Security of Apache DocumentRoot

Tags: apache-2.2, documentroot, security

I have a general question about security of Apache DocumentRoot, which comes from a statement I read when installing Galaxy, a bioinformatic web service and infrastructure. The statement says

"Please note that Galaxy should never be located on disk inside Apache's DocumentRoot.
By default, this would expose all of Galaxy (including datasets) to anyone on the web."

This paragraph is copied from
https://wiki.galaxyproject.org/Admin/Config/ApacheProxy

So the question is what's the difference between putting some contents in DocumentRoot vs putting in a sub-directory of DocumentRoot? Even if the contents are put in a sub-directory, by default, would it also be true that all the contents will be exposed to anyone on the web?

If I put the contents in DocumentRoot of an SSL server, and only allow authenticated and authorized users to access, would this resolve the world-wide access issue?

Update: Thank you all for your thoughtful answers. I think I had all my questions answered. To summarize:

  1. A sub-directory in DocumentRoot will be accessible to everyone unless it has different permissions set.

  2. SSL only protects the packets transferred over the network, not the permissions of the files.

  3. Authentication/authorization will limit who can access DocumentRoot.

  4. Unix/Linux file permissions won't affect the access as all files must be accessible by the web server owner.

Best Answer

A subdirectory of the DocumentRoot is still considered within the DocumentRoot.

When some software packages advise against placing part of the package inside DocumentRoot, the intent is that it should be actually outside of the DocumentRoot.

So, for instance, if your DocumentRoot is /var/www/example.com/html you might want to put those files somewhere else entirely, like say /var/www/example.com/restricted

And no, SSL does not solve, nor even address, the concern regarding having sensitive configuration files inside the doc root!
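As an added illustration (not part of the question, the answer, or the Galaxy documentation), here is an Apache 2.2-style configuration that applies the answer's advice: the DocumentRoot is the one named above, the application tree lives entirely outside it and is reached only through a reverse proxy, and the separate /var/www/example.com/restricted directory is published only to authenticated users. The application path /srv/galaxy, the backend port 8080, and the htpasswd file location are assumptions for the example.

```apache
# Added example, not from the page. Everything under DocumentRoot is served
# by default (sub-directories included), so nothing sensitive is placed there.
DocumentRoot /var/www/example.com/html

# Default-deny the whole filesystem, then open only the public tree.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory /var/www/example.com/html>
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>

# Assumption: the application is installed at /srv/galaxy, outside the
# DocumentRoot, and listens on 127.0.0.1:8080. No URL maps to its files;
# only what the application itself chooses to serve passes through the proxy.
ProxyRequests Off
ProxyPass        /galaxy http://127.0.0.1:8080/galaxy
ProxyPassReverse /galaxy http://127.0.0.1:8080/galaxy

# The answer's second path, published under /restricted but only to
# authenticated users (AuthUserFile location is assumed).
Alias /restricted /var/www/example.com/restricted
<Directory /var/www/example.com/restricted>
    Options -Indexes
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/htpasswd.restricted
    Require valid-user
</Directory>
```

This needs mod_alias, mod_proxy, mod_proxy_http, mod_auth_basic and mod_authn_file loaded. The two mechanisms address different points from the summary: keeping the application outside DocumentRoot and behind a proxy means no file under it is addressable by URL at all, while the Alias plus Require valid-user limits who may read a directory that is deliberately published. Basic authentication sends credentials with every request, so this virtual host should be served over SSL, which protects the credentials in transit but, as the answer says, does nothing about which files are reachable.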