The adjacent diagram depicts some of the relationships that exist
between various areas in multiple web sites. Although
relationships may exist between multiple domains, or multiple sites,
these are not shown.
Note: It may help to envision the various boundaries
if each WWW Site is considered as an individual domain name
such as child-abuse.com or
ican-ncfr.org.
A single internet domain name may serve content on multiple ports. This
is especially true if secure areas exist which must protect data via
encryption while it is en route. In this case, a virtual server appears
on port 80, the default, and another with the same name appears on port
443, the port used for SSL traffic. These are two entirely different
web sites - or at least they should be configured this way so that links
and inlined images from the normal site do not appear in the SSL
encrypted pages. Such mixed pages would generate warnings to the user, giving
the impression that the site is not truly secure after all.
Each virtual host may be further subdivided into areas which require
user authentication before access may be granted. Sensitive material
which must be protected in this manner should not be mixed with insecure
material. Otherwise, unintentional paths may be created to the secure
data which allow unauthorized access.
In order to prevent some of these problems, it can be seen that duplication
of some content may be required. Although symbolic links (aliases, or
shortcuts) may be used to reduce the duplication, this may confuse not only
site maintainers, but the web server or underlying server operating system.
When a single file or directory appears in multiple locations, it also
becomes more difficult to tune permissions since all methods of access must
be taken into account.
Executable content such as CGI scripts, SSI-enabled HTML pages, or pages
containing PHP code further complicates the issues of ownership and
permissions. Much stricter control must be exercised over these types
of files or they may themselves provide access to other, unrelated
areas on the web site. Quite often, these files must belong to an
account with elevated privileges, such as root, so the same care applied
to system applications must be exercised when assigning ownership and
permissions to these files and directories.
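The two checks implied by the paragraphs on symbolic links and on executable content can be run over a document tree with a short script. This is an added example, not part of the original page; the function name audit_tree and the extension list EXEC_EXTS are assumptions chosen for illustration.

```python
import os
import stat
import sys
from collections import defaultdict

# Assumption: extensions treated as executable content (CGI, SSI, PHP).
EXEC_EXTS = {".cgi", ".pl", ".php", ".shtml"}


def audit_tree(root):
    """Audit a document tree; paths in the result are relative to root.

    Returns (aliases, writable_exec):
      aliases       - groups of paths that reach the same file or directory
                      through symbolic or hard links
      writable_exec - executable content writable by group or others
    """
    by_inode = defaultdict(set)
    writable_exec = set()
    for dirpath, dirnames, filenames in os.walk(root):  # links are not descended
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)  # follows symlinks to the real object
            except OSError:
                continue  # dangling link: nothing is served from it
            rel = os.path.relpath(path, root)
            by_inode[(st.st_dev, st.st_ino)].add(rel)
            if not stat.S_ISREG(st.st_mode):
                continue
            is_exec = (os.path.splitext(name)[1].lower() in EXEC_EXTS
                       or st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if is_exec and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                writable_exec.add(rel)
    aliases = sorted(sorted(paths) for paths in by_inode.values() if len(paths) > 1)
    return aliases, sorted(writable_exec)


if __name__ == "__main__" and len(sys.argv) == 2:
    aliases, writable_exec = audit_tree(sys.argv[1])
    for group in aliases:
        print("same object reachable as:", ", ".join(group))
    for path in writable_exec:
        print("executable content writable by group/others:", path)
```

Every path in an alias group must be covered by the access rules that protect the most sensitive of them. A link whose target lies outside the tree is reported only if that target is also reachable by another path inside it.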
Finally, interactions between global and local configurations may produce
unexpected results if careful attention is not paid to directory layout.
For example, suppose a file exists in the global DocumentRoot
directory that has the same name as a file in a virtual host's root
directory. Let's say that the file's name is top.html. One may find
that the wrong file is served by the seemingly unambiguous URL,
/top.html because the web server is forced to second-guess the
intentions of the system administrator.
Access Control Methods
Various factors influence the final location, ownership, and permissions
that are assigned to files and directories throughout the file system.
These include, but may not be limited to:
- System owner
- System group
- WWW server global configuration
- WWW virtual host configuration
- WWW directory or location configuration
- WWW domain name or IP address restrictions
- WWW authentication restrictions
- Executable, CGI, or scripting content
- SSL content
piece o' cake, eh?
...dave