Directory inside or outside VirtualHosts?

Is there a difference between putting Directory tags inside or outside VirtualHosts? I found a configuration file that has several VirtualHosts all with the same Directory tag inside, and the same outside; so I'm thinking of getting rid of this duplication but I don't totally understand the semantics involved.


Solution 1:

A <Directory> inside of a <VirtualHost> will only apply to files within that directory when they are accessed via that VHost. <Directory> outside of a <VirtualHost> will always apply (unless overridden in the <VirtualHost> or elsewhere, of course).

From a security standpoint, you can argue both sides: additional levels of access (AllowOverride all, f.ex.) are probably wiser to configure inside a <VirtualHost>, since an unforeseen interaction between the scripts on another VHost might allow you to launch an XSS attack. Restrictions on access (Deny from all, Allow from 127.0.0.1) make more sense outside of a <VirtualHost>, in case there's a backdoor via something like a top-level Alias or ScriptAlias. And then you get into the really complicated possibilities: where does an AllowOverride all that powers an access restriction in an .htaccess go, since one might have a VHost which has its scripting engine disabled for performance or security reasons, but which then exposes a file with sensitive information typically protected by .htaccess?

At the end of the day, where to place the <Directory> ends up being a combination of three things, in increasing order of importance:

  1. Policy—if the company always puts <Directory> inside <VirtualHost>, it's almost certainly incorrect to rock the boat.
  2. Legibility—if you have six hundred VHosts, all of which need the same <Directory> stanza, it's probably worth breaking with policy.
  3. Security—If there's a clear security benefit to one approach or the other, then that is the de facto right choice, policy and legibility be damned (though you'd be well-advised to document why and how you broke with policy, and to take measures like using Include to maximize legibility).
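An added configuration example (not from the answer above) showing the two placements side by side: a restrictive <Directory> outside every <VirtualHost> that all hosts inherit, and a looser one inside a single <VirtualHost> that applies only there. It uses Apache 2.4 syntax (Require in place of Allow/Deny); the paths, ServerNames and the included file name are assumed.

```apache
# Global stanzas: apply to every VirtualHost on this server.
# Deny the whole filesystem by default, so a stray Alias/ScriptAlias in some
# VHost cannot expose paths outside the document roots.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Every VHost serving from /srv/www gets the same baseline:
# no directory listings, no CGI, no .htaccess processing.
<Directory /srv/www>
    Options -Indexes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName app.example.com          # assumed hostname
    DocumentRoot /srv/www/app           # assumed path
    # Relaxed only for this VHost: .htaccess may carry auth and method limits.
    # Everything not set here is still merged in from the global /srv/www stanza.
    <Directory /srv/www/app>
        AllowOverride AuthConfig Limit
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName static.example.com       # assumed hostname
    DocumentRoot /srv/www/static        # assumed path
    # No <Directory> here: inherits AllowOverride None from /srv/www, so an
    # .htaccess dropped into this tree is ignored.
</VirtualHost>

# The answer's Include suggestion: keep a shared <Directory> stanza in one file
# and pull it in rather than pasting it into hundreds of VHosts.
# IncludeOptional skips the file silently if it is absent (assumed file name).
IncludeOptional conf.d/shared-directory.conf
```

Check the merged result per host with `apachectl -t -D DUMP_VHOSTS` for the VHost list and `apachectl -t` for syntax before reloading.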