How visible is my /var/www to the outside world?

To directly answer your questions - you can either keep such files somewhere else or you can configure Apache to deny access to them - denying access to *.bak is relatively simple.

Apache will, unless configured not to do so (as mentioned by MH above), generate and display a directory listing for any directory that does not contain an index file - defined by the DirectoryIndex directive, but typically index.html, index.htm, index.php, and similar.

On a more general note:

You may want to consider using a revision control system such as SVN or git (or even RCS) to keep old versions AND a change history of your web pages (including the ability to see what changed and when and, more importantly, the ability to revert to a previous version).

Both git and svn need a repository set up somewhere else. RCS is fairly primitive and basic but doesn't require any setup; it keeps the revision history in either the same directory or in a ./RCS subdirectory if one exists. One minor annoyance with RCS is that when you check in a file, it changes the permissions to read-only, so you have to check it out again before you can edit it again (or use ci -l to check in a file and immediately check it out).

IMO git is probably overkill for this job, SVN is close to ideal in terms of complexity vs capability for managing the revision history of a set of hand-edited HTML pages, and RCS is archaic but still useful. With RCS you can only edit files directly within /var/www which means the changes are "live" as soon as you save the file. With svn or git you can check out a local copy in, e.g., your home directory on your desktop machine, edit the files, check-in the changes, and then check-out the updates into /var/www on the server when it's finished. You can also check-out the changes to a staging server first for testing, before checking them out on the production server.

You can then deny access to the .svn/, .git/, RCS/, etc. subdirectories with Apache - e.g. see https://stackoverflow.com/questions/398008/deny-access-to-svn-folders-on-apache

Of course, using revision control effectively will take a little discipline. You'll have to get into the habit of checking in your changes whenever you make them - it's worth the effort.


If you specify Options -Indexes for the Directory in question, then Apache will not generate a directory listing. However, if someone guesses the filename they could still access it if the operating system allows the web server to access the file.


If you have directory listing enabled then that file is certainly visible. Even if directory listing is not enabled, it isn't recommended to save a file that you don't want someone to see in /var/www because it is made for public documents.
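The answers above name three things to look for under /var/www: directories with no index file, backup files such as *.bak, and revision-control directories. The following audit script is an added example, not code from any of the answers. The index names, backup patterns (including RCS `,v` files) and the sample tree built in `demo()` are assumptions to adjust to your own setup.

```python
import fnmatch
import os
import tempfile

# Assumed defaults; match these to your own DirectoryIndex and backup habits.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
BACKUP_PATTERNS = ["*.bak", "*~", "*,v"]  # "*,v" = RCS history kept beside the file
VCS_DIRS = {".svn", ".git", "RCS"}


def audit_docroot(docroot):
    """Return sorted (kind, relative_path) findings for a document root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        # Revision-control metadata: report it once and do not descend into it.
        for name in sorted(dirnames):
            if name in VCS_DIRS:
                findings.append(("vcs-dir", os.path.normpath(os.path.join(rel, name))))
        dirnames[:] = [d for d in dirnames if d not in VCS_DIRS]
        # No index file: Apache generates a listing here unless Options -Indexes is set.
        if not INDEX_NAMES.intersection(filenames):
            findings.append(("no-index", rel))
        # Backup files are served to anyone who guesses the name, listing or not.
        for name in filenames:
            if any(fnmatch.fnmatch(name, pat) for pat in BACKUP_PATTERNS):
                findings.append(("backup-file", os.path.normpath(os.path.join(rel, name))))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("img", ".git", os.path.join("docs", "RCS")):
            os.makedirs(os.path.join(root, d))
        for f in ("index.html", "index.html.bak", os.path.join("docs", "index.htm"),
                  os.path.join("img", "logo.png"), os.path.join(".git", "config")):
            open(os.path.join(root, f), "w").close()
        return audit_docroot(root)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:12} {path}")
```

Each finding maps to a fix already described on this page: move the file out of /var/www, deny it in the Apache configuration, or set Options -Indexes for the directory.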