OT: Can Apache read files outside of DOCROOT?

This may be the wrong place to ask this question, but I believe people on this forum are admins who are really in the trenches and know things from actual experience. If no one knows, I’ll take it to Expert’s Exchange…

Scenario: We have an OSX server running apache and several domains are enabled but only accessible from a web browser inside the LAN and behind the corporate firewall. It’s for in-house use as we can deliver content to users on the LAN without them necessarily having the server mounted on their desktops, a common scenario…

Now, the content management on the server is such that archives of sound files, images (332,000 at this point) and other documents live in separate folders outside the WWW folder. The directory layout is like this… where "Enterprise" is a volume on the server with content accessible across the LAN if you have it mounted on your desktop:

…/www.internal-domain.org # enable as internal domain
…/public_html # DOCROOT for this domain

…/Digital Photos # a gigantic archive of graphic resources
…/Sound Projects # another huge archive of sound files
…/Video Resources # archive of video

Now… I would like to be able to pull files from the latter three directories through web apps running inside the www.internal-domain.org. CGIs therein could be built with a web interface to look at and serve up files outside docroot.

Is there a way to do this? Obviously this is a permissions issue. We are mainly looking to serve .jpg’s, .xml files, .mov, .mp3’s that are not inside “public_html”. Would there be some way, using symbolic links or something like that where Apache would follow outside of DOCROOT? I’m really only needing read-only access at this point.

Post edited by: Katir, at: 2009/03/11 18:28


What you’re after is actually pretty straightforward.

I mean, in short, it should already be possible, it just comes down to filesystem permissions.

The slightly longer answer is that Apache simply runs as a user… on Linux, that user might be “apache” or “www-data”. I’m not sure what that user is on OSX, but it’s the same idea.

So long as the user Apache is running as has permission to access those directories, it should be no problem to access them from within any of your scripts.

And in fact, that’s something folks will sometimes do to better secure certain files – putting them outside of the DocumentRoot makes it harder for a random attacker to get at them, even if they want their web apps to be able to get to them.

If you don’t want to access them via scripts, but you want web users to be accessing those directories directly, a symbolic link would work, but setting up an alias in Apache would also work (search for “Alias” in your Apache conf for examples).
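An added example, not part of the original thread: when a CGI reads from the archives outside DocumentRoot, filesystem permissions alone let it open anything the Apache user can read, so the script should confine each request to one archive and to the file types named in the question. The archive keys, the base_dir argument and the function names below are assumptions made for this sketch.

```python
from pathlib import Path

# Archive folder names and file types come from the question; the short keys
# and the base_dir argument are assumptions for this example.
ARCHIVES = {
    "photos": "Digital Photos",
    "sound": "Sound Projects",
    "video": "Video Resources",
}
ALLOWED_SUFFIXES = {".jpg", ".xml", ".mov", ".mp3"}


class Rejected(Exception):
    """Raised when a request must not be served."""


def resolve_request(base_dir, archive_key, rel_path):
    """Map (archive_key, rel_path) to a real file inside one archive, or raise."""
    if archive_key not in ARCHIVES:
        raise Rejected("unknown archive")
    root = (Path(base_dir) / ARCHIVES[archive_key]).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment check
    # below is made on the path the OS would actually open.
    target = (root / rel_path).resolve()
    if root not in target.parents:
        raise Rejected("path escapes archive root")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise Rejected("file type not allowed")
    if not target.is_file():
        raise Rejected("not a regular file")
    return target


def read_file(base_dir, archive_key, rel_path):
    """Read-only access: return the bytes of an approved file."""
    with open(resolve_request(base_dir, archive_key, rel_path), "rb") as fh:
        return fh.read()
```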