Directory inside or outside VirtualHosts?
A <Directory> inside of a <VirtualHost> will only apply to files within that directory when they are accessed via that VHost. <Directory> outside of a <VirtualHost> will always apply (unless overridden in the <VirtualHost> or elsewhere, of course).
From a security standpoint, you can argue both sides: additional levels of access (AllowOverride all, f.ex.) are probably wiser to configure inside a <VirtualHost>, since an unforeseen interaction between the scripts on another VHost might allow you to launch an XSS attack. Restrictions on access (Deny from all, Allow from 127.0.0.1) make more sense outside of a <VirtualHost>, in case there's a backdoor via something like a top-level Alias or ScriptAlias. And then you get into the really complicated possibilities: where does an AllowOverride all that powers an access restriction in an .htaccess go, since one might have a VHost which has its scripting engine disabled for performance or security reasons, but which then exposes a file with sensitive information typically protected by .htaccess?
At the end of the day, where to place the <Directory> ends up being a combination of three things, in increasing order of importance:
- Policy—if the company always puts <Directory> inside <VirtualHost>, it's almost certainly incorrect to rock the boat.
- Legibility—if you have six hundred VHosts, all of which need the same <Directory> stanza, it's probably worth breaking with policy.
- Security—If there's a clear security benefit to one approach or the other, then that is the de facto right choice, policy and legibility be damned (though you'd be well-advised to document why and how you broke with policy, and to take measures like using Include to maximize legibility).
Pablo
You can find my blog at https://pupeno.com where I publish about coding and other stuff.
Updated on September 18, 2022
Pablo over 1 year
Is there a difference between putting Directory tags inside or outside VirtualHosts? I found a configuration file that has several VirtualHosts all with the same Directory tag inside, and the same outside; so I'm thinking of getting rid of this duplication but I don't totally understand the semantics involved.
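An added example, not part of the original question or answer: a small Python check for the duplication described here, listing every <Directory> block that appears both server-wide and inside a <VirtualHost> and saying whether the VHost copy is identical or different. It is a line-based sketch that assumes one directive per line and does not expand Include files; the sample configuration, paths and host names are constructed.

```python
import re

# Constructed sample config; paths and host names are placeholders.
SAMPLE = '''
<Directory "/srv/www/shared">
    Deny from all
    Allow from 127.0.0.1
</Directory>
<VirtualHost *:80>
    ServerName a.example.com
    <Directory "/srv/www/shared">
        Deny from all
        Allow from 127.0.0.1
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example.com
    <Directory "/srv/www/shared">
        AllowOverride All
    </Directory>
</VirtualHost>
'''

def directory_blocks(conf):
    """Return [(scope, path, directives)]; scope is 'global' or the VHost's ServerName."""
    blocks, vhost, current = [], None, None
    for line in (l.strip() for l in conf.splitlines()):
        low = line.lower()
        if low.startswith("<virtualhost"):
            vhost = line                      # stands in until ServerName is seen
        elif low == "</virtualhost>":
            vhost = None
        elif m := re.match(r'<directory\s+"?([^">]+)"?\s*>', line, re.I):
            current = (vhost or "global", m.group(1).strip(), [])
        elif low == "</directory>":
            blocks.append(current[:2] + (tuple(current[2]),))
            current = None
        elif current and line and not line.startswith("#"):
            current[2].append(" ".join(low.split()))   # normalised for comparison
        elif vhost and low.startswith("servername "):
            vhost = line.split()[1]
    return blocks

def review(conf):
    """Compare each VHost <Directory> with the server-wide block for the same path."""
    blocks = directory_blocks(conf)
    server_wide = {p: d for s, p, d in blocks if s == "global"}
    return [("duplicate" if d == server_wide[p] else "differs", s, p)
            for s, p, d in blocks if s != "global" and p in server_wide]
```

A "duplicate" result is a candidate for removal from the VHost; a "differs" result is merged on top of the server-wide block for requests through that VHost only, so it needs a review before anything is consolidated.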