Custom Log File with Correct Permissions

I have a processing file for my website's payments. It works just fine, but what I would like to do is log all the requests to this page so that if anything throws an error, the raw data is saved and I can process the transaction manually. The processing file uses fopen to write to the log file in another directory.

What I have right now is a separate folder on my root directory with permissions 755. Then a log file inside with permissions 777. The processing file that writes to the log file, in PHP if that matters, is set to 777.

This works right now, b开发者_如何学运维ut the log file is publicly available. I know I can be doing this better and that the permissions aren't correct. How can I do this better?

Put the log file outside the document root. The PHP script that writes to it will still be able to get to it (via the full path) but Apache won't be able to serve it.

I came across this whilst searching the answer for myself. I don't believe there is a simple "permissions fix" to do what you want and perhaps the safest way is to put the log files outside of public_html directory.

However this can be a nuisance sometimes - especially if you are wanting to e.g. catch paypal ipn dump text in a log file, but not have it publicly accessible.

In such cases, you can use .htaccess file directives to allow write from script, but deny reading from public access.

For example, this works for me (Apache .htaccess in root public_html folder);

 <FilesMatch "mycustom\.log">
   Order allow,deny
   Deny from all
 </FilesMatch>

and if you have multiple logs you want to protect, use it like this, with "Pipe Separated";

 <FilesMatch "mycustom\.log|ipn_errors\.log">
   Order allow,deny
   Deny from all
 </FilesMatch>

It is worth noting that the above directives are deprecated as of apache 2.4 and you may wish to consider using more current directives instead: https://httpd.apache.org/docs/2.4/howto/access.html

Hope that helps you!