I suppose this is more of a housekeeping question, but here it goes.
If I create a backup file of my index.html called index.html.bak, is it possible that someone from the outside using http on my apache2 server is able to list the contents of my /var/www directory? I currently know no method of doing this, but this could be due to my lack of experience in this area. Should I store files that need not be in view somewhere else?
Currently, the only feasible way I can think that someone might discover the file is if there was an explicit link somewhere pointing to the file. How visible is my web directory?
If you specify Options -Indexes for the Directory in question, then Apache will not generate a directory listing. However, if someone guesses the filename they could still access it if the operating system allows the web server to access the file. To directly answer your questions - you can either keep such files somewhere else or you can configure apache to deny access to them - denying access to *.bak is relatively simple.
Apache will, unless configured not to do so (as mentioned by MH above), generate and display a directory listing for any directory that does not contain an index file - defined by the DirectoryIndex directive, but typically index.html, index.htm, index.php, and similar.
On a more general note:
You may want to consider using a revision control system such as SVN or git (or even RCS) to keep old versions AND a change history of your web pages (including the ability to see what changed and when and, more importantly, the ability to revert to a previous version).
Both git and svn need a repository set up somewhere else. RCS is fairly primitive and basic but doesn't require any setup; it keeps the revision history in either the same directory or in a ./RCS subdirectory if one exists. One minor annoyance with RCS is that when you check in a file, it changes the permissions to read-only, so you have to check it out again before you can edit it again (or use ci -l to check in a file and immediately check it out). IMO git is probably overkill for this job, SVN is close to ideal in terms of complexity vs capability for managing the revision history of a set of hand-edited HTML pages, and RCS is archaic but still useful. With RCS you can only edit files directly within /var/www, which means the changes are "live" as soon as you save the file. With svn or git you can check out a local copy in, e.g., your home directory on your desktop machine, edit the files, check in the changes, and then check out the updates into /var/www on the server when it's finished. You can also check out the changes to a staging server first for testing, before checking them out on the production server.
You can then deny access to the .svn/, .git/, RCS/ etc subdirectories with apache - e.g. see https://stackoverflow.com/questions/398008/deny-access-to-svn-folders-on-apache
Of course, using revision control effectively will take a little discipline. You'll have to get into the habit of checking in your changes whenever you make them - it's worth the effort.
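The two configuration measures mentioned in the answers above (turning off directory listings and denying access to *.bak files, and blocking the .svn/, .git/ and RCS/ subdirectories) combined into one Apache 2.4 fragment. This is an added example, not the configuration of any of the answerers; it assumes Apache 2.4 syntax (Require rather than Order/Deny), a DocumentRoot of /var/www, and goes slightly beyond the text by also denying the "~" suffix that many editors use for their own backup copies.

```apache
# Added example (not from the answers above). Assumes Apache 2.4 and
# DocumentRoot /var/www; adjust the paths for your own vhost.

<Directory "/var/www">
    # Never generate an automatic listing when no index file is present.
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Refuse to serve backup copies anywhere under the document root:
# index.html.bak, index.html~ and similar. Apache will answer 403 even
# though the file is world-readable on disk.
<FilesMatch "(\.bak|~)$">
    Require all denied
</FilesMatch>

# Refuse to serve revision-control metadata if you keep a working copy
# (or RCS history) inside /var/www.
<DirectoryMatch "/(\.svn|\.git|RCS)(/|$)">
    Require all denied
</DirectoryMatch>
```

After reloading, confirm the rules with apachectl configtest and a request for /index.html.bak, which should now return 403 rather than the file.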
If you have directory listing enabled then that file is certainly visible. Even if directory listing is not enabled, it isn't recommended to save a file that you don't want someone to see in /var/www because it is made for public documents.
I don't see any point in keeping the backup file in /var/www. Backups are made to quickly fix things when you screw them up. I'd suggest you make a new backup directory, in some core drive (inaccessible to the outer world), & store your backups there.