Relative security of various apache setups

Chris G cl at isbd.net
Wed Jan 2 11:28:16 UTC 2008


I run apache on my home Fedora 7 system and have my ADSL router set up
to allow access from the internet.

It all works OK at the moment, I have the DocumentRoot set to be
publically accessible and have a couple of sub-directories with
restricted access for pages that I don't want to be visible to
the outside world.

These restricted areas are set up as follows:-

    <Directory /var/www/html/maxine>
        AllowOverride None
        Order Deny,Allow
        Deny from all
        Allow from 192.168.1 193.128.168.194
        AuthType Basic
        AuthName "ISBD Home Server"
        AuthUserFile /etc/httpd/conf/passwd
        Require valid-user
        Satisfy Any
    </Directory>


However I was wondering if other arrangements would be any more secure
and/or easier to maintain.  These are not hugely important documents
or anything, just stuff I'd rather keep private like appointments and
other bits and pieces of personal information.

One obvious thing would be to reverse the logic and make the
DocumentRoot have restricted access (as above) and then explicitly
allow public access to one directory.  I suspect this would be less
prone to inadvertently allowing access to unintended places due to
symbolic links etc.  Are there any downsides to this approach (apart
from requiring a slightly longer URL for anything with public access)?


Another approach would be to use virtual domains (I can use
sub-domains of a domain I own for this, my home machine is already
accessed this way).  Apart from the convenience of dedicated domains
for the public and less-public areas does this offer any improvement
(or otherwise) in security?


Are there any other approaches possible?

-- 
Chris Green




More information about the users mailing list