How to Disable or Override Default DocumentRoot in Apache for Virtual Hosts


When configuring Apache for multiple virtual hosts, the default DocumentRoot specified in httpd.conf can become a security concern. This default setting serves as a fallback when no matching virtual host is found, potentially exposing unintended directories.

The proper way to handle this is through virtual host configuration. Apache will automatically ignore the main server's DocumentRoot when virtual hosts are properly set up with ServerName or ServerAlias directives.



<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
    # Other directives...
</VirtualHost>

For added security, you can explicitly disable the default DocumentRoot by:

  1. Commenting out the DocumentRoot directive in httpd.conf
  2. Setting a restrictive default virtual host

# In httpd.conf
# DocumentRoot "/var/www/html"


# Catch-all host: it must be the FIRST <VirtualHost> for this address:port,
# because Apache serves unmatched Host headers from the first host listed.
<VirtualHost *:80>
    # /dev/null is not a directory, so httpd logs a startup warning but still starts
    DocumentRoot /dev/null
    # Deny every filesystem path for requests that land on this host
    <Directory />
        Require all denied
    </Directory>
</VirtualHost>

Another clean approach is to redirect all unmatched requests to your primary domain:



# Again, list this host first so it is the default for unmatched requests
<VirtualHost *:80>
    ServerName catch-all
    Redirect permanent / https://yourprimarydomain.com/
</VirtualHost>

After making changes:


sudo apachectl configtest
sudo systemctl restart httpd

Test by accessing your server via IP address - it should either show a 403 error or redirect as configured.

This configuration prevents:

  • Accidental exposure of files through IP-based access
  • Directory traversal vulnerabilities
  • Information leakage about server structure

When configuring Apache for multiple virtual hosts, the default DocumentRoot defined in httpd.conf can become a security concern. Any request that doesn't match your virtual hosts will serve files from this directory, potentially exposing sensitive information.

Here's how to properly disable the default root while maintaining virtual hosts:


# In your main httpd.conf
# The main server's DocumentRoot must be an existing directory, otherwise
# configtest fails with "DocumentRoot must be a directory"; keep it as an
# empty directory and let the Directory block deny every request that lands here
DocumentRoot "/var/www/nonexistent"
<Directory "/var/www/nonexistent">
    Require all denied
</Directory>

# Virtual host example
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example.com"
    <Directory "/var/www/example.com">
        # Indexes enables directory listings; drop it if listings are not wanted
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

For better user experience, you might want to redirect unmatched requests:



# No ServerName and listed first: this host answers every unmatched request with 404
<VirtualHost *:80>
    Redirect 404 /
</VirtualHost>

When implementing this solution:

  • Ensure the nonexistent directory isn't actually created
  • Test with invalid host headers to verify the configuration
  • Consider adding custom 404 pages for better UX

After making changes:


sudo apachectl configtest
sudo systemctl restart httpd
curl -I -H "Host: invalid.example" http://localhost
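Both answers depend on Apache treating the first <VirtualHost> listed for an address:port as the default for unmatched Host headers, so the ordering is worth auditing. The following Python is an added example, not code from either answer: it parses a constructed vhost file with a simple regex (no Include, <If> or nested VirtualHost handling) and reports, per address:port, whether the default host is a restrictive catch-all (Require all denied, or a Redirect rooted at /) or a real site; treating any Require all denied in the block as restrictive is a heuristic.

```python
import re

# Constructed sample configs (not from either answer): the catch-all host
# listed before the real site, and the same two hosts in the wrong order.
GOOD_CONF = """\
<VirtualHost *:80>
    DocumentRoot /dev/null
    <Directory />
        Require all denied
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Require all granted
    </Directory>
</VirtualHost>
"""
# Swap the two blocks so the real site becomes the default host
_blocks = GOOD_CONF.split("</VirtualHost>\n")
BAD_CONF = "</VirtualHost>\n".join([_blocks[1], _blocks[0], ""])

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DENY_RE = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.M | re.I)
# Redirect [status] / [URL]: a redirect (or 404) rooted at "/" covers every path
ROOT_REDIRECT_RE = re.compile(r"^\s*Redirect\s+(?:\S+\s+)?/(?:\s+\S+)?\s*$", re.M | re.I)

def parse_vhosts(conf):
    """Return (address_spec, body) pairs in file order, with '#' comments removed."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    return [(m.group(1).strip(), m.group(2)) for m in VHOST_RE.finditer(text)]

def is_restrictive(body):
    """True when a host denies all access or redirects/404s everything under '/'."""
    return bool(DENY_RE.search(body) or ROOT_REDIRECT_RE.search(body))

def default_hosts(conf):
    """Apache's default for an address:port is the FIRST <VirtualHost> listed for it."""
    defaults = {}
    for spec, body in parse_vhosts(conf):
        for addr in spec.split():  # one host may listen on several address:port specs
            defaults.setdefault(addr, body)
    return defaults

def audit(conf):
    """Map each address:port to True if its default host is restrictive, else False."""
    return {addr: is_restrictive(body) for addr, body in default_hosts(conf).items()}
```

Run audit() over the output of concatenating your real vhost files in the order Apache reads them; any address:port mapped to False is answered by a real site when the Host header matches nothing.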