I am trying to tighten up my apache security a bit. Looking at the "Security Tips" page in the apache documentation doesn't help a *lot* because it's mostly talking about a multi-user system where you are trying to make apache secure against the local users.
My situation (like a lot of other Linux users I suspect) is that I am the only user of the system so, apart from my stupidity, local users are not a serious risk. The only local user knows the root password anyway! :-)
What I'm after is making it so that the outside world (my router allows access for http requests) can only see the web pages that I want them to see. I also want it to be arranged so that I'm unlikely to mess up this security inadvertently.
The one thing that the apache Security Tips suggests that does seem relevant to my situation is to do:-
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
instead of the default:-
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
This means that if I point a symlink somewhere stupid by mistake, the outside world might access almost anything.
Have I understood the above right?
It certainly seems to me that what I should do is set things up so that apache can get at nothing and then open up specific directories.
One other thing I want is to allow local access only to most of my web pages, which is easy enough with something like:-
<Directory /var/www/html/maxine>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1 193.128.168.194
</Directory>
and I'll open up (say) /var/www/html/public to allow 'all' access.
Is it worth being this careful/paranoid? Is apache's security good enough for the above to be effective?
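As an added example (not from the original post), here is the whole layout described in the question written out as one set of `<Directory>` sections: default-deny at the filesystem root, a LAN-only tree, and one public tree. It uses the Apache 2.2 `Order`/`Deny`/`Allow` syntax the question uses, with the Apache 2.4 `Require` equivalent noted in a comment after each block. The directory names and the `192.168.1` / `193.128.168.194` addresses come from the question; the choice of `Options None` and `AllowOverride None` in every block is an assumption made here so that neither symlinks nor `.htaccess` files can quietly widen access.

```apache
# Added example, not from the original post. Apache 2.2 directive syntax;
# the 2.4 (mod_authz_core) equivalent is given in a comment in each block.

# 1. Nothing on the filesystem is reachable unless a later <Directory>
#    section says so. Options None also switches FollowSymLinks off at the
#    root, and AllowOverride None stops an .htaccess file from loosening
#    any of this by accident.
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
    # Apache 2.4: Require all denied
</Directory>

# 2. Pages for the local network only (paths and addresses from the question).
#    "192.168.1" is a partial-address match covering 192.168.1.0/24; the
#    second entry is a single host. With Order Deny,Allow the Deny list is
#    evaluated first and the Allow list then overrides it for matching clients,
#    so everyone else gets 403.
<Directory /var/www/html/maxine>
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1 193.128.168.194
    # Apache 2.4: Require ip 192.168.1 193.128.168.194
</Directory>

# 3. The one tree the outside world may see. Options None here also means
#    no directory index listings and no symlink following inside it.
<Directory /var/www/html/public>
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
    # Apache 2.4: Require all granted
</Directory>
```

After editing, `apachectl configtest` (or `apache2ctl -t` on Debian/Ubuntu) checks the syntax before a reload, and a request for `/maxine/` from an address outside the allowed list should come back as 403 while `/public/` is served, which is a quick way to confirm the deny-by-default rule is actually in effect rather than being overridden by a later, broader section.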