of user and system data against unauthorized access. This is now a common practice to comply with security standards and to prevent potential attacks.

I would like to adopt this approach as well to increase the security of my domains and subdomains.
When creating a subdomain in Virtualmin, in the “Create Virtual Server” section, is it possible to automatically enable this structure with the public folder, or is it necessary to configure it manually after the virtual server has been created, using another option in Virtualmin?

Thank you for your time and for your response.

Mimmo

I do not think a sub app probably not used by many/most of the Webmin/Virtualmin community should be dictating the structure of every app.

Probably one for those that use Moodle, and could be done inside that app or via File Manager.

Perhaps you mean creating a sub-server and not creating a subdomain. There is a difference between the two.

So, if your question is that when creating sub-servers, is it better to store the contents under public_html of the top-level virtual server? Answer: no it is not!

And Moodle might be more secure after putting content in the public folder, but Virtualmin and its top-level servers and sub-servers are quite secure in the shared hosting environment that Virtualmin creates and enables us to administer.

I conclude with the comment that Virtualmin’s sub-servers should be avoided if possible, even though they are quite secure and functional. Even for subdomains, I prefer to create a top-level virtual server rather than a sub-server.


Thank you for the clarification; I really appreciate the explanation and the perspective you shared. It’s clear that Virtualmin already provides a good level of security and that, in many cases, servers and sub-servers are reliable and well-managed solutions.

In my case, the choice doesn’t stem from doubts about Virtualmin’s security, but rather from a desire to adopt a more cautious and organized approach to site structure, following practices that are fairly common today. Separating what is publicly accessible from the rest of the content helps me work with greater peace of mind and clarity, especially over time.

Thank you again for the discussion — it has been very helpful in clarifying the different approaches.

Webmin/Virtualmin lets you stand up a server using your OS of choice with decades of experience behind the choices. It has ALWAYS been up to the web designer as to the structure. Lots of programs have put stuff up one level from public_html. This program isn’t offering anything new but perhaps admitting they got careless in their design process. I mean how much more descriptive does public_html have to be? What went in there, as I said, was always a design choice.

Maybe I’m not understanding but why not create sub_server(subdomain) and use protected directories if you need extra protection?

Maybe I didn’t explain myself clearly, so I apologize. The point is that I’m not yet sure how to proceed correctly with this kind of configuration.

My idea is simply to create and configure a public directory inside public_html to add an extra layer of protection, and I would like to do this during the creation of a subdomain (for example, subdomain.mysite.com).

Thank you for your patience and for the discussion.

Virtualmin is flexible enough to let you do just that.

If you have files within public_html that should not be accessible to the rest of the internet and you have a directory under public_html called xyz which has files that can be accessed by the rest of the internet, you can configure a virtual server to make only xyz the website documents sub-directory via Virtualmin → Web Configuration → Website Options.

I have no idea if Moodle will work normally if you change the website documents sub-directory from public_html to public, but doing so will keep everyone out of everything except public.

Yup. Virtualmin lets you do that.

About the extra layer of protection, I don’t know.

Yes, I’ve already seen that option in Virtualmin, and I understand the approach.

However, my difficulty is that it also requires changes to the code, and at the moment I’m not sure how to modify the code correctly to work with that setup.

So the issue is not the Virtualmin configuration itself, but rather how to adapt the application/code to use that directory structure properly, and I’m afraid of making mistakes.

That’s why I’m trying to understand the best way to proceed before applying the changes.

Thank you again for your patience and help.

Don’t mess with the app’s defaults if you truly do not understand all of the ramifications. The public you refer to is probably equivalent to public_html. No need to nest a second. The program will then install the other stuff out of there depending on your configuration. That simply means it can’t be directly accessed by URL and must go through the public-facing web site in public_html.

The docs are pretty clear. You may be overthinking this?

Create an empty directory to hold Moodle files. It must not be in the area served by the web server and must have permissions so that the web server user can write to it. Other than that, it can be located anywhere. Typically, either make it owned by the web server user or give the web server write permissions to it. If it is on a shared/NFS drive, then read Caching - Moodle caches to this disk area by default, and a slow share will mean terrible performance.
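The documentation passage quoted above requires the data directory to sit outside the area served by the web server. The following is an added example, not part of the thread or of Moodle or Virtualmin; the function names are hypothetical. It checks that requirement on resolved paths and lists symlinks under the document root that would lead back into the data directory.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# Resolve a directory to its physical path, following symlinks.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Return 0 if data dir $2 is outside document root $1, 1 if it is the
# document root or below it, 2 if either directory cannot be resolved.
data_dir_outside_docroot() {
    local docroot datadir
    docroot=$(resolve_dir "$1") || return 2
    datadir=$(resolve_dir "$2") || return 2
    # Trailing slash stops /x/public_data from matching docroot /x/public.
    case "$datadir/" in
        "$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print symlinks under document root $1 that resolve into data dir $2.
# If the web server follows symlinks, each one re-exposes the data dir.
links_into_datadir() {
    local docroot datadir link target
    docroot=$(resolve_dir "$1") || return 2
    datadir=$(resolve_dir "$2") || return 2
    find "$docroot" -type l | while IFS= read -r link; do
        target=$(resolve_dir "$link") || continue   # not a directory link
        case "$target/" in
            "$datadir"/*) printf '%s\n' "$link" ;;
        esac
    done
}

# Usage: script.sh <document-root> <data-dir>
if [ "$#" -eq 2 ]; then
    data_dir_outside_docroot "$1" "$2"
    case $? in
        0) echo "OK: data directory is outside the document root" ;;
        1) echo "FAIL: data directory is inside the document root" ;;
        *) echo "ERROR: cannot resolve one of the directories" ;;
    esac
    links_into_datadir "$1" "$2"
fi
```
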

Since I’m a beginner, I find it difficult to follow all the different suggestions and approaches being discussed here, as they vary quite a lot. For now, I’ve decided to stop here and take some time to better understand the basics.

I sincerely thank everyone for their availability, patience, and help.

The ONLY thing you need to study is this document. (Without reading it since I’m not going to spend the time on something that isn’t my project I will say public and public_html are probably the same thing and this is your basic misunderstanding.)
https://docs.moodle.org/501/en/Installing_Moodle

+1 on @ID10T's suggestion.
Unless someone else chimes in with detailed instructions about Moodle,
the best thing is to spend time studying the Moodle docs and adjusting to Virtualmin.

Unless you are offering for someone to invest time and experience to create a solution for you in Virtualmin, then I would suggest starting a separate topic for that.

You can make any structure you want in /etc/skel. And you can make any configuration changes to any of the services Virtualmin manages you want in Server Templates (including custom directives in the VirtualHost).

I don’t understand what any of this has to do with subdomains (a subdomain is just a name and has no special meaning in Virtualmin). If you mean Sub-servers…why not also top-level Virtual Servers, too? Do Moodle apps in the top-level domain not need this public directory? Seems like you’re conflating concepts here.

Regardless, pretty much anything you can do in a Virtual Server, you can do in a Sub-Server, including adding extra directories or extra directives for your web server.
