Using /var/www vs. /srv vs. /home/user/public_html
 

Have to decide whether to use /var/www or /home/user/public_html to store website is my question. I have read conflicting information /home/user/public_html: 1) opens up more access to your system. 2) Creates a longer search time for files.
If I use /srv directory it is just linked to /var/www and if i upgrade Apache I don't have to worry about wiping out my sites?
Can you please give me the pros and cons regarding where to physically put web files for public access.
If I don't use /home/user/public_html then I only need a small /home partition since I will be the only one building web pages and have seperate desktop.
Also this slackware box has 2 160gb ata hdd so whether or not i use /var/www I should put it on its own partition for security precautions?

Finally can anyone tell me how to mount /tmp no dev instead of with default?
Thank you

Depends on how you define "more access". The apache user has to be able to read the files being served and, depending on what is being served, may need to have execute privileges as well on some files. If you give global access to files (chmod 777), then yeah, you've opened up your system to abuse. However, if you think about what is happening and set permissions appropriately, it should be manageable.
I can't imagine that this is really an issue on a modern system. One of the reasons to use /home/user/public_html is that you're using virtual hosts, in which case apache will already know where to look for things. It isn't randomly searching the disk looking for things to serve.

Upgrades the Apache should never touch the sites themselves. The working bits of Apache don't live where the served files are, so it isn't a danger. You may have to do some reconfiguration after an upgrade to make sure the upgraded Apache knows where everything is, but the served files themselves shouldn't be touched.

The short answer is that it probably doesn't matter all that much. If you don't use the standard locations, you just have to adjust your config files. No big deal. Probably a bigger concern is non-Apache related, which is where on your disk do you have sufficient space to host the files. Personally, I like to keep the files on a different partition from the system so that if I change distros, the web pages aren't touched.
Putting /var/www on its own partition really does nothing for security. However, it may give you the ability to change your system later without having to erase your web pages.
I've never done it, but I would think you would add the nodev option to /tmp in your /etc/fstab file.

Thank you Hangdog42 your detailed and helpful response.

I know i marked this thread as solved but maybe i can just get the answers to these basic questions?
I google and the first question did not generate much. I'm looking at Apache site but some of it is really hard to read if you find the topic answers

At the risk of sounding stupid I am going to ask anyway what is the difference between DocumentRoot and UsrRoot?
How does the function of DocumentRoot and UsrRoot affect the use of /var/www as opposed to /srv/www? I know this is really basic but I need to understand it.
If I am using /srv/www then it gets its' own partition, right?

Well, there is no such thing as a stupid question, and in this case I'm also going to risk it beacuse I've never even heard of UsrRoot and can't seem to find it in the Apache documentation. Could you provide a link to where you've read about it? DocumentRoot is the location of the files that will be served, and can be set at both the system and virtual levels.


You can set DocumentRoot to point to whatever directory you like. If you do this at the system level (httpd.conf), that is used as the system default. However, it can be overridden by setting up a virtual host with its own DocumentRoot. In that case, the virtual host DocumentRoot applies to that virtual host only.

That depends upon how your disk is partitioned and has nothing to do with Apache.

I guess he means UserDir instead of UsrRoot, which gives ability for any user on your system to host files on your apache by using their directory /home/userlogin/public_html. Files there can be accessed trough your webserver at: http://your.server/~userlogin

About the security measures you were worried about:

Allowing that public directory to be served by apache will depend on how you setup your apache and also about how you trust your users, bad people would be able to exploit your system with malicious scripts.

If apache is set up and secured properly, "malicous scripts" shouldn't be an issue. Do you have any specifics that you're thinking about?

Here is the link I was looking at:

http://wiki.apache.org/httpd/DistrosDefaultLayout So the question was supposed to be what is the difference between 'ServerRoot' and 'DocumentRoot"?

Seems I was up too long comparing distro layouts because I was trying to follow a centos virtual hosting tutorial; here:
http://www.xenocafe.com/tutorials/li...rver/index.php

What I meant by this question ; I want to create a separate partition for /www . Most of tutorials refer to having /var/www and I am asking if that is the equivalent to /srv/www?

FYI previous questions answered by Hangdog42 provided satisfactory clarity and instruction, just the use of /srv/www instead of /var/www since slackware has a ready /srv directory that's not reference in tutorials? Thanks and sorry for the mix up.

So you're clear now that ServerRoot is where the Apache program lives and DocumentRoot is where the pages live?
Just to be clear, the /srv/www and /var/www are merely common conventions, not hard and fast rules and there is no reason why you can't do things in a different way. In fact, if you look in /srv in Slackware, you'll see that http and www are softlinks pointing to /var/www and /var/http. Having your DocumentRoot on a separate partition is frequently a very good idea. In fact, I have my DocumentRoot pointing to /home/www because my /home is on a its own partition. The reality is that you can put your pages absolutely anywhere you would like them to be and then set DocumentRoot to point to that directory.

Understand now!
 

Yes Hangdog42 I did notice in slackware /srv has /srv/http and /srv/www this is why I wondered why tutorials weren't describing it's use? Understanding that /srv, /srv/http, /srv/www are softlinks(meaning just a link to /var/www and /var/http, gave rise to my questioning whether I could put web pages in a directory that was just a link to /var/www and /var/http. I understand now the Key is which I set as DocumentRoot in httpd.conf and ServerRoot is always ./usr because that is where all programs live in slackware.

So in a virtual hosting srv/www/www.slackez.net could be its' DocumentRoot and srv/www/www.udot.net wld be its DocumentRoot? Wouldn't I make httpd.conf DocumentRoot the same as Virtual Host's DocumentRoot?
Why would I make system DocumentRoot different than the virtual host's?

Another terminology distinction I am not clear on HTTP vs. WWW?
My 2wire gateway router's firewall settings for HTTPS Server provides as default port 443 and WWW Server default port is 80 (or the other way around)? In reading I understand port assignments in linux refer to 443 as secure and 80 as not using SSL, I understand this.

When I read HTTP to me is the equivalent of Apache server, while i understand http literally means hyper text protocol. Is there some other technical distinction I need to understand?

Once i get the web server working First priority is getting 'slackware for beginners forum' running. Do you use Dupral or lvm? Do you have mysql on the same box with your web server? lol Thanks Hangdog

Not quite. If you have the virtual domains www.slackez.net and www.udot.net, each of them could have their own DocumentRoot. For example, the files for slackez.net could live in /var/www/htdocs/slackez while the files for udot.net could live in /home/nightsky/httpfiles. For each of the virtual domains there would be a DocumentRoot statement pointing to the appropriate directory.

It all depends upon how you want to run your server. For example, if you have a number of users having their sites hosted from the same machine, you really don't want them being able to see or modify each others files. In this case each user could have their own virtual domain and the DocumentRoot for each would be different. Pretty much the whole idea behind virtual hosts is that it allows a single instance of Apache to serve up multiple sites, so you need to be able to have virtual hosts override the httpd.conf settings because those settings may not make sense for every site that instance of Apache is serving.
I think of HTTP as the language that browsers and servers speak and WWW simply as the great mass of websites out there. Your router is right in that the standard ports for HTTPS is 443 and for HTTP is 80. You certainly don't have to follow these standards, but if you do have Apache running on other ports, it can make it very difficult for people to find your site.

I think you probably need to make a bit more of a distinction between HTTP and Apache. There are actually many web servers out there besides Apache (like lighttpd or IIS) and the common denominator is that they all understand HTTP. Again, HTTP is the "language" that they speak.

I've messed with Dupral a little bit, but I've never looked at lvm. I've used Joomla quite a bit and like it. The site in my sig is running Joomla. I do have mysql on the same box, but it can't be accessed from outside of my LAN. Which of course brings up an important point if you're going to be running a server: Security.

Apache is pretty secure out of the box, but you might consider looking at something like mod_security to lock it down more. You also should think about detecting intrusions. I don't know if you want to go for a full-fledged IDS like Snort or a more simple system file monitor like Aide. The point is that if you have a web server attached to the internet, it WILL be attacked and people are looking for vulnerabilities in programs like Drupal or Joomla. Basically you want to be able to discover if an attack has happened and have a recovery plan in case you are cracked. You also want to have a process for keeping your server fully patched. Slackware makes that really pretty easy with slackpkg, but you do have to make sure you run it regularly and/or read the Slackware changelogs.

Great job posts Hangdog42, I certainly will not put any services online without appropriate permissions, iptables, limit of ip and port forwarding and other forms of security I've been reading about. Here is a link defining http & https:
http://www.biztechmagazine.com/article.asp?item_id=277
Here is a great basic video tut I really enjoyed "Set up a secure virtual host in Apache"
http://video.google.com/videoplay?do...29322494607612