I am in the process of migrating to a new web server and I would like to have a clean and safe file architecture for Apache and my web application.
The server will serve one single PHP/MySQL application. This application receives files from FTP and web services and generates log files.
The server OS is CentOS 5.4.
The default Apache document root is /var/www/html.

Should I put my web application directory under:

- /var/www/html/myWebApp ?
- /www/myWebApp ?
- /home/www/myWebApp ?
- Somewhere else?

Should the application directory be owned by the root user, the apache user or another user?
Thanks for your help.
Assuming you have SELinux enabled, not all of those options will work due to SELinux denying access to non-standard folders by the httpd process.
IIRC, the preferred method for manually adding web applications on CentOS (e.g. a mediawiki install) is to install them to /var/www/<myappname> and create an Alias in the /etc/httpd/conf/httpd.conf file that points to your app (I usually pattern mine to be similar to the existing alias for the /var/www/icons folder).

Typical file ownership for anything under /var/www on CentOS is root.
It's really up to you. I would personally opt for CentOS's default DocumentRoot in /var/www/html/myWebApp as it maintains a clean, extensible and obvious structure for future maintainers etc.

You can own the application files yourself, however they should be readable (but not owned - unless the application has to overwrite/edit them) by the user and group that apache is configured to run as. This is usually nobody:nobody - and that user should be unprivileged (i.e. only able to read the files in your document root, nothing more). More info here.

edit: For SVN checkout, you can leave the files owned by the SVN user (SVN or root I assume - as long as it's different from the user apache is running as) and permissions should be 644 (-rw-r--r--) - I believe this is what SVN will use by default; if not, chmod the directory in the post-commit hook.

...and to determine if you have an SELinux issue, try disabling it and retesting. If that works, gather the logs and modify the HTTPD policy (possibly just enabling httpd_disable_trans). Or use Ophidian's method :)

(this should be a comment for Ophidian but it won't fit in the space allowed for a comment so I am posting it as a reply)
You can do it under SELinux by chcon'ing the dirs/files you want to use with the appropriate contexts/type.

To find out the correct context, the easiest method is to examine an already correctly labelled dir. E.g.

[root@somehost ~]# ls -ldZ /var/www/html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html

Then set the correct SELinux type on your new content dir. E.g. if you want to use /home/myapp as your doc root:

chcon -t httpd_sys_content_t /home/myapp

chcon only persists until the next filesystem relabel. Don't forget to use semanage fcontext if you do this, so that the new contexts will persist through filesystem relabels!

semanage fcontext -at httpd_sys_content_t /home/myapp
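An added audit script, not taken from any of the answers above, that checks a web application directory against both pieces of advice on this page: the files should be readable by, but not owned by, the user Apache runs as (644 for files, 755 for directories), and the directory should carry the httpd_sys_content_t SELinux type. It assumes the Apache user is named apache (CentOS's default) and that GNU find, awk and ls are present; when that user does not exist or ls -Z reports no context, the corresponding check is skipped.

```shell
#!/bin/sh
# Audit a web application tree (example script, not from the original posts).
# Assumption: the Apache service user is "apache"; override with the 2nd argument.

# Extract the SELinux type (third colon-separated field of the context) from one
# line of "ls -ldZ" output such as
#   drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www/html
selinux_type_of_line() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+/) { split($i, c, ":"); print c[3]; exit } }'
}

# Pattern that semanage fcontext expects to cover a directory and everything under it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Print ownership/permission problems under $1; returns 1 if any were found, else 0.
audit_perms() {
    dir=$1; apache_user=${2:-apache}
    owned=""
    if id "$apache_user" >/dev/null 2>&1; then
        # Apache should only be able to read the files, never own them.
        owned=$(find "$dir" -user "$apache_user" -print | sed "s/^/owned by $apache_user: /")
    fi
    files=$(find "$dir" -type f ! -perm 644 -print | sed 's/^/file not 644: /')
    dirs=$(find "$dir" -type d ! -perm 755 -print | sed 's/^/dir not 755: /')
    report=$(printf '%s\n%s\n%s\n' "$owned" "$files" "$dirs" | sed '/^$/d')
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Check the SELinux type of directory $1; returns 1 if it is not httpd_sys_content_t.
audit_selinux_type() {
    line=$(ls -ldZ "$1" 2>/dev/null) || { echo "ls -Z unavailable, skipping"; return 0; }
    t=$(selinux_type_of_line "$line")
    [ -z "$t" ] && { echo "no SELinux context reported, skipping"; return 0; }
    [ "$t" = httpd_sys_content_t ] && return 0
    echo "wrong SELinux type '$t' on $1; fix with: chcon -t httpd_sys_content_t $1"
    echo "persist with: semanage fcontext -a -t httpd_sys_content_t '$(fcontext_pattern "$1")'"
    return 1
}

# Usage: audit_perms /var/www/html/myWebApp && audit_selinux_type /var/www/html/myWebApp
```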