In order to improve the security of websites, we are transitioning to a new setup for our webservers. Until recently we had just one Apache httpd running on a webserver, and the different websites were served through Apache's virtual hosts mechanism. The main advantage of running just one httpd is that all websites share the pool of httpd processes. The main disadvantages are inter-website security (all websites are served by the same unix user, so a script on one website can read the files of every other website on the server) and shared log files.
The new setup chosen for the webserver athos does not have these disadvantages. Instead of virtual host files read by a single Apache server, we now run a separate Apache httpd for each website, each under its own unix user. This means that the files in the web-docs directory no longer have to be readable by every user on the webserver. Furthermore, every website now gets its own IP address, which means that every website needing https can get its own certificate.
The new directory structure looks as follows (we use website as an example name):
Top directory containing all files belonging to this website.
The document root for the website. In the standard setup the web-docs directory is readable and writable by the unix group that contains only the users maintaining the website. Apart from these users, only the user that runs the website-specific httpd can read the files, and that user cannot write them.
The document root for a test version of the website, e.g. to test a new version before it goes live. The test version is available on port 8080 for http, i.e. via the URL http://www.website.science.ru.nl:8080/, and on port 4443 for https, i.e. via the URL https://www.website.science.ru.nl:4443/ (the real site uses the standard ports 80 for http and 443 for https). Readable and writable by the same users that can read and/or write the web-docs directory.
The directory containing the log files of the httpd for this website; the most important ones are access_log and error_log. Note that we strongly advise website owners to check the errors in error_log themselves and to take action to remedy them.
Log directory for the test version of the website.
Preferably the only directory in which the httpd for this website can write. The standard setup has a 'sessions' subdirectory that is used by PHP as its session_save_path directory. If the website needs a writable directory, please create it inside this directory.
The cgi-bin directory for the website.
And of course a cgi-bin directory for the test-version.
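As an added example (not the faculty's own configuration or scripts), the following shell script shows what the per-website setup described above looks like in practice: one httpd.conf per website instance, bound to the site's own IP address and ports (80/443 for the live site, 8080/4443 for the test version), running as the site's own unix user, with the document root read-only for that user and web-writable/sessions as PHP's session_save_path. It also contains a check that a site's directory tree follows the permission policy from the list above. The directory names (web-docs, web-docs-test, logs, logs-test, web-writable, cgi-bin, cgi-bin-test), the /www/<site> location, the user name www-<site>, the certificate paths and the IP address are assumptions, not taken from this page. How the httpd user is granted read access to web-docs without the files being world-readable (for instance via a POSIX ACL) is not described on the page and is not handled here.

```shell
#!/bin/sh
# Added example, not the faculty's own scripts or configuration.
# Two helpers for the one-httpd-per-website setup:
#   site_httpd_conf - prints the httpd.conf for one website's own httpd (live or test instance)
#   audit_site_tree - checks a website's directory tree against the permission policy
# Assumed, not taken from the page: the site tree lives in /www/<site>; the directory
# names web-docs, web-docs-test, logs, logs-test, web-writable, cgi-bin, cgi-bin-test;
# the httpd runs as unix user www-<site>; certificates live under /etc/ssl.

# Usage: site_httpd_conf SITE IP MODE   (MODE is "live": ports 80/443, or "test": 8080/4443)
site_httpd_conf() {
    site=$1; ip=$2; mode=$3
    base=/www/$site
    case $mode in
        live) http=80;   https=443;  docs=web-docs;      logs=logs;      cgi=cgi-bin ;;
        test) http=8080; https=4443; docs=web-docs-test; logs=logs-test; cgi=cgi-bin-test ;;
        *)    echo "mode must be live or test" >&2; return 1 ;;
    esac
    cat <<EOF
# $mode httpd for www.$site.science.ru.nl: its own process pool, own unix user,
# own IP address (hence its own certificate) and own log files.
Listen $ip:$http
Listen $ip:$https
User www-$site
Group www-$site
ServerName www.$site.science.ru.nl
DocumentRoot $base/$docs
ScriptAlias /cgi-bin/ $base/$cgi/
# Log files are opened by root before httpd switches to www-$site, so the log
# directory does not need to be writable by www-$site.
ErrorLog $base/$logs/error_log
CustomLog $base/$logs/access_log combined
# web-writable is the only directory www-$site may write to; PHP sessions go in
# its 'sessions' subdirectory.
php_admin_value session.save_path $base/web-writable/sessions
<VirtualHost $ip:$https>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.$site.science.ru.nl.pem
    SSLCertificateKeyFile /etc/ssl/private/www.$site.science.ru.nl.key
</VirtualHost>
EOF
}

# Usage: audit_site_tree BASE SITE
# Prints each policy violation and returns 1 if any were found:
#  - entries readable or writable by "other" (web-docs must not be readable by
#    every user on the server);
#  - entries writable by the httpd user www-SITE outside web-writable (checked via
#    the owner write bit; skipped when that user does not exist on this machine);
#  - a missing web-writable/sessions directory.
audit_site_tree() {
    base=$1; site=$2; rc=0
    other=$(find "$base" \( -perm -004 -o -perm -002 \) -print)
    if [ -n "$other" ]; then
        printf 'accessible by other:\n%s\n' "$other"; rc=1
    fi
    if id "www-$site" >/dev/null 2>&1; then
        owned=$(find "$base" -user "www-$site" -perm -200 \
                     ! -path "$base/web-writable" ! -path "$base/web-writable/*" -print)
        if [ -n "$owned" ]; then
            printf 'writable by www-%s outside web-writable:\n%s\n' "$site" "$owned"; rc=1
        fi
    fi
    if [ ! -d "$base/web-writable/sessions" ]; then
        echo "missing $base/web-writable/sessions"; rc=1
    fi
    return $rc
}

# Example invocation (192.0.2.10 is a documentation address, not a real server):
#   site_httpd_conf website 192.0.2.10 test > /www/website/httpd-test.conf
#   audit_site_tree /www/website website
```

The audit flags every file or directory with any "other" bit set, which is exactly the situation the new setup removes: with one httpd per website the document root only has to be readable by the maintainers' group and the site's own httpd user, never by everyone on the server.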
Avoid the use of absolute paths in web pages: they make it much more troublesome to move the website, because the web pages then have to be changed.