
I bought a 2nd domain and I'm trying to set up a 2nd and separate site on the same ubuntu server.

How do I set up the folders and config files to allow my sites to have separate source files which can't access each other?

My apache2 conf file:

/etc/apache2/apache2.conf:
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups On
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel notice
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/public>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

My ports conf file:

/etc/apache2/ports.conf:
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

My conf file for site 1 (currently working with SSL):

/etc/apache2/sites-enabled/site1.com.conf:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName site1.com
        DocumentRoot /var/www/public
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/site1.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/site1.com/privkey.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    </VirtualHost>
</IfModule>

My conf for site 2 (I want to set it up as HTTP for now, I'll set up SSL after confirming that it's working):

/etc/apache2/sites-enabled/site2.com.conf:
<VirtualHost *:80>
    ServerName site2.com
    ServerAlias www.site2.com
    DocumentRoot /var/www/site2
</VirtualHost>

I put the 2nd site's config file in /etc/apache2/sites-available and ran a2ensite site2.com.conf, and then ran systemctl reload apache2.

How do I set it up so that each site only has access to its own directory?

If I remove these lines from apache2.conf:

<Directory /var/www/public>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Then loading site1.com shows Error 403 Forbidden, even though site1.com.conf has this line:

DocumentRoot /var/www/public

I thought of putting a Directory tag in site1.com.conf, but there is already one:

<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

How do I set it up so that both sites can be accessed on their own domain, while neither site can be accessed from a subdirectory of the other?

EDIT:

My question is really about the relationship between these 3 things:

  1. apache2.conf's "Directory"
  2. site 1's "DocumentRoot"
  3. site 2's "DocumentRoot"

And how I should set up my directory structure.

Currently they are set like this:

  1. /var/www/public
  2. /var/www/public
  3. /var/www/site2

Right now if I go to site 2 it says 403 forbidden, because site 2's DocumentRoot is outside the main config file's Directory folder. And I don't want to set site 2's DocumentRoot to /var/www/public/site2, because then that will be inside site 1's directory.

So is it necessary to use this configuration?:

  1. /var/www/public
  2. /var/www/public/site1
  3. /var/www/public/site2

And what's the difference between that and something like this:

  1. /var/www
  2. /var/www/site1
  3. /var/www/site2

If there are server-only files in /var/www, can site 1 or site 2 ever access them insecurely (client browsing to them)?

My question is about how exactly to set up the directory structure, and I don't understand the difference between apache2.conf's "Directory" and sites-enabled conf's "DocumentRoot".

  • I don't think they have access to each other's files, as long as you don't create symbolic links and tell Apache to follow them. – Gerard H. Pille Apr 23 '20 at 18:31
  • It looks like your configuration is already correct. If you think it's not correct, can you show us an example of something that works that shouldn't? – Moshe Katz Apr 23 '20 at 19:05
  • @MosheKatz I edited it to show my issue, I'm just confused about how to set up the directory structure – Apr 23 '20 at 20:28

1 Answer

Here's a little tour of the Apache configuration to start:

<Directory /some/path/to/somewhere>

<Directory ...> is an XML-style tag that starts a section of the configuration. It ends with </Directory>. In between those two tags, everything applies to the directory shown in the opening tag. Apache calls these "sections".

In your example, you have a few <Directory> sections:

  • <Directory /> - This section covers absolutely everything in your filesystem unless overridden in a more specific tag. The most important item here is Require all denied. This prevents Apache from accessing everything on your hard drive.

  • <Directory /var/www/public> - This section covers the directory in which you have your site. The important line here is Require all granted which allows Apache to access the files in that directory.


DocumentRoot /some/path/to/somewhere

DocumentRoot tells Apache where the files for the website are located. Usually you will have it inside a <VirtualHost> section, since that is where you want to define your website's settings.

In your example, you have a few DocumentRoot directives:

  • DocumentRoot /var/www/public - this is inside the <VirtualHost> for your site1.com. That means that when a user goes to site1.com, Apache should look for content in /var/www/public.

  • DocumentRoot /var/www/site2 - this is inside the <VirtualHost> for your site2.com. That means that when a user goes to site2.com, Apache should look for content in /var/www/site2.


It is important to remember these points:

  1. There is no requirement that <Directory> sections be related to <VirtualHost> sections, and <Directory> has absolutely nothing to do with DocumentRoot.
  2. The DocumentRoot is the top level of a website. A user who goes to site1.com will only be able to see files in /var/www/public and a user who goes to site2.com will only see files in /var/www/site2 (unless you have some kind of security issue in software that you are hosting, but that's a different discussion). Neither site will be able to see files in /var/www since that path is "above" the DocumentRoot - that's what "Root" means.

However, even though there is no connection between DocumentRoot and Directory, the fact is that you still need a <Directory> section for each of your sites. (You could also use a single one for all sites, but for now we'll keep it simple and more secure.) The reason for this is the <Directory /> section mentioned above which blocks access to everywhere by default and forces you to explicitly grant access to other directories.


Now that we've explained the relationship between these two configuration items, let's see what you need for your setup:

You have two sites, site1.com and site2.com. You currently have them in /var/www/public and /var/www/site2 respectively, as set by the DocumentRoot directive in each <VirtualHost>.

Therefore, in order to permit access to those directories, you also should have two <Directory> sections, one for each site. For your purposes, both of their contents can be identical to the current <Directory /var/www/public> section that you already have:

<Directory /var/www/public>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/site2>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Separate from those, you need the DocumentRoot directives as you originally wrote them.


Personally, I would also rename /var/www/public to /var/www/site1 to match the site name. It's much easier to manage if you keep all names the same.

Moshe Katz
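The answer's two rules (DocumentRoot only maps the URL onto the filesystem; the most specific matching <Directory> section decides access, and <Directory /> denies everything that no other section grants) can be exercised with a small model. The following script is an added illustration, not part of the original answer and not Apache's own code; it models only path-based <Directory> sections with Require all granted/denied, ignores .htaccess, <Location>, regex sections, symlink checks and whether the file exists, and the hostnames and paths are the ones from the question. It reproduces the asker's two 403 symptoms and shows that a "../" in a request for site2 still stays under /var/www/site2.

```python
"""Model of how Apache's DocumentRoot and <Directory> sections interact.

Added illustration (constructed, not Apache's code). It models only
path-based <Directory> sections carrying Require all granted/denied.
"""
import posixpath
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class DirectorySection:
    """One <Directory PATH> ... </Directory> block with its Require directive."""
    path: str
    require: str  # "all granted" or "all denied"


@dataclass(frozen=True)
class VirtualHost:
    """One <VirtualHost> with its ServerName and DocumentRoot."""
    server_name: str
    document_root: str


def map_url_to_file(vhost: VirtualHost, url_path: str) -> str:
    """Translate a request path to a filesystem path, as DocumentRoot does.

    Apache normalises the URL path (collapsing "." and "..") before appending
    it to DocumentRoot, so a request cannot step above the DocumentRoot by
    itself. Symlinks are a separate mechanism (Options FollowSymLinks).
    """
    normalised = posixpath.normpath("/" + url_path.lstrip("/"))
    root = vhost.document_root.rstrip("/")
    return root if normalised == "/" else root + normalised


def _covers(section_path: str, file_path: str) -> bool:
    """True when file_path is at or below section_path (component boundary)."""
    base = section_path.rstrip("/")
    return file_path == base or file_path.startswith(base + "/")


def effective_require(sections: Iterable[DirectorySection], file_path: str) -> str:
    """Pick the Require that applies to file_path.

    Apache merges matching <Directory> sections from the shortest path to the
    longest, so the most specific section has the last word. With no matching
    section at all, nothing grants access and the request is denied.
    """
    best: Optional[DirectorySection] = None
    for section in sections:
        if _covers(section.path, file_path):
            if best is None or len(section.path.rstrip("/")) > len(best.path.rstrip("/")):
                best = section
    return best.require if best else "all denied"


def serve(vhost: VirtualHost, sections: Iterable[DirectorySection],
          url_path: str) -> Tuple[str, int]:
    """Return (filesystem path, HTTP status) for a request, assuming the file exists."""
    file_path = map_url_to_file(vhost, url_path)
    status = 200 if effective_require(sections, file_path) == "all granted" else 403
    return file_path, status


# --- Constructed scenarios using the hostnames and paths from the question ---
SITE1 = VirtualHost("site1.com", "/var/www/public")
SITE2 = VirtualHost("site2.com", "/var/www/site2")

DENY_ALL = DirectorySection("/", "all denied")
# apache2.conf as posted: only /var/www/public is granted
ORIGINAL = [DENY_ALL, DirectorySection("/var/www/public", "all granted")]
# the answer's fix: one granting section per DocumentRoot
FIXED = ORIGINAL + [DirectorySection("/var/www/site2", "all granted")]


def demo() -> dict:
    """Run the scenarios from the question and return their outcomes."""
    return {
        "site1, original conf": serve(SITE1, ORIGINAL, "/index.html"),
        "site2, original conf": serve(SITE2, ORIGINAL, "/index.html"),  # 403: only <Directory /> matches
        "site2, fixed conf": serve(SITE2, FIXED, "/index.html"),
        "site2, '..' in request": serve(SITE2, FIXED, "/../public/secret.txt"),  # stays under site2's root
        "site1, section removed": serve(SITE1, [DENY_ALL], "/index.html"),  # the asker's 403
        "server-only file in /var/www": ("/var/www/keys.txt", effective_require(FIXED, "/var/www/keys.txt")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30} -> {result}")
```

The last scenario is the one the asker worried about: a file placed directly in /var/www is covered only by <Directory />, so neither site can serve it, and it is also above both DocumentRoots, so no URL maps onto it in the first place.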