type of guy that sets up first and whatever I "need to know" or if something doesn't work, I read about it afterwards. If I become really interested in something...then I'll read up on it.
That approach doesn't work for security issues on your live server. I've no doubt you'll be interested - nay, *fascinated*! - when someone cracks your system and wipes all your disks. But by then it's too late to start reading up.
Basically, you all can't tell me that you can't recommend certain "critical" areas that I should examine first and that the only way to get set up is by reading the whole manual. ???? I don't need to know about load balancing or other things that a "home user" would care to know about to get up and running.
The word everyone screamed at you was "security". You don't need to read the whole manual, you need to read up on the security issues. Your approach to learning as you go will work fine for getting the thing running efficiently, but not for security. You *have* to read that manual!
I just want to be up and running and get some "advice" about critical areas of security.
All areas of security are critical. The most important bit is the bit you ignore or don't understand.
As an example, I just want to publish pictures of my carpet. (It's really nice carpet). I can do it now, but how can I keep folks out of my other directories?
Other way round - you should be asking how you close off your other directories, and only open the one(s) you want. See, you don't yet know what questions to ask, so how can you ever be sure you've asked all the right ones until you have the background? And the background comes from TFM.
still a pain. If I were to change the path from /srv/www to /home/tom/public_html would this cause any security issues?
Yes.
Again, I know in order for me to get all the information anyone would ever want to know about Apache, I should read the manual....but I just want to test and slowly increase my knowledge. I just want to play around right now and I'm sure there are simple tips that can be given to an Apache newbie. (I think).
If you want to test and play, install apache on one of your internal machines, away from untrusted users. That's simple - it'll work out of the box. You should have it running inside 5 minutes. Increase your knowledge from there by all means. Just don't open the thing to the outside until you have read up on the security implications, and you've understood how they apply to you. Not anyone else, or an example server, *you*!

--
"...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
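
The "close off everything, then open only the one(s) you want" approach from the reply above, as an added configuration example that is not part of the original message. It assumes Apache 2.4 authorization syntax (`Require`), and `/srv/www/carpet` is a hypothetical directory for the pictures.

```apache
# Added example, not from the original thread.
# Assumes Apache 2.4 (mod_authz_core); /srv/www/carpet is a hypothetical path.

# 1. Close off the entire filesystem first. Nothing is served, no options
#    are enabled, and .htaccess files cannot override any of this.
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

# 2. Open only the single directory that is meant to be published.
DocumentRoot "/srv/www/carpet"
<Directory "/srv/www/carpet">
    # No directory listings, CGI, includes or symlink following.
    Options None
    AllowOverride None
    Require all granted
</Directory>

# 3. Keep per-user directories (e.g. /home/tom/public_html) closed unless
#    they are opened deliberately with their own <Directory> block.
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

# 4. Never serve .htaccess / .htpasswd files, even from the open directory.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Run `apachectl configtest` after editing to check the syntax before reloading the server.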