how to conf apache that files outside the web root are not served

Forum Moderators: phranque

Message Too Old, No Replies

how to conf apache that files outside the web root are not served

blades

4:58 pm on Apr 10, 2013 (gmt 0)

Hi to all,
I'm new to the community with some very little knowledge about Ubuntu and servers. At this time I am trying to setup my own dedicated server but I don't know too much about these things. Reading an article from a third party site I stopped over on some necessary configurations about Apache.
One is saying that Apache must be configured that files outside the web root will not served by adding this code:

<Directory />
   Order Deny,Allow
   Deny from all
   Options None
   AllowOverride None
  </Directory>
  <Directory /web>
   Order Allow,Deny
   Allow from all
  </Directory>

the question is in which file should I add this code?

thank you in advance for any replies.

lucy24

6:59 pm on Apr 10, 2013 (gmt 0)

the question is in which file should I add this code?

In the config file. Counter-question: What were the other possibilities?

If it's your own server, you won't need htaccess files, so you can leave AllowOverride at None. Anything directory-specific goes in <Directory> sections within the config file.

Minor exception: Depending on your site, you may want to permit Options. This includes some features like auto-indexing and SSIs that are easiest to keep track of if you enable them in the appropriate directory rather than fiddling with the config file-- especially if you need to change things on the fly.

Apache says-- I assume you've seen this already--

For security and performance reasons, do not set AllowOverride to anything other than None in your <Directory /> block. Instead, find (or create) the <Directory> block that refers to the directory where you're actually planning to place a .htaccess file.

Unfortunately ErrorDocument is part of the huge "FileInfo" category, even though it's another thing you'd often want to change on a directory-by-directory basis.

If you're just setting up the server, you might start out being fairly generous with your AllowOverrides, so you don't need to restart the server every time you realize you need one directory to behave differently. Once everything is stabilized, shut off the AllowOverrides and shift the htaccess rules to <Directory> sections within the config file. Anything that can go in htaccess can also go in <Directory>. (The opposite is not always true.)

blades

2:48 pm on Apr 13, 2013 (gmt 0)

In the config file. Counter-question: What were the other possibilities?

I'm sorry for the late response,
ok in the config file but in /etc/apache2/
there are 2 config files
a)apache2.conf
and
b)httpd.conf

I assume that the correct answer is the 'a' but confirm please

lucy24

8:30 pm on Apr 13, 2013 (gmt 0)

Urk. I, on the other hand, would have guessed httpd.conf because I've got piles of those* but no apache2.conf. But you need someone who speaks apache. (I don't. Most of the time I can fake it with a solid RegEx background. This is not most of the time.)

:: looking vaguely around for g1 or someone like him ::

fwiw, Apache [httpd.apache.org] says it's normally called httpd.conf ;) I know that you already know that; I'm putting in the link so the next passing reader knows I'm not making it up out of my head.

What's in your apache2.conf file? All of mine just have miscellaneous bits of stuff-- obviously not complete config files. Are they meant as include files? If so, I have no idea what they'd be included in.

* I do not fully understand why there are 158 items on my hard drive with the .conf extension. That would seem to be 157 more than I need. Four of them are called apache-something. But the "real" config file used by MAMP is called httpd.conf

blades

5:46 pm on Apr 17, 2013 (gmt 0)

you are right,content should be added in the httpd.conf file