I've been reading up on server/apache security and I've run into a contradiction. I read that you shouldn't serve any files that aren't inside Apache's scope, but I've been told that you should keep files outside Apache's scope.

My current setup is:

Apache's scope: public_html/front. In the front folder I keep html, css, and javascript files. I also have a folder public_html/back, outside Apache's scope, which houses my PHP, database, and website backend files. All website directories and files have an owner/group of www-data. I'm running this all on FreeBSD.

Should I have website files outside of Apache? Any other server security tips are appreciated.


Solution 1:

If you want the files served by Apache, they should be accessible by Apache.

However, you should not let Apache have write access to any files for which it is not required.

If you have an upload directory, you can make Apache able to write in that directory, but it must not be able to write in your PHP files, css and such.

Solution 2:

Your setup is perfectly acceptable and I'd say it's even recommended.

Your DocumentRoot should ideally point only at files that need to be served to end users. Scripts and other assets that are used by your client-facing scripts can sit in a different directory (e.g. public_html/back as you have it). For example, your configuration files, database connectivity classes, etc. would sit in the non-public folders.

If you put everything under DocumentRoot, then you would have to secure those files so they don't get served to end users (for example, by blocking their download using .htaccess or using PHP to kill the request when those files are loaded directly).

One note I would have is that the name "public_html" suggests public facing files. In our company we have the DocumentRoot point to public_html (or equivalent) and the "back" files under a totally different directory so as to avoid confusion.
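The two answers together describe one scheme: keep DocumentRoot pointed at the static/front directory, keep PHP and configuration outside it, and give Apache read access everywhere but write access only where it must have it. The script below is an added example that builds that layout in a scratch directory and applies those permissions; it is not code from the question or either answer. The paths, the `example.test` hostname, the `uploads` directory, the `root:www-data` ownership (only applied when run as root, since `chown` needs it) and the Apache 2.4 `Require` syntax are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: front/back layout with least-privilege modes for Apache.
# Assumed: owner is root (or a deploy user), Apache runs in group $WEB_GROUP.
set -eu

SITE="${SITE:-$(mktemp -d)}"          # scratch root; point at the real site dir in production
WEB_GROUP="${WEB_GROUP:-www-data}"    # assumed Apache group; often "www" on FreeBSD

# Build the layout: front/ is DocumentRoot, back/ holds PHP and config that
# Apache must be able to read but never serve or write. Contents are constructed.
layout_create() {
    mkdir -p "$SITE/front/css" "$SITE/front/uploads" "$SITE/back/config"
    printf '<html>hi</html>\n' > "$SITE/front/index.html"
    printf 'body{}\n' > "$SITE/front/css/site.css"
    # Front-controller reaches back/ via include, so back/ needs read, not serving.
    printf '<?php require __DIR__ . "/../back/app.php";\n' > "$SITE/front/index.php"
    printf '<?php return ["dsn" => "pgsql:host=localhost"];\n' > "$SITE/back/config/db.php"
    printf '<?php $cfg = require __DIR__ . "/config/db.php";\n' > "$SITE/back/app.php"
}

# Owner writes, Apache's group only reads; the upload dir is the one exception.
layout_harden() {
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$WEB_GROUP" "$SITE"   # skipped when not root (assumed ownership)
    fi
    find "$SITE" -type d -exec chmod 750 {} +   # traverse/list for group, nothing for others
    find "$SITE" -type f -exec chmod 640 {} +   # read-only for group: PHP, CSS, config
    chmod 770 "$SITE/front/uploads"             # the only place Apache may create files
}

# Audit: print every path whose group-write bit is set, except the upload dir.
# Empty output means Apache cannot modify its own code or your static assets.
layout_writable_by_apache() {
    find "$SITE" -path "$SITE/front/uploads" -prune -o -perm -020 -print
}

# Matching vhost: DocumentRoot is front/ only, so back/ is unreachable by URL
# with no .htaccess tricks needed. Uploads are writable, so refuse to serve
# anything there as PHP; a writable AND executable directory is the real risk.
vhost_config() {
    cat <<EOF
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot "$SITE/front"
    <Directory "$SITE/front">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "$SITE/front/uploads">
        <FilesMatch "\.(php|phtml|phar)$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
EOF
}

layout_create
layout_harden
echo "paths Apache could write outside uploads/ (expect none):"
layout_writable_by_apache
vhost_config
```

Run it as root with `SITE=/usr/local/www/example WEB_GROUP=www` to apply the real ownership; unprivileged it still exercises the modes and the audit against a temporary tree. The audit is the part worth keeping around: after any deploy, a non-empty result from `layout_writable_by_apache` means a compromised PHP process could rewrite your code.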