I run my Apache as user:group apache:apache and all of the files under /var/www are owned by apache:apache. rwx permissions are 000 for others; only the apache user and apache group members can access the directory structure.
I'm not running the same apps you are, but it should work since I have read/write access to the required files and directories while not allowing other users access to anything under /var/www.
Hope that helps - or at least starts some debate...
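
An added example, not part of the original post: a shell check that a web root matches the layout described above (one owner, one group, no permission bits for others). The function name `audit_webroot` and the OWNER/GROUP/OTHER labels are made up for this example.

```shell
#!/bin/sh
# Audit a web root: every entry must belong to the expected user and group,
# and nothing may carry read, write or execute bits for "others".
# Prints one "REASON<TAB>path" line per finding.
# Returns 0 if clean, 1 if there are findings, 2 on bad input.
audit_webroot() {
    dir=$1
    owner=$2    # user name or numeric uid
    group=$3    # group name or numeric gid
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        find "$dir" ! -user "$owner" -exec printf 'OWNER\t%s\n' {} +
        find "$dir" ! -group "$group" -exec printf 'GROUP\t%s\n' {} +
        # Symlinks always show rwx for everyone, so skip them here.
        find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'OTHER\t%s\n' {} +
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# When run as a script: ./audit.sh /var/www apache apache
if [ "$#" -eq 3 ]; then
    audit_webroot "$@"
fi
```

Run it as root (or as the apache user) so that `find` can descend into directories that are closed to others.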