Apache server configuration name resolution (virtual host naming + security)
- by Homunculus Reticulli
I have just setup a minimal (hopefully secure? - comments welcome) apache website using the following configuration file:
<VirtualHost *:80>
ServerName foobar.com
ServerAlias www.foobar.com
ServerAdmin [email protected]
DocumentRoot /path/to/websites/foobar/web
DirectoryIndex index.php
# CustomLog with format nickname
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "|/usr/bin/cronolog /var/log/apache2/%Y%m.foobar.access.log" common
LogLevel notice
ErrorLog "|/usr/bin/cronolog /var/log/apache2/%Y%m.foobar.errors.log"
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
<Directory /path/to/websites/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
I am able to access the website by using www.foobar.com, however when I type foobar.com, I get the error 'Server not found' - why is this?
My second question concerns the security implications of the directive:
<Directory /path/to/websites/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
in the configuration above. What exactly is it doing, and is it necessary?. From my (admitedly limited) understanding of Apache configuration files, this means that anyone will be able to access (write to?) the /path/to/websites/ folder. Is my understanding correct? - and if yes, how is this not a security risk?