Best practices securing HTTP/HTTPS (continued)...


Add appropriate Directory blocks to allow access only in those areas you wish. 

<Directory /u/*/public_html>
Order Deny,Allow
Allow from all
</Directory>
<Directory /usr/lib/apache/htdocs>
Order Deny,Allow
Allow from all
</Directory>

Pay particular attention to the interactions of Location and Directory directives; for instance, even if <Directory /> denies access, a <Location /> directive might overturn it  Also be wary of playing games with the UserDir directive; setting it to something like "./" would have the same effect, for root, as the first example above. 

If you are using Apache 1.3 or above, we strongly recommend that you include the following line in your server configuration files:

UserDir disabled root