wiki-archive/twiki/bin/.htaccess.txt

98 lines
4.4 KiB
Plaintext
Raw Normal View History

# bin/.htaccess.txt
#
# Controls access to TWiki scripts - to make Apache use it, rename this
# file to '.htaccess' and REPLACE THE FOLLOWING STRINGS WHEREVER YOU SEE
# THEM IN THIS FILE WITH PATHS SPECIFIC TO YOUR INSTALLATION.
# Most required values can be seen in the Path Settings section of
# =configure=.
#
# Replace {DataDir} with the value from =configure=
# Replace {DefaultUrlHost} with the value from =configure=
# Replace {ScriptUrlPath} with the value from =configure=
# Replace {Administrators} with a space-separated list of the login
# name(s) of the person(s) allowed to run the configure script
# e.g. admin root superhero
# We set an environment variable called anonymous_spider
# Setting a BrowserMatchNoCase to ^$ is important. It prevents TWiki from
# including its own topics as URLs and also prevents other TWikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a twiki
# Example:
# BrowserMatchNoCase ^SiteSucker anonymous_spider
BrowserMatchNoCase ^$ anonymous_spider
# Now set default access rights.
Order Allow,Deny
Allow from all
Deny from env=anonymous_spider
# Use CGI & Perl to handle all files in 'bin' directory, i.e. run as scripts
# - this should remove the need to rename files to end in '.pl' etc,
# if your web hosting provider permits this. Remove if using mod_perl.
SetHandler cgi-script
# Password file for TWiki users
#
# Authentication type (htpasswd file) (comment out this if you configure htpasswd / LDAP support)
AuthUserFile {DataDir}/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
#for htdigest password suport uncomment the following
#AuthDigestDomain {DefaultUrlHost}{ScriptUrlPath}/viewauth {DefaultUrlHost}{ScriptUrlPath}/edit {DefaultUrlHost}{ScriptUrlPath}/preview {DefaultUrlHost}{ScriptUrlPath}/save {DefaultUrlHost}{ScriptUrlPath}/attach {DefaultUrlHost}{ScriptUrlPath}/upload {DefaultUrlHost}{ScriptUrlPath}/rename {DefaultUrlHost}{ScriptUrlPath}/manage {DefaultUrlHost}{ScriptUrlPath}/installpasswd {DefaultUrlHost}{ScriptUrlPath}/passwd
#AuthDigestFile {DataDir}/.htdigest
# For "Digest" authentication to work properly, this string must match
# the value of configuration variable $authRealm
#AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
#AuthType Digest
#for LDAP password support uncomment the following (and fix up the paths)
#AuthLDAPURL ldap://yourldapserver/dc=yourldapserver,dc=com?uid?sub?(objectClass=posixAccount)
#AuthLDAPGroupAttribute memberUid
#AuthLDAPGroupAttributeIsDN off
#<Limit GET POST PUT>
# require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
#</Limit>
#AuthName ByPassword
#AuthType Basic
# File to return on access control error (e.g. wrong password)
# By convention this is the TWikiRegistration page, that allows users
# to register with the TWiki. Apache requires this to be a *local* path.
ErrorDocument 401 {ScriptUrlPath}/view/TWiki/TWikiRegistration
# Set options for excuting CGI and allow symlinks for e.g. viewauth
# This also unsets any options allowing directory indexing etc.
Options ExecCGI FollowSymLinks
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# The configure script is designed for administrators only.
# The script itself and the information it reveals can be abused by
# attackers if not properly protected against public access.
<FilesMatch "configure.*">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from 127.0.0.1, 192.168.1.10
Require user {Administrators}
Satisfy Any
</FilesMatch>
# These are scripts that might change content. The regular expression uses ".*"
# at the end so it matches the scripts even if you had to add a .cgi or .pl
# extension. If you want to require login for any other scripts, modify the
# regular expression below as appropriate.
# NB. The resetpasswd & passwd scripts are used to reset and change passwords.
# They do their own validation of the user and therefore
# should not use "require valid-user"
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
require valid-user
</FilesMatch>