Security – Apache: security difference between folder in web root and alias

apache-2.2, Security

When serving a site with Apache, there are two ways that I know of placing some content at "servername/foo":

  1. Place it in the web root under a folder called 'foo'
  2. Create an alias

As an example of #2, XAMPP has these statements in a config file:

Alias /phpmyadmin "C:/xampp/phpMyAdmin/"

<Directory "C:/xampp/phpMyAdmin">
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>

…Which means "if the server is localhost, and somebody visits localhost/phpmyadmin, show them the contents of C:/xampp/phpMyAdmin, given the following permissions."

In this example, given that phpMyAdmin is accessible from the same URL, does it matter from a security perspective whether it's in the web root folder or just aliased to look as though it were?

Best Answer

For "regular" (static) apache and if you narrow the example down to a tight 1:1 scenario: No, it does not matter. Hypothetically if you mix and mash and lose track of what permissions are inherited where, you could maybe expose something you didn't mean to.

I think most importantly it does make it easier for a distinct code branch to be owned (and possibly therefore written to) by a separate user from the one you use for your webserver and document root. This is needed for reliable packaging, and reliable packaging is a core part of long term security.

Also keep in mind that apache modules can be pretty dang flexible. So while the core apache stuff won't behave any differently, third party authentication modules or even php settings like open_basedir and include_path can vary behavior.
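An added configuration sketch illustrating the answer's point about where permissions are inherited (example config written for this page, not from the question, the answer or XAMPP; the htdocs path, the Options values and the deny-all root block are assumptions):

```apache
# Apache 2.2 example (added here, not from the original thread).
# The htdocs path and the Options settings are assumed for illustration.

DocumentRoot "C:/xampp/htdocs"

# Lock the whole filesystem down first; every served path must then be
# opened explicitly, so nothing is exposed by accident.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Option 1: content lives inside the web root, e.g. C:/xampp/htdocs/foo.
# Everything granted in this block is inherited by every subfolder, so a
# change here (say, adding +Indexes) silently applies to foo as well.
<Directory "C:/xampp/htdocs">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Option 2: content lives outside the web root and is mapped with Alias.
# Directory sections match on the filesystem path, not the URL, so this
# folder inherits nothing from the htdocs block, only from <Directory />.
# Without its own block below, /phpmyadmin would be refused (403).
# That is the "inherited where" trap, and also the upside: the folder can
# be owned by a different OS user than htdocs with its own settings.
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    Options None
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
```

Run `httpd -S` (or `apachectl -S`) after editing to confirm the Alias and DocumentRoot mappings Apache actually loaded.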
