twiki_httpd_conf.txt
author Colas Nahaboo <colas@nahaboo.net>
Sat, 26 Jan 2008 15:50:53 +0100
changeset 0 414e01d06fd5
child 1 e2915a7cbdfa
permissions -rw-r--r--
RELEASE 4.2.0 freetown
# Example httpd.conf file for TWiki.
#
# You are recommended to take a copy of this file and edit
# the paths to match your installation. Then add:
# include "/home/httpd/twiki/twiki_httpd.conf"
# to the end of your main httpd.conf file.
#
# See also http://twiki.org/cgi-bin/view/TWiki.ApacheConfigGenerator
# that helps you configure Apache

# The first parameter will be part of the URL to your installation e.g.
# http://example.com/twiki/bin/view/...
# The second parameter must point to the physical path on your disk. Be
# careful not to lose any trailing /'s.

#### Change the _second_ path to match your local installation
ScriptAlias /twiki/bin/ "/home/httpd/twiki/bin/"

# This defines a url that points to the root of the twiki installation. It is
# used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
#
# NOTE(review): this maps the whole installation root, not only pub. Every
# directory under that root is therefore reachable by URL unless a
# <Directory> section in this file denies it, so check that list whenever a
# directory is added to the installation.

#### Change the path to match your local installation
Alias /twiki/ "/home/httpd/twiki/"
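# Block access to typical spam related attachments (.htm and .html files),
# except in the TWiki directory (pub/TWiki), which is read only and does have
# attached html files.
# You should uncomment the two lines below if the TWiki is on the public Internet.
# The pattern ends in [mM][lL]?$ so that it matches .html as well as .htm.
# The variable only has an effect in sections that contain
# "Deny from env=blockAccess", so check that the section serving pub has it.
#SetEnvIf Request_URI "twiki/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
#SetEnvIf Request_URI "twiki/pub/TWiki/.*\.[hH][tT][mM][lL]?$" !blockAccess

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important: it matches requests with
# an empty User-Agent. It prevents TWiki from including its own topics as
# URLs and also prevents other TWikis from doing the same. This is important
# to prevent the most obvious Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a TWiki.
# http://twiki.org/cgi-bin/view/TWiki.ApacheConfigGenerator has a good list
# of bad spiders to block.
#
# The User-Agent header is chosen by the client, so these rules only stop
# clients that identify themselves honestly. They are not an access control.
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^$ blockAccess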
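# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL, except requests marked with the
# blockAccess variable.

#### Change the path to match your local installation
<Directory "/home/httpd/twiki/bin">
	AllowOverride None
	Order Allow,Deny
	Allow from all
	Deny from env=blockAccess

	Options ExecCGI FollowSymLinks
	SetHandler cgi-script

	# Password file for TWiki users
	#### Change the path to match your local installation
	# It is kept in the data directory, which this file denies to web
	# clients, so the password hashes cannot be fetched by URL.
	AuthUserFile /home/httpd/twiki/data/.htpasswd
	AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
	# Basic authentication sends the password with every request, only
	# base64-encoded, so serve these URLs over HTTPS.
	AuthType Basic

	# File to return on access control error (e.g. wrong password)
	# By convention this is the TWikiRegistration page, that allows users
	# to register with the TWiki. Apache requires this to be a *local* path.
	# Comment this out if you setup TWiki to completely deny access to TWikiGuest
	# in all webs or change the path to a static html page.
	ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
	# Alternatively if your users are all known to be registered you may want
	# to redirect them to the ResetPassword page.
	# ErrorDocument 401 /twiki/bin/view/TWiki/ResetPassword

	# Limit access to configure to specific IP addresses and or users.
	# Make sure configure is not open to the general public.
	# The configure script is designed for administrators only.
	# The script itself and the information it reveals can be abused by
	# attackers if not properly protected against public access.
	# Replace JohnDoe with the login name of the administrator and the
	# addresses on the Allow line with your own administration hosts.
	#
	# "Satisfy Any" means that EITHER test is enough: a request from a
	# listed address gets in without a password, and JohnDoe gets in from
	# any address. Use "Satisfy All" to require a listed address AND the
	# administrator login.
	<FilesMatch "^configure.*">
		SetHandler cgi-script
		Order Deny,Allow
		Deny from all
		Allow from 127.0.0.1 192.168.1.10
		Require user JohnDoe
		Satisfy Any
	</FilesMatch>

	# When using Apache type login the following defines the TWiki scripts
	# that make Apache ask the browser to authenticate. It is correct that
	# scripts such as view, resetpasswd & passwd are not authenticated.
	# (un-comment to activate)
	#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
	#	require valid-user
	#</FilesMatch>

</Directory>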
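# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride Limit lets a
# .htaccess file under pub change host-based access control (Order, Allow,
# Deny) and nothing else.
# Finally all execution of PHP and other scripts is disabled.

# Note that files in pub are *not* protected by TWiki Access Controls,
# so if you want to control access to files attached to topics, you may
# need to add your own .htaccess files to subdirectories of pub. See the
# Apache documentation on .htaccess for more info.
# With AllowOverride Limit such a file can restrict by client address only;
# password protection in .htaccess would also need AuthConfig.
# NOTE(review): pub is where uploads are stored, so confirm that an
# attachment can never be saved under the name .htaccess.

#### Change the path to match your local installation
<Directory "/home/httpd/twiki/pub">
	Options None
	AllowOverride Limit
	# Honour the blockAccess variable here as well. The SetEnvIf rules for
	# twiki/pub/ near the top of this file have no effect on attachments
	# unless this section denies requests that carry it.
	Order Allow,Deny
	Allow from all
	Deny from env=blockAccess

	# If you have PHP4 or PHP5 installed make sure the directive below is enabled
	# If you do not have PHP installed you will need to comment out the directive below
	# to avoid errors.
	php_admin_flag engine off

	#If you have PHP3 installed make sure the directive below is enabled
	#php3_engine off

	# This line will redefine the mime type for the most common types of scripts
	# so that they are sent to the browser as plain text.
	AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory>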
# Security note: none of the remaining TWiki directories may be visible as
# URLs, so every one of them is closed to all clients with "Deny from all".
# The list has to name each directory of the installation other than bin
# and pub.

#### Change the paths to match your local installation
<Directory "/home/httpd/twiki/data">
    Deny from all
</Directory>

<Directory "/home/httpd/twiki/templates">
    Deny from all
</Directory>

<Directory "/home/httpd/twiki/lib">
    Deny from all
</Directory>

<Directory "/home/httpd/twiki/tools">
    Deny from all
</Directory>

<Directory "/home/httpd/twiki/locale">
    Deny from all
</Directory>

<Directory "/home/httpd/twiki/working">
    Deny from all
</Directory>