How visible is my /var/www to the outside world?

Chad Harrison asked:

I suppose this is more of a house keeping question, but here it goes.

If I create a backup file of my index.html called index.html.bak, is it possible that someone from the outside using http on my apache2 server is able to list the contents of my /var/www directory? I currently know no method of doing this, but this could be due to my lack of experience in this area. Should I store files that need not to be in view somewhere else?

Currently, the only feasible way I can think that someone might discover the file is if there was an explicit link somewhere pointing to the file. How visible is my web directory?

My answer:

If you specify Options -Indexes for the Directory in question, then Apache will not generate a directory listing. However, if someone guesses the filename they could still access it if the operating system allows the web server to access the file.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.