I see that Apache and Nginx both use var/www as their web root - but that directory is not covered in the Filesystem Hierarchy Standard. I also see some servers with the web root in the /home/username/www directory. So where does the web root go? Or rather, where should it go most of the time for the common web server?
I've answered two similar questions. See: http://serverfault.com/questions/127472/whats-the-difference-between-www-public-html-folder/127474#127474 and http://serverfault.com/questions/135711/what-is-the-proper-way-to-set-up-the-apache-document-root-in-terms-of-privileges/135717#135717 – Warner May 23 '10 at 19:22
3 Answers
Distros use `/var/www` because it is for "transient and temporary files". The files installed there are just for checking if the server is working. After that, you can safely delete the folder.
But `/var/www` is not where you are supposed to install your own web source files. There is an argument to be made for using `/usr/local/<app>` if the web site files are static, but the most appropriate place is in `/srv/<app>` or `/srv/www/<app>`. Notably, your OS should never write to `/usr/local` or `/srv`, so they are both safe places for your own shared files. But `/srv` is for "data for services provided by this system", which is exactly what web source code is.
Now that you've bumped a six year old, _answered_, question... you might as well put in the effort to link to some references to back your posit -- LFH, `man hier`, etc. – jscott May 19 '16 at 00:29
I could, but the reference I would link to is already in the original question, so that seems silly. – rich remer May 19 '16 at 17:24
As described above and in the Filesystem Hierarchy Standard link, `/srv` is the standard directory on Unix-like systems for storing files used by system services. If you don't have a directory called `/srv`, you can create one, but your system may have some other, OS-specific place for this. `/srv` is present on RedHat and Debian based systems, which is like 99% of Linuxes. – rich remer Jun 08 '16 at 12:59
Many SysAdmins use non-standard paths in order to avoid an easy-to-guess path in case of attacks.
If you are building an Internet web server I suggest considering a non-standard path.
hmmm.. good point. I wonder how much help that would actually be in an attack. Kind of like switching the SSH port from 22. Should I create a root level nonstandard path like `/www-data` or just add to an existing path like `/srv/www-data/`? – Xeoncross May 23 '10 at 19:01
Putting SSH on a different port does not save you from an nmap portscan: in a few minutes nmap can guess the ssh port. Using a non-standard path such as /MyData/WebSites/sitename01, /MyData/WebSites/sitename02 and so on can save you from various kinds of vulnerability attacks that try to run or read some files using a relative path. If you take a look at an Apache logfile, you can see some attacks using relative paths such as ../../../etc/passwd. That said, there is no silver bullet in security. – lrosa May 23 '10 at 19:05
This is just security by obscurity. If somebody has enough access to your server to be able to read, or worse, _modify_ arbitrary files on your server, the web root is the thing you should worry _least_ about. – Radvylf Programs Jun 07 '21 at 19:04
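
The comments above mention requests such as `../../../etc/passwd` showing up in Apache log files. As an added example (not code from any poster in this thread), the sketch below flags such requests in an access log wherever the web root lives; the log lines are constructed samples in combined log format, and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2010:19:05:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.9 - - [23/May/2010:19:05:02 +0000] "GET /../../../etc/passwd HTTP/1.1" 400 226 "-" "-"
203.0.113.9 - - [23/May/2010:19:05:03 +0000] "GET /img/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [23/May/2010:19:05:04 +0000] "GET /img/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 209 "-" "-"
198.51.100.4 - - [23/May/2010:19:05:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 512 "-" "-"
"""

# client, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(url_path):
    """True if '..' segments climb above the URL root, regardless of the docroot path."""
    depth = 0
    path = decode_fully(url_path.split("?", 1)[0]).replace("\\", "/")
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text):
    """Return (client, raw_path, status) for each request that tries to leave the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_root(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits
```

A `..` that stays inside the site, as in `/docs/../index.html`, is not reported; only requests whose segments climb above the root are.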