bin/.htaccess.txt
author Colas Nahaboo <colas@nahaboo.net>
Sat, 26 Jan 2008 15:50:53 +0100
changeset 0 414e01d06fd5
permissions -rw-r--r--
RELEASE 4.2.0 freetown
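# bin/.htaccess.txt
#
# Controls access to TWiki scripts - to make Apache use it, rename this
# file to '.htaccess' and REPLACE THE FOLLOWING STRINGS WHEREVER YOU SEE
# THEM IN THIS FILE WITH PATHS SPECIFIC TO YOUR INSTALLATION.
# Most required values can be seen in the Path Settings section of
# =configure=.
#
# Replace {DataDir} with the value from =configure=
# Replace {DefaultUrlHost} with the value from =configure=
# Replace {ScriptUrlPath} with the value from =configure=
# Replace {Administrators} with a space-separated list of the login
# name(s) of the person(s) allowed to run the configure script
# e.g. admin root superhero
#
# NOTE(review): none of the restrictions below are applied until this file
# has been renamed to '.htaccess' AND the server configuration lets Apache
# honour it for this directory (AllowOverride). After installing, request
# the configure script from an outside address to confirm it is refused.

# We set an environment variable called anonymous_spider
# Setting a BrowserMatchNoCase to ^$ is important. It prevents TWiki from
# including its own topics as URLs and also prevents other TWikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a twiki
# Example:
# BrowserMatchNoCase ^SiteSucker anonymous_spider
#
# NOTE(review): User-Agent is supplied by the client, so this rule only
# stops clients that send an empty (or listed) value. It is a courtesy
# filter against accidental recursion and naive mirroring tools, not an
# access control; load limiting has to be enforced elsewhere.
BrowserMatchNoCase ^$ anonymous_spider

# Now set default access rights.
# With "Order Allow,Deny" the Deny directives are evaluated after the Allow
# directives, so the env= match below overrides "Allow from all".
Order Allow,Deny
Allow from all
Deny from env=anonymous_spider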
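
# Use CGI & Perl to handle all files in 'bin' directory, i.e. run as scripts
# - this should remove the need to rename files to end in '.pl' etc,
# if your web hosting provider permits this.  Remove if using mod_perl.
#
# NOTE(review): with this handler every file in the directory is executed
# as a CGI script when requested. Keep only the TWiki scripts here, and make
# sure neither the web server account nor any upload path can write to it.
SetHandler cgi-script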
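
# Password file for TWiki users
#

# Authentication type (htpasswd file) (comment out this if you configure htpasswd / LDAP support)
# NOTE(review): "htpasswd" in the line above presumably means "htdigest";
# this Basic block is the htpasswd setup itself, and it is the block to
# comment out when one of the alternatives below is enabled.
#
# NOTE(review): Basic authentication sends the password with every request
# in an easily reversible encoding. Serve the authenticated scripts over
# HTTPS only. {DataDir}/.htpasswd must live outside any directory Apache
# serves and should be readable only by the web server account.
AuthUserFile {DataDir}/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic

# For htdigest password support, uncomment the following
#AuthDigestDomain {DefaultUrlHost}{ScriptUrlPath}/viewauth {DefaultUrlHost}{ScriptUrlPath}/edit {DefaultUrlHost}{ScriptUrlPath}/preview {DefaultUrlHost}{ScriptUrlPath}/save {DefaultUrlHost}{ScriptUrlPath}/attach {DefaultUrlHost}{ScriptUrlPath}/upload {DefaultUrlHost}{ScriptUrlPath}/rename {DefaultUrlHost}{ScriptUrlPath}/manage {DefaultUrlHost}{ScriptUrlPath}/installpasswd {DefaultUrlHost}{ScriptUrlPath}/passwd
#AuthDigestFile {DataDir}/.htdigest
# For "Digest" authentication to work properly, this string must match
# the value of configuration variable $authRealm
#AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
#AuthType Digest

# For LDAP password support, uncomment the following (and fix up the paths)
# NOTE(review): an ldap:// URL carries the lookup and the user's password
# to the directory server unencrypted; use ldaps:// or an otherwise protected
# link if the directory is not on the same trusted host.
# NOTE(review): <Limit GET POST PUT> applies the group requirement to those
# three methods only; requests using any other method are not covered by it.
#AuthLDAPURL ldap://yourldapserver/dc=yourldapserver,dc=com?uid?sub?(objectClass=posixAccount)
#AuthLDAPGroupAttribute memberUid
#AuthLDAPGroupAttributeIsDN off
#<Limit GET POST PUT>
#    require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
#</Limit>
#AuthName ByPassword
#AuthType Basic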
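
# File to return on access control error (e.g. wrong password)
# By convention this is the TWikiRegistration page, that allows users
# to register with the TWiki. Apache requires this to be a *local* path.
# Comment this out if you set up TWiki to completely deny access to TWikiGuest
# in all webs, or change the path to a static html page.
#
# NOTE(review): this page is shown to every client that fails or cancels
# authentication, so the topic it points to has to be viewable without a
# login and should not contain anything meant for registered users only.
ErrorDocument 401 {ScriptUrlPath}/view/TWiki/TWikiRegistration
# Alternatively if your users are all known to be registered you may want
# to redirect them to the ResetPassword page.
# ErrorDocument 401 {ScriptUrlPath}/view/TWiki/ResetPassword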
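
# Set options for executing CGI and allow symlinks for e.g. viewauth
# This also unsets any options allowing directory indexing etc.
# (An Options line without +/- prefixes replaces the inherited set, which is
# why Indexes and the like are switched off here.)
#
# NOTE(review): FollowSymLinks makes Apache follow any symlink placed in
# this directory, whatever it points to and whoever owns the target.
# SymLinksIfOwnerMatch is the stricter option if the viewauth-style links
# are owned by the same account as their targets.
Options ExecCGI FollowSymLinks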
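
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# The configure script is designed for administrators only.
# The script itself and the information it reveals can be abused by
# attackers if not properly protected against public access.
#
# How the rules below combine:
# - "Order Deny,Allow" + "Deny from all" refuses every address except those
#   named on the Allow line.
# - "Satisfy Any" admits a request that passes EITHER the address check OR
#   the "Require user" check. A client on an allowed address is therefore
#   never asked for a password. Use "Satisfy All" to demand both.
# - "Require user" relies on the AuthType / AuthUserFile settings made
#   earlier in this file.
#
# Addresses on the Allow line are separated by spaces. The original line used
# "127.0.0.1, 192.168.1.10"; the trailing comma very likely stops Apache from
# reading the first entry as an IP address, so it would never match.
#
# NOTE(review): 192.168.1.10 is a sample value - replace it with the real
# administration host or remove it. If Apache runs behind a reverse proxy on
# the same machine, every request appears to come from 127.0.0.1 and this
# rule would then admit everyone; drop the loopback entry in that setup.
#
# The pattern is unanchored and matches any file name containing "configure",
# which errs on the restrictive side.
<FilesMatch "configure.*">
	SetHandler cgi-script
	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1 192.168.1.10
	Require user {Administrators}
	Satisfy Any
</FilesMatch>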
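
# These are scripts that might change content. The regular expression uses ".*"
# at the end so it matches the scripts even if you had to add a .cgi or .pl
# extension. If you want to require login for any other scripts, modify the
# regular expression below as appropriate.

# NB. The resetpasswd & passwd scripts are used to reset and change passwords.
# They do their own validation of the user and therefore
# should not use "require valid-user"

# When using Apache type login the following defines the TWiki scripts
# that make Apache ask the browser to authenticate. It is correct that
# scripts such as view, resetpasswd & passwd are not authenticated.
# (un-comment to activate)
#
# NOTE(review): while this block stays commented out, Apache itself demands a
# login for no script other than configure; whether the content-changing
# scripts are protected then depends entirely on TWiki's own login handling.
# Confirm which of the two is in effect before exposing the site.
# NOTE(review): "view" is deliberately left out, so topics that must not be
# public need TWiki-level access control - this file does not protect them.
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
#       require valid-user
#</FilesMatch>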