diff --git a/conf/apache2/heroku.conf b/conf/apache2/heroku.conf
index e5674375f..f6410edac 100644
--- a/conf/apache2/heroku.conf
+++ b/conf/apache2/heroku.conf
@@ -1,46 +1,62 @@
+# define a short-hand to our fcgi proxy, for convenience
# Define heroku-fcgi fcgi://127.0.0.1:4999
-Define heroku-fcgi unix:/tmp/heroku.fcgi.${PORT}.sock|fcgi://localhost
+Define heroku-fcgi unix:/tmp/heroku.fcgi.${PORT}.sock|fcgi://heroku-fcgi
+
+# make sure the proxy is registered with the unix socket; we can then use just "fcgi://heroku-fcgi" in rewrites
+# we have to do this because we can't rewrite to a UDS location; Apache will complain that no handler is loaded
+# this is also a lot more convenient for users
+# http://thread.gmane.org/gmane.comp.apache.devel/52892
+
+ # we must declare a parameter in here or it'll not register the proxy ahead of time
+ ProxySet disablereuse=off
+
Listen ${PORT}
ErrorLog /tmp/heroku.apache2_error.${PORT}.log
- CustomLog /tmp/heroku.apache2_access.${PORT}.log combined
-
+ CustomLog /tmp/heroku.apache2_access.${PORT}.log combined
+
+
+ # lock it down fully by default
+ # if it's also the docroot, it'll be opened up again further below
+ Require all denied
+
+ # explicitly deny these again, merged with the docroot later
+ Require all denied
+
+
+ # handle these separately; who knows where they are and whether they're accessible
+
+ Require all denied
+
+
+ Require all denied
+
+
DocumentRoot ${DOCUMENT_ROOT}
- #
- # Possible values for the Options directive are "None", "All",
- # or any combination of:
- # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
- #
- # Note that "MultiViews" must be named *explicitly* --- "Options All"
- # doesn't give it to you.
- #
- # The Options directive is both complicated and important. Please see
- # http://httpd.apache.org/docs/2.4/mod/core.html#options
- # for more information.
- #
- Options Indexes FollowSymLinks
-
- #
- # AllowOverride controls what directives may be placed in .htaccess files.
- # It can be "All", "None", or any combination of the keywords:
- # AllowOverride FileInfo AuthConfig Limit
- #
+ Options FollowSymLinks
+
+ # allow .htaccess to do everything
AllowOverride All
- #
- # Controls who can get stuff from this server.
- #
+ # no limits
Require all granted
-
- # ProxyPassMatch ^/(.*\.php(/.*)?)$ ${heroku-fcgi}${DOCUMENT_ROOT}/$1 # for TCP sockets
- ProxyPassMatch ^/(.*\.php(/.*)?)$ ${heroku-fcgi}${DOCUMENT_ROOT}
+ # default rewrite to send all .php requests to FastCGI
+ # ProxyPass has a boatload of issues with access control, DirectoryIndex et cetera, so we're not using it
+ RewriteEngine On
+ RewriteOptions InheritBefore
+ RewriteCond %{REQUEST_FILENAME} -f
+ RewriteRule ^(.*\.php(/.*)?)$ fcgi://heroku-fcgi${DOCUMENT_ROOT}/$1 [L,P]
+
Include ${HEROKU_PHP_HTTPD_CONFIG_INCLUDE}
+ # ProxyPassMatch ^/(.*\.php(/.*)?)$ ${heroku-fcgi}${DOCUMENT_ROOT}/$1 # for TCP sockets
+ # ProxyPassMatch ^/(.*\.php(/.*)?)$ ${heroku-fcgi}${DOCUMENT_ROOT}
+
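Review bot: The `RewriteCond %{REQUEST_FILENAME} -f` in front of the new FastCGI `RewriteRule` only confirms that Apache resolved the request to some existing file, not that the file is the `.php` script. The pattern `^(.*\.php(/.*)?)$` can also match when the `.php` suffix appears only in the trailing path-info part. If the rule runs in per-directory context (inferred from `RewriteOptions InheritBefore` and `AllowOverride All`, since the enclosing container lines are not visible in this hunk), a request whose resolved file is not PHP could still be proxied to the FPM backend. That would leave the PHP-side settings `security.limit_extensions` and `cgi.fix_pathinfo` as the only barrier. Adding a second condition before the rule, such as `RewriteCond %{REQUEST_FILENAME} \.php$`, would keep that decision in Apache.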