Security of Apache DocumentRoot

I have a general question about security of Apache DocumentRoot, which comes from a statement I read when installing Galaxy, a bioinformatic web service and infrastructure. The statement says

"Please note that Galaxy should never be located on disk inside Apache's DocumentRoot.
By default, this would expose all of Galaxy (including datasets) to anyone on the web."

This paragraph is copied from https://wiki.galaxyproject.org/Admin/Config/ApacheProxy

So the question is: what's the difference between putting some contents in DocumentRoot vs putting them in a sub-directory of DocumentRoot? Even if the contents are put in a sub-directory, by default, would it also be true that all the contents will be exposed to anyone on the web?

If I put the contents in DocumentRoot of an SSL server, and only allow authenticated and authorized users to access, would this resolve the world-wide access issue?

Update: Thank you all for your thoughtful answers. I think I had all my questions answered. To summarize:

  1. A sub-directory in DocumentRoot will be accessible to everyone unless it has different permissions set.

  2. SSL only protects the packets transferred over the network, not the permissions of the files.

  3. Authentication/authorization will limit who can access DocumentRoot.

  4. Unix/Linux file permissions won't affect the access as all files must be accessible by the web server owner.


A subdirectory of the DocumentRoot is still considered within the DocumentRoot.

When some software packages advise against placing part of the package inside DocumentRoot, the intent is that it should be actually outside of the DocumentRoot.

So, for instance, if your DocumentRoot is /var/www/example.com/html you might want to put those files somewhere else entirely, like say /var/www/example.com/restricted

And no, SSL does not solve, nor even address, the concern regarding having sensitive configuration files inside the doc root!


To add to Joe Sniderman's answer, putting files outside the document root makes them inaccessible to a user entering the URL in their browser, but still available to scripts running in the document root.

For instance, you create a report that anonymizes and aggregates user login data. You put the script in your document root as /var/www/example.com/html/report.php so others can see how popular your site is.

Your report must consume the raw user data, so it references a file /var/www/example.com/restricted/login.log as the source. This file is not in the document root and is therefore not accessible except through report.php, which anonymizes the data anyway. You wouldn't want the raw data to be public so you keep that sensitive data away from the document root.


Anything under DocumentRoot is considered part of the website, and will duly be delivered by Apache if you know the path.

BUT....

It's very easy to protect a folder. Just make a rewrite rule around it, or access control, or whatever.

But it's even better to put your various scripts somewhere else. The other answers have lines like this:

/var/www/example.com/restricted

But that is not outside DocumentRoot. This is outside:

/var/www/example.com-scripts/

or:

/var/admin-code/example.com/

or really anywhere else in the filesystem. All you need is software that expects its code to live elsewhere, and a config setting where you tell it where the folder is.

As mentioned, SSL does nothing for you, other than ensure that hacker #2 cannot eavesdrop on hacker #1 reading your database passwords.


The citation

"Please note that Galaxy should never be located on disk inside Apache's DocumentRoot. By default, this would expose all of Galaxy (including datasets) to anyone on the web."

applies to a PARTICULAR SOFTWARE and how it expects the setup to be done!

According to the above, the default Galaxy configuration may imply that all the files underneath ("inside") the DocumentRoot are accessible.

This is why you are supposed to move the files not to be accessed out of there.

This assumption may not be true in other installations or a non-standard installation of Galaxy. In particular, Directory instructions may open or close parts of the filesystem, Location instructions may open or close parts of the URI tree, Alias instructions may map a filesystem subtree onto a URI, and filesystem-level permissions as well as mandatory access control (via SELinux or another system) may allow or grant access to parts of the filesystem to the webserver process.

An example for "moving outside of the DocumentRoot":

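As an added example (not part of the question or any of the answers above), the following audit sketch checks whether a filesystem path is mapped into URL space by a `DocumentRoot` or `Alias` directive, which is the distinction the answers draw. The sample vhost, the `stats` and `app/data` paths and the function names are constructed for illustration; the check models only path mapping, not `Directory`/`Location` access rules, included config files or OS-level permissions.

```python
import os
import shlex

# Constructed sample vhost, reusing the example.com paths from the answers above.
SAMPLE_CONF = """
<VirtualHost *:443>
    DocumentRoot "/var/www/example.com/html"
    # An Alias maps a directory outside DocumentRoot back into URL space
    Alias /stats /var/www/example.com/stats
</VirtualHost>
"""

def served_roots(conf_text):
    """Collect directories that DocumentRoot and Alias map into URL space."""
    roots = []
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if not tokens:
            continue
        name = tokens[0].lower()  # Apache directive names are case-insensitive
        if name == "documentroot" and len(tokens) >= 2:
            roots.append(os.path.realpath(tokens[1]))
        elif name == "alias" and len(tokens) >= 3:
            roots.append(os.path.realpath(tokens[2]))
    return roots

def exposing_root(path, roots):
    """Return the served root that contains path, or None if no root contains it."""
    real = os.path.realpath(path)  # resolves symlinks and ".." components
    for root in roots:
        # commonpath compares whole components, so "html-old" is not inside "html"
        if os.path.commonpath([real, root]) == root:
            return root
    return None

if __name__ == "__main__":
    roots = served_roots(SAMPLE_CONF)
    for candidate in (
        "/var/www/example.com/html/app/data",                 # sub-directory of DocumentRoot
        "/var/www/example.com/restricted/login.log",          # sibling of DocumentRoot
        "/var/www/example.com/stats/raw.csv",                 # outside DocumentRoot, but aliased
        "/var/www/example.com/html/../restricted/login.log",  # ".." resolves to outside
    ):
        hit = exposing_root(candidate, roots)
        print(candidate, "->", f"served via {hit}" if hit else "not mapped")
```

A path reported as "not mapped" can still be read by scripts running under the web server, as the `report.php` answer describes; the check only says whether Apache would map a URL onto it directly.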