How visible is the /var/www to the outside world

apache-2.2, http

I suppose this is more of a house keeping question, but here it goes.

If I create a backup file of my index.html called index.html.bak, is it possible that someone from the outside using http on my apache2 server is able to list the contents of my /var/www directory? I currently know no method of doing this, but this could be due to my lack of experience in this area. Should I store files that need not be in view somewhere else?

Currently, the only feasible way I can think that someone might discover the file is if there was an explicit link somewhere pointing to the file. How visible is my web directory?

Best Answer

To directly answer your questions - you can either keep such files somewhere else or you can configure apache to deny access to them - denying access to *.bak is relatively simple.

Apache will, unless configured not to do so (as mentioned by MH above), generate and display a directory listing for any directory that does not contain an index file - defined by the DirectoryIndex directive, but typically index.html, index.htm, index.php, and similar.

On a more general note:

You may want to consider using a revision control system such as SVN or git (or even RCS) to keep old versions AND a change history of your web pages (including the ability to see what changed and when and, more importantly, the ability to revert to a previous version)

Both git and svn need a repository set up somewhere else. RCS is fairly primitive and basic but doesn't require any setup; it keeps the revision history in either the same directory or in a ./RCS subdirectory if one exists. One minor annoyance with RCS is that when you check in a file, it changes the permissions to read-only, so you have to check it out again before you can edit it again (or use ci -l to check in a file and immediately check it out).

IMO git is probably overkill for this job, SVN is close to ideal in terms of complexity vs capability for managing the revision history of a set of hand-edited HTML pages, and RCS is archaic but still useful. With RCS you can only edit files directly within /var/www, which means the changes are "live" as soon as you save the file. With svn or git you can check out a local copy in, e.g., your home directory on your desktop machine, edit the files, check in the changes, and then check out the updates into /var/www on the server when it's finished. You can also check out the changes to a staging server first for testing, before checking them out on the production server.

You can then deny access to the .svn/, .git/, RCS/ etc subdirectories with apache - e.g. see https://stackoverflow.com/questions/398008/deny-access-to-svn-folders-on-apache

Of course, using revision control effectively will take a little discipline. You'll have to get into the habit of checking in your changes whenever you make them - it's worth the effort.
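The answer above describes three separate controls: turning off the automatic directory listing, denying requests for *.bak and similar leftovers, and denying the .svn/, .git/ and RCS/ metadata directories. The configuration below is an added example that is not part of the original answer; it assumes Apache 2.2 (as tagged) with a DocumentRoot of /var/www, and lives in the virtual-host config or, where AllowOverride permits, in /var/www/.htaccess. The 2.4 equivalents are noted in comments. The pattern list (.bak, .orig, .old, .save, .swp and the trailing ~) goes beyond the single index.html.bak in the question to cover the usual editor and backup leftovers.

```apache
# Added example, not from the original answer. Assumes Apache 2.2 and
# DocumentRoot /var/www. Apache comments must start at the beginning
# of a line; a "#" after a directive on the same line is a syntax error.

<Directory /var/www>
    # Without "Indexes", a directory that has no DirectoryIndex file
    # (index.html, index.php, ...) returns 403 instead of a listing.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    # Apache 2.4: replace the Order/Allow pair with "Require all granted"
</Directory>

# Backup and editor leftovers saved next to the live pages, e.g.
# index.html.bak, index.html.orig, index.html~, .index.html.swp
<FilesMatch "(\.(bak|orig|old|save|swp)|~)$">
    Order allow,deny
    Deny from all
    # Apache 2.4: "Require all denied"
</FilesMatch>

# Revision-control metadata when a working copy is checked out into
# /var/www: RCS/ holds the full history in ,v files, and .svn/ and .git/
# hold every prior revision of every file in the tree.
<DirectoryMatch "/(\.svn|\.git|RCS|CVS)(/|$)">
    Order allow,deny
    Deny from all
    # Apache 2.4: "Require all denied"
</DirectoryMatch>
```

After reloading Apache, check each control from the outside rather than trusting the config: `curl -sI http://example.com/index.html.bak` and `curl -sI http://example.com/.git/config` should both return 403, and `curl -sI http://example.com/somedir/` (a directory with no index file) should return 403 rather than a 200 with an HTML listing. Two caveats a practitioner should keep in mind. First, the listing is not the only way a file gets found: scanners routinely request names like index.html.bak, index.html~ and .git/config directly, so the FilesMatch and DirectoryMatch blocks matter even when indexes are already off. Second, a Deny still answers 403 rather than 404, which confirms to a requester that the file exists; if that is a concern, the answer's first option, keeping such files outside /var/www altogether, is the better one.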