Item10623: make consistent .htaccess examples

git-svn-id: http://svn.foswiki.org/trunk@11490 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
GeorgeClark authored and GeorgeClark committed Apr 19, 2011
1 parent 900d1df commit faf267f10cc8fcd0ea0541e3d51578b7e2866849
@@ -1,7 +1,8 @@
# bin/.htaccess.txt
# Sample bin/.htaccess file. If you require .htaccess files for your apache
# configuration, tailor this file using the below instructions.
#
# Controls access to Foswiki scripts - to make Apache use it, rename this
# file to '.htaccess' and REPLACE THE FOLLOWING STRINGS WHEREVER YOU SEE
# file to 'bin/.htaccess' and REPLACE THE FOLLOWING STRINGS WHEREVER YOU SEE
# THEM IN THIS FILE WITH PATHS SPECIFIC TO YOUR INSTALLATION.
# Most required values have corresponding items in the Path Settings section of
# configure. The following 4 strings must be updated:
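Review bot: The header instruction "rename this file to 'bin/.htaccess'" reads as an in-place rename, but the manifest in this commit lists the sample as bin-htaccess.txt at the top level, so the file has to be copied or moved into bin/. Suggest wording it as "copy this file to 'bin/.htaccess'", which matches the "copy sample file to the following location" column in the installation guide table.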
@@ -110,14 +110,15 @@ First choose the best configuration method for your web server. With Apache, the
* *Note:* you must restart Apache after making changes to your config files for the changes to take effect.
*If you are using a .htaccess file:*
* In the root of the foswiki installation and in the =bin= directory, there are sample =.htaccess= files for various subdirectories in your installation. Each file has help text explaining how to modify it for your configuration. For more information, see Foswiki:Support.SupplementalDocuments.<sticky>
* In the root of the foswiki installation, there are sample =.htaccess= files for various subdirectories in your installation. Each file has help text explaining how to modify it for your configuration. For more information, see Foswiki:Support.SupplementalDocuments.<sticky>
| *location and name of sample .htaccess file* | *copy sample file to the following location* |
| =foswiki/root-htaccess.txt= | =foswiki/.htaccess= |
| =foswiki/bin/.htaccess.txt= | =foswiki/bin/.htaccess= |
| =foswiki/bin-htaccess.txt= | =foswiki/bin/.htaccess= |
| =foswiki/pub-htaccess.txt= | =foswiki/pub/.htaccess= |
| =foswiki/subdir-htaccess.txt= | =.htaccess= in all other subdirectories below =foswiki= |</sticky>
* Ensure that web access is denied to all Foswiki subdirectories other than =bin= and =pub=. The sample =.htaccess= files show how to configure Apache appropriately.
| =foswiki/subdir-htaccess.txt= | =foswiki/&lt;subdir&gt;/.htaccess= <br />Copy to all other subdirectories below =foswiki=, including =data=, =lib=, =locale=, =templates=, =tools=, =working=. Copy to any other directories except for =bin= and =pub= addressed above. |</sticky>
* Ensure that web access is denied to all Foswiki subdirectories other than =bin= and =pub=. The sample =.htaccess= files show how to configure Apache appropriately. It is important to verify that none of these directories can be directly accessed.
* Ensure that the =foswiki/bin/.htaccess= files contains the line =SetHandler cgi-script= so that all scripts in the =bin= directory will be executed by Apache.
* *Note:* On Linux systems, files named with the leading "." like =.htaccess= are hidden files and will not be listed unless using the -a option, ex. =ls -la=
*Turn off any kind of PHP, Perl, Python, Server Side Includes, or other software execution mechanisms supported by your web server in the =pub= directory.* For example, most Linux distributions have a default Apache installation with PHP and server side include (SSI) enabled. This would allow PHP scripts uploaded as attachments to be executed, which is a security risk, so it should be disabled in the Apache configuration with =php_admin_flag engine off=.
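Review bot: The sentence "It is important to verify that none of these directories can be directly accessed", at the end of the deny-access bullet, tells the administrator to verify but not how. Suggest naming a concrete check, for example requesting a known file under data or lib through the web server and confirming that the request is refused. In the following bullet, "the =foswiki/bin/.htaccess= files contains" should read "file contains".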
@@ -134,19 +134,19 @@ To setup Apache Login, perform the following steps:
1 Select =Foswiki::Users::HtPasswdUser= for ={PasswordManager}=.
1 Select =Foswiki::Users::TopicUserMapping= for ={UserMappingManager}=.
1 Save your settings.
1 Configure your Apache settings for HTTP authentication. Use the Foswiki:Support.ApacheConfigGenerator tool or the =foswiki/bin/.htaccess= file to set the following Apache directives on the =bin= scripts:<sticky>
1 Configure your Apache settings for HTTP authentication. Use the Foswiki:Support.ApacheConfigGenerator tool or the =foswiki/bin-htaccess.txt= file to set the following Apache directives on the =bin= scripts:<sticky>
<verbatim>
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch></verbatim></sticky>
You can also refer to the sample =foswiki_httpd_conf.txt= and =bin/.htaccess.txt= files to see how the appropriate Apache directives are specified.
You can also refer to the sample =foswiki_httpd_conf.txt= and =bin-htaccess.txt= files to see how the appropriate Apache directives are specified.
%INCLUDE{"UserAuthentication" section="TESTING"}%%ENDSECTION{"ApacheLogin"}%
---++++ Logons via bin/logon
Any time a user requests a page that needs authentication, they will be forced to log on. It may be convenient to have a "logon" link as well, to give the system a chance to identify the user and retrieve their personal settings. It may be convenient to force them to log on.
The ==bin/logon== script enables this. If you are using Apache Login, the ==bin/logon== script must be setup in the ==bin/.htaccess== file to be a script which requires a =valid user=. Once authenticated, it will redirect the user to the view URL for the page from which the =logon= script was linked.
The ==bin/logon== script enables this. If you are using Apache Login, the ==bin/logon== script must be setup in the Apache configuration or ==bin/.htaccess== file to be a script which requires a =valid user=. Once authenticated, it will redirect the user to the view URL for the page from which the =logon= script was linked.
#TrackSessions
---++ Sessions
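Review bot: In the last numbered step, "use ... the =foswiki/bin-htaccess.txt= file to set the following Apache directives" no longer names something Apache reads: the .txt sample has no effect until it is copied to =foswiki/bin/.htaccess=. Suggest "or copy =foswiki/bin-htaccess.txt= to =foswiki/bin/.htaccess=" so the step points at the file that actually enforces "require valid-user". The bin/logon paragraph lower in the same hunk already refers to ==bin/.htaccess==, so the two would then agree.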
@@ -218,7 +218,7 @@ If the ={PasswordManager}= does not support password changing, ChangeEmailAddres
---++ Controlling access to individual scripts
You may want to add or remove scripts from the list of scripts that require authentication. The method for doing this is different for each of Template Login and Apache Login. %T% Any scripts listed as requiring authentication will not be usable by the Guest user. If you require that %USERSWEB%.WikiGuest be allowed to edit topics on your site, =edit= and =save= must be removed from the list of scripts requiring authentication.
* For Template Login, update the ={AuthScripts}= list using [[%SCRIPTURLPATH{"configure"}%#Login$SecurityAndAuthentication][configure]]
* For Apache Login, add/remove the script from =.htaccess=, or from the !FilesMatch line in the Apache configuration.
* For Apache Login, add/remove the script from =bin/.htaccess=, or from the !FilesMatch line in the Apache configuration.
#HowTo
---++ How to choose an authentication method
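Review bot: The Apache Login bullet says to add/remove the script "from =bin/.htaccess=" but names the directive only for the server-configuration case. Suggest "from the !FilesMatch line in =bin/.htaccess= or in the Apache configuration", so a reader editing the file knows which line controls which scripts require authentication.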
@@ -1,15 +1,15 @@
# Example httpd.conf file for Foswiki.
#
# You are recommended to take a copy of this file and edit
# You are recommended to use http://foswiki.org/Support/ApacheConfigGenerator
# to help you configure Apache.
#
# You could also take a copy of this file and edit
# the paths to match your installation. Most Linux distributions are setup so
# Apache includes all config files that ends with .conf within a specific
# directory. If your distribution does not have this feature then add:
# include "/var/www/foswiki/foswiki_httpd.conf"
# to the end of your main httpd.conf file.
#
# See also http://foswiki.org/Support/ApacheConfigGenerator
# that helps you configure Apache
# The first parameter will be part of the URL to your installation e.g.
# http://example.com/foswiki/bin/view/...
# The second parameter must point to the physical path on your disk. Be
@@ -4,7 +4,7 @@ AUTHORS 0444
COPYING 0444
COPYRIGHT 0444
LICENSE 0444
bin/.htaccess.txt 0644
bin-htaccess.txt 0444
bin/LocalLib.cfg.txt 0644
bin/attach 0555
bin/changes 0555
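Review bot: The sample's manifest entry goes from "bin/.htaccess.txt 0644" to "bin-htaccess.txt 0444", so the mode changes along with the name, while the commit message mentions only making the examples consistent. If read-only is intended (it matches the neighbouring 0444 entries), note the mode change in the commit message so it does not look accidental.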
@@ -1024,7 +1024,6 @@ tools/extension_installer 0555
tools/geturl.pl 0555
tools/rewriteshebang.pl 0555
tools/tick_foswiki.pl 0555
working/.htaccess 0660
working/README 0444
working/registration_approvals/README 0444
working/tmp/README 0444
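Review bot: Dropping "working/.htaccess 0660" from the manifest means working/ ships with no access-control file of its own. On an .htaccess-based install it is then protected only after the administrator copies subdir-htaccess.txt there, as the updated guide table asks. Since working/ contains registration_approvals and tmp, suggest either keeping a default deny file in working/ or calling the change out in the release notes so the directory is not left web-readable by default.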
This file was deleted.
