Where is "var/www/html" / Apache hardening


I'm running Apache 2.4.18 on Ubuntu 16.04.03 LTS. I'm trying to further secure my web server; however, my problem is that I can't find "var/www/html" in my conf. file, only "var/www/>".

Is "/html" deprecated in newer Apache versions, or am I doing something wrong? I want to prevent clickjacking, XSS, and enable secure cookies primarily.

Following this guide from a couple years ago: https://www.maketecheasier.com/securing-apache-ubuntu-2/

If relevant, WordPress is my web frontend.


3 Replies

Stuck with the same issue. Following

I am currently running Apache 2.4.27 on Fedora 27. The "/var/www/html" section is located in the config file under "/etc/httpd/conf/httpd.conf". For Debian-based distros the config file should be located at "/etc/apache2/apache2.conf". I extracted the apache2.deb file, and after checking the config file there is no "" section. You can add that section if you like. I have posted the section from my Apache config that you can add to your "/etc/apache2/apache2.conf":

    <Directory "/var/www/html">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        Options Indexes FollowSymLinks

        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        AllowOverride None

        # Controls who can get stuff from this server.
        Require all granted
    </Directory>

On Ubuntu 16 the correct default location for HTML content is indeed /var/www/html.

    [email protected]:/etc/apache2# rgrep '\/var\/www'
    sites-available/000-default.conf:    DocumentRoot /var/www/html
    sites-available/default-ssl.conf:        DocumentRoot /var/www/html
    apache2.conf:# not allow access to the root filesystem outside of /usr/share and /var/www.
    apache2.conf:<Directory /var/www/>
    apache2.conf:</Directory>

If the above command does not produce a similar result, you are using either a heavily modified or an outdated Apache configuration.
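
For the three goals named in the question (clickjacking, XSS, secure cookies), here is an added example that is not taken from the thread or from the linked guide. It applies them on the Ubuntu layout shown in the `rgrep` output above. The file name, the header values and the `AllowOverride FileInfo` choice are assumptions, as is a site served only over HTTPS with `mod_headers` enabled.

```apache
# Hypothetical file: /etc/apache2/conf-available/hardening.conf (name is an assumption)
# Enable and check before reloading:
#   a2enmod headers && a2enconf hardening
#   apache2ctl configtest && systemctl reload apache2

# apache2.conf on Ubuntu only carries <Directory /var/www/>, which also covers
# /var/www/html. A more specific block overrides it for the DocumentRoot subtree.
<Directory /var/www/html>
    # Weak setting seen in stock configs:
    #   Options Indexes FollowSymLinks
    # "Indexes" lists directory contents whenever no index file exists.
    Options -Indexes +FollowSymLinks

    # Assumption: WordPress permalinks are handled by rewrite rules in .htaccess,
    # which requires the FileInfo override. Use "AllowOverride None" if the
    # rewrite rules live in the vhost instead.
    AllowOverride FileInfo

    Require all granted
</Directory>

<IfModule mod_headers.c>
    # Clickjacking: only allow framing by pages from the same origin.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers from guessing a content type different from the declared one.
    Header always set X-Content-Type-Options "nosniff"

    # Legacy XSS filter switch; only older browsers act on it. A tuned
    # Content-Security-Policy is the stronger control but is site-specific.
    Header always set X-XSS-Protection "1; mode=block"

    # Add HttpOnly and Secure to every cookie the application sets.
    # No "always" here: cookies set by PHP are in the default (onsuccess) table.
    # Secure cookies are never sent over plain HTTP, so the site must be HTTPS-only.
    Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
</IfModule>
```

After reloading, `curl -sI https://your-site.example/` (placeholder host) should list the three `X-` headers, and any `Set-Cookie` line should end in `; HttpOnly; Secure`.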

