Does Apache2 support virtual hosting of subdomains?

Question

Currently my Apache server is set up like so

<VirtualHost *:80>
 ServerName www.example.com
 ServerAlias example.com
 DocumentRoot /var/www
</VirtualHost>

The problem is that everything below /var/www is accessible from everywhere else. If I have a web page /var/www/john/bio.html, then that web page could borrow scripts/pictures from var/www/jane/

I want to set up my Apache server like so

<VirtualHost *:80>
 ServerName www.example.com
 ServerAlias example.com
 DocumentRoot /var/www
</VirtualHost>

<VirtualHost *:80>
 ServerName www.john.example.com
 ServerAlias john.example.com
 DocumentRoot /var/www/john
</VirtualHost>

<VirtualHost *:80>
 ServerName www.jane.example.com
 ServerAlias jane.example.com
 DocumentRoot /var/www/jane
</VirtualHost>

So all the files for user john go in the /var/www/john/ folder, and likewise for user jane. Then, with symbolic links turned off (by default), and access only provided from /var/www/user/ downwards (again by default), I don't have to worry about john's web page including scripts/images from jane's web page.

Answer 1

Using local measures only (/etc/hosts instead of a DNS) I found that this can indeed work.

First, change your /etc/hosts file to have a mapping of your desired website name(s) (www.example.com), and target IP address (192.168.1.1). I used my local IP address.

 IPAddress               Hostname                   Alias
-----------     --------------------------    ------------------
192.168.1.1     www.example.com               example.com 
192.168.1.1     www.john.example.com          john.example.com
192.168.1.1     www.jane.example.com          jane.example.com

Your web browser will check your /etc/hosts file before looking at the world wide web.

Next go through all your Apache config files (httpd.conf, apache2.conf, ports.conf, conf.d/*) and make sure in exactly one file the command NameVirtualHost *:80 is issued (it doesn't have to be port :80 but if it is issued more than once, you will get this problem). Mine was issued in /etc/apache2/ports.conf, so put yours there if you have to. Finally, update your Apache configuration file (mine was at /etc/apache2/sites-available/default) like so.

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www
</VirtualHost>

<VirtualHost *:80>
    ServerName www.john.example.com
    ServerAlias john.example.com
    DocumentRoot /var/www/john
</VirtualHost>

<VirtualHost *:80>
    ServerName www.jane.example.com
    ServerAlias jane.example.com
    DocumentRoot /var/www/jane
</VirtualHost>

As a final step, you may need to add the websites to Apache by issuing the below commands (this step is not necessary, if you give all websites into sites-available/default and not into separate files for individual websites).

# a2ensite www.example.com
# a2ensite www.john.example.com
# a2ensite www.jane.example.com

After doing this, john.example.com will go to /var/www/john. That directory will then act as the root directory, and john will no longer have access to www, and, therefore, have no access to /var/www/jane.

Likewise, after doing this, jane.example.com will go to /var/www/jane. That directory will then act as the root directory, and jane will no longer have access to www, and, therefore, have no access to /var/www/john.

With symbolic links turned off --by default-- neither directories will be able to access each other