2

I am working on a project where http://www.mywebsite.com/index.html is in /var/www/public, which is the document root (according to /etc/apache2/sites-available/000-default.conf). I have JavaScript files in /var/www/js that I would like to reference in my /var/www/public/index.html file. Here is what I've tried so far:

<script src="/js/js_file.js"></script>
-
<script src="js/js_file.js"></script>
-
<script src="../js/js_file.js"></script>
-
<script src="../../js/js_file.js"></script>

None of these work.

How do I reference JavaScript files outside of the document root directory?

aCarella
  • 1
    You could do it in the same way that a hacker would arbitrarily access your filesystem if this was possible. – spender Oct 20 '15 at 00:14
  • 2
    Allowing client access to files outside of your document root is a significant security risk - which is why webserver software prevents it by default. – adelphus Oct 20 '15 at 00:15
  • I guess it begs another question, which seems like a misconception on my part, then @adelphus. Should you put files outside of your document root? I thought placing them there would create more security for these files. Is that wrong? – aCarella Oct 20 '15 at 00:18
  • Where have you heard it's better security-wise to do that? It still gets sent to the browser regardless. – Daemedeor Oct 20 '15 at 00:20
  • 1
    This is just an assumption based off of certain things I read, as well as looking at articles with directory structures for Laravel. It seems that at least database credentials are placed outside of the document root in good practice, and I didn't think it was bad to do @Daemedeor. – aCarella Oct 20 '15 at 00:23
  • @Daemedeor that is an oversimplification of the idea (IMO). A common use case for putting files outside the doc root might be raw templates which are only output to the browser after processing. Such templates often contain comments and stuff that you wouldn't want an outsider to see, but in their post-processed form, those things are no longer present. – Dan Lowe Oct 20 '15 at 00:23
  • 1
    @aCarella yeah, but we're talking about JS, not PHP. – Daemedeor Oct 20 '15 at 00:24
  • 1
    The idea of placing files outside docroot is sound; it's just that it's something useful for running the server-side code, not the client-side code. – Dan Lowe Oct 20 '15 at 00:24
  • @DanLowe oh that kinda... makes sense.... in some ways but not in the case discussed here for js – Daemedeor Oct 20 '15 at 00:24
  • 1
    Files outside of the document root cannot be accessed directly by clients - that's where the security lies. But if you need them to be accessed by clients, then you are removing that security. You can configure Apache to do this, but it's easier just to place client-accessible files within the document root. – adelphus Oct 20 '15 at 00:25
  • That's actually good to know, @DanLowe and adelphus. I'm trying to learn AngularJS, and figured that I would place my js outside of the document root because I assumed that it was something I'd eventually start doing and didn't know how to do it yet. Thanks for enlightening. – aCarella Oct 20 '15 at 00:27
  • If this question is specific to an Apache web server (which it appears to perhaps be), then I'd suggest you mention that in the question and tag the question as such. – jfriend00 Oct 20 '15 at 00:49

2 Answers

1

You could achieve this by adding a rewrite rule to the Apache config. See the Apache URL rewrite guide. The idea is to map an internal directory to a URL string that the user has entered.

Something like this:

# Map /js/*.js requests to files in /var/www/js (virtual-host context)
RewriteEngine On
RewriteCond   %{HTTP_HOST}  \.mywebsite\.com$
RewriteRule  ^/js/(.*)\.js$ /var/www/js/$1.js

This would allow public users to reach /var/www/js/test.js via the public URL mywebsite.com/js/test.js.

David Ball
0

You could add FollowSymLinks (See this thread), and symlink your js folder inside the docroot (maybe at /var/www/public/js).

Effectively, you're aliasing the js so it's not outside of the docroot at all.

Community
Kevin Ard
  • 1
    *so it's not outside of the docroot at all* - that is a bad way of looking at it. Allowing symlinks on a webserver completely wipes out the benefits of docroot limiting because you can symlink to anywhere on your filesystem - get it wrong and your system is left in an extremely vulnerable state. – adelphus Oct 20 '15 at 11:03
  • Very good point! Considering that OP is asking this question to begin with, security should certainly be stressed in this case. – Kevin Ard Oct 20 '15 at 15:10