Directory inside or outside VirtualHosts?

A <Directory> inside of a <VirtualHost> will only apply to files within that directory when they are accessed via that VHost. <Directory> outside of a <VirtualHost> will always apply (unless overridden in the <VirtualHost> or elsewhere, of course).

From a security standpoint, you can argue both sides: additional levels of access (AllowOverride all, for example) are probably wiser to configure inside a <VirtualHost>, since an unforeseen interaction between the scripts on another VHost might allow you to launch an XSS attack. Restrictions on access (Deny from all, Allow from 127.0.0.1) make more sense outside of a <VirtualHost>, in case there's a backdoor via something like a top-level Alias or ScriptAlias. And then you get into the really complicated possibilities: where does an AllowOverride all that powers an access restriction in an .htaccess go, since one might have a VHost which has its scripting engine disabled for performance or security reasons, but which then exposes a file with sensitive information typically protected by .htaccess?

At the end of the day, where to place the <Directory> ends up being a combination of three things, in increasing order of importance:

  1. Policy—if the company always puts <Directory> inside <VirtualHost>, it's almost certainly incorrect to rock the boat.
  2. Legibility—if you have six hundred VHosts, all of which need the same <Directory> stanza, it's probably worth breaking with policy.
  3. Security—if there's a clear security benefit to one approach or the other, then that is the de facto right choice, policy and legibility be damned (though you'd be well-advised to document why and how you broke with policy, and to take measures like using Include to maximize legibility).
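
The scoping described in the answer above, as an added example that is not part of the original answer. Paths and host names are constructed placeholders, and the access rules use Apache 2.4 `Require` syntax, the 2.4 counterpart of the answer's `Deny from all` / `Allow from 127.0.0.1`.

```apache
# Constructed example: every path and ServerName below is a placeholder.

# Server scope: default-deny for the whole filesystem, .htaccess ignored.
<Directory "/">
    Require all denied
    AllowOverride None
</Directory>

# A top-level Alias is inherited by every VirtualHost, so the tree it
# exposes is reachable through all of them.
Alias "/admin" "/srv/shared/admin"

# Server scope: the restriction follows the directory, whichever
# VirtualHost served the request, so the Alias cannot bypass it.
<Directory "/srv/shared/admin">
    Require ip 127.0.0.1
    AllowOverride None
</Directory>

<VirtualHost *:80>
    ServerName app.example.com
    DocumentRoot "/srv/www/app"

    # VirtualHost scope: the broader rights apply only to requests
    # handled by this host. Sections here are merged after the
    # server-scope ones, so they can loosen the defaults above.
    <Directory "/srv/www/app">
        Require all granted
        AllowOverride All
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName static.example.com
    DocumentRoot "/srv/www/static"

    # AllowOverride None means any .htaccess under this tree is ignored,
    # so rules protecting sensitive files must be written here, not in
    # an .htaccess file copied over from another host.
    <Directory "/srv/www/static">
        Require all granted
        AllowOverride None
    </Directory>
</VirtualHost>
```

Running `apachectl configtest` checks the syntax before a reload, and `apachectl -S` lists which VirtualHost answers for which name and port.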

Author by: Pablo

You can find my blog at https://pupeno.com where I publish about coding and other stuff.

Updated on September 18, 2022

Comments

  • Pablo over 1 year

    Is there a difference between putting Directory tags inside or outside VirtualHosts? I found a configuration file that has several VirtualHosts all with the same Directory tag inside, and the same outside; so I'm thinking of getting rid of this duplication but I don't totally understand the semantics involved.