asked on
Apache Document Root Architecture
If I am setting my machine up to run Apache 2.2 for both development and light production as an external facing web server, what is the best folder structure to establish? A Documentroot that has a folder with each project underneath it? Are there other considerations or configuration settings that I must consider for this setup?
Thanks,
Mike
Thanks,
Mike
Apache Web Server
Last Comment
Steve Bink
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
> .. it falls to Apache to keep isolation intact.
and the OS, and the DB, and other applications, and ... and ... and ...
theoretically you can secure apache and your application, and do you do that in practice, always, all day?
in theory, theory and praxis are identical, in praxis they're not
and the OS, and the DB, and other applications, and ... and ... and ...
theoretically you can secure apache and your application, and do you do that in practice, always, all day?
in theory, theory and praxis are identical, in praxis they're not
>>> and the OS, and the DB, and other applications, and ... and ... and ...
Too true. If an application allows file access into the document root, then separating those document roots implements a needed level of isolation.
Of course, if the application allows unrestricted file system access (e.g., user-provided targets for file(), file_get_contents(), etc., without whitelisting), having separate document roots does not really do anything. In that case, every document root would be accessible, limited only by file/directory permissions in the context of Apache's user. But, that is something to be addressed in the application logic.
And I guess there lies the advantage of multiple Apache installations - you can set your production environment to use a much more restricted user than your dev environment.
Too true. If an application allows file access into the document root, then separating those document roots implements a needed level of isolation.
Of course, if the application allows unrestricted file system access (e.g., user-provided targets for file(), file_get_contents(), etc., without whitelisting), having separate document roots does not really do anything. In that case, every document root would be accessible, limited only by file/directory permissions in the context of Apache's user. But, that is something to be addressed in the application logic.
And I guess there lies the advantage of multiple Apache installations - you can set your production environment to use a much more restricted user than your dev environment.
You do need to make sure you have separate document roots, at the very least. If your development application can be infiltrated, which is often the case before you have thoroughly vetted your code, it falls to Apache to keep isolation intact.