Just to be clear – the public_files_dir and files_dir are two different directories. The files_dir must be placed outside the web root, or protected from direct access. The public_files_dir, on the other hand, should be placed inside the web root.
The public_files_dir is used for banner images, public CSS, and other elements that need to be accessible directly via the web server. It doesn’t make sense to move it outside web root. If you want to harden the installation, you can configure your web server to limit the types of files that can be accessed there e.g. to .css, .jpg, and .gif (off the top of my head).
OJS provides safety for third-party content uploaded into the public_files_directory by limiting file types (and extensions) that can be uploaded there.
Regards,
Alec Smecher
Public Knowledge Project Team
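
An added example, not part of the original post or of OJS itself: a Python check that reads `files_dir` and `public_files_dir` from the `[files]` section of an OJS `config.inc.php` and reports where the installation departs from the layout described above. It assumes relative paths resolve against the OJS install directory; the allowlist is the post's illustrative `.css`, `.jpg`, `.gif`, and `SAMPLE_CONFIG` is constructed.

```python
import configparser
from pathlib import Path

# Extensions taken from the post's off-the-cuff list; extend for your site.
ALLOWED = {".css", ".jpg", ".gif"}

# Constructed sample of the relevant config.inc.php section.
SAMPLE_CONFIG = """\
; <?php exit(); // DO NOT DELETE ?>
[files]
files_dir = files
public_files_dir = public
"""

def read_dirs(config_text, install_dir):
    """Return (files_dir, public_files_dir) as absolute, resolved paths."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";", "#"))
    cp.read_string(config_text)

    def resolve(key):
        raw = Path(cp["files"][key].strip().strip('"'))
        # Assumption: relative values are relative to the OJS install directory.
        return (raw if raw.is_absolute() else Path(install_dir) / raw).resolve()

    return resolve("files_dir"), resolve("public_files_dir")

def inside(path, root):
    """True when path is root itself or lies below it."""
    return root == path or root in path.parents

def audit(config_text, install_dir, web_root):
    """List findings that contradict the layout described in the post."""
    root = Path(web_root).resolve()
    files_dir, public_dir = read_dirs(config_text, install_dir)
    findings = []
    if inside(files_dir, root):
        findings.append(f"files_dir {files_dir} is inside the web root; "
                        "move it out or block direct access")
    if not inside(public_dir, root):
        findings.append(f"public_files_dir {public_dir} is outside the web root")
    for f in sorted(public_dir.rglob("*")):
        if f.is_file() and f.suffix.lower() not in ALLOWED:
            findings.append(f"unexpected type in public_files_dir: "
                            f"{f.relative_to(public_dir)}")
    return findings
```

A `files_dir` finding is only a prompt to verify: the directory may still be acceptable inside the web root if the web server denies direct access to it.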