Protect all Apache files behind a login with PHP, mod_rewrite and X-Sendfile


I'm building a web app with the Vue/Quasar frameworks. The web app is dynamically populated with JSON coming from AJAX requests, depending on the user's actions.

The GUI created with Vue is obviously public (and it's served from another machine that isn't the focus of this question), and everything else (static files and PHP scripts that serve JSON to the client from the DB) is private and reserved only for those that have a valid PHP session.

So the objective of this Apache is, in the first place, to manage the POST requests of the users trying to log in and open a PHP session for them. But mostly to resend all the GET requests to a single PHP script (front controller?) that first of all will check whether the user has a correct session active. If everything is correct, serve the static file / call the necessary script.

To achieve that, I have thought of placing only the front controller in the public www folder, and putting the rest of the scripts in a private folder that would only be accessible by PHP, and redirecting all the GET requests to the front controller script with the Apache rewrite engine.

Also, from what I have read, it seems that once you have found the file/data, it's better to use the X-Sendfile header so as not to have to serve the file from PHP and adjust the headers manually when Apache is there for that.

Then, my question is: Is that rationale correct? Maybe I'm not pressing the correct keys, but I can't find extended information about that. I mean, you can find documentation about X-Sendfile headers, about the PHP front controller scheme and about the rewrite engine, but it's difficult for me to find a single article doing this very thing with all these tools working together. Which leads me to question whether I'm doing something idiotic. Is this the way to do it? Is there something wrong in the rationale? Are there better alternatives?

Thanks for your time,

Héctor
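The scheme described in the question, narrowed to the static-file case, as an added example that is not part of the original post: a front controller that checks the session, confines the requested path to the private folder, and hands the transfer to Apache through mod_xsendfile. The path `/srv/app/private/static`, the session key `user_id`, the function name `resolve_private_file` and the Apache directives shown in the comment are assumptions; `mime_content_type()` needs the fileinfo extension.

```php
<?php
// Added example, not from the post. Assumed Apache config (mod_rewrite + mod_xsendfile):
//   RewriteEngine On
//   RewriteCond %{REQUEST_METHOD} =GET
//   RewriteRule ^ index.php [L]
//   XSendFile On
//   XSendFilePath /srv/app/private/static
declare(strict_types=1);

const PRIVATE_ROOT = '/srv/app/private/static'; // hypothetical, outside the document root

// Map the request URI to a file under $root, or null if it is missing or escapes $root.
function resolve_private_file(string $requestUri, string $root): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $path = rawurldecode($path);
    if (strpos($path, "\0") !== false) {
        return null;                       // null bytes never belong in a file name
    }
    $rootReal = realpath($root);
    $real = realpath($root . '/' . ltrim($path, '/'));   // resolves ../ and symlinks
    if ($rootReal === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

session_start();
if (empty($_SESSION['user_id'])) {         // hypothetical key set by the login script
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'authentication required']);
    exit;
}

$file = resolve_private_file($_SERVER['REQUEST_URI'] ?? '/', PRIVATE_ROOT);
if ($file === null) {
    http_response_code(404);
    exit;
}

header('Cache-Control: private, no-store');   // keep shared caches from storing it
header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
header('X-Sendfile: ' . $file);               // Apache streams the file; PHP sends no body
```

The `realpath()` containment check and `XSendFilePath` overlap on purpose: the first stops `../` and symlink escapes in PHP, the second makes Apache refuse any `X-Sendfile` path outside the private folder even if the script is wrong.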
