Item13124: Address some Apache 2.4 issues
Apache 2.4 complains if AuthType is configured without requiring user
auth. Comment it out.

Add comment reminding user to enable mod_access_compat

Remove the Configuration for bin/configure.
gac410 committed Jan 11, 2015
1 parent 48205e3 commit a7cf2fd
Showing 2 changed files with 33 additions and 135 deletions.
82 changes: 9 additions & 73 deletions core/bin-htaccess.txt
@@ -1,5 +1,8 @@
# Sample bin/.htaccess file. If you require .htaccess files for your apache
# configuration, tailor this file using the below instructions.
#
# Apache 2.4 users. This file is built for Apache 2.2. If you use Apache
# 2.4, you must enable mod_access_compat for backwards compatiblility
#
############### TAILORING INSTRUCTIONS #################
#
Expand All @@ -13,7 +16,6 @@
# {WorkingDir}
# {DefaultUrlHost}
# {ScriptUrlPath}
# {Administrators}
#
# Replace {DataDir} with the full path of the Topic files store (file path, not
# URL) e.g. /usr/local/foswiki/data Do not include a trailing slash. Do not
Expand All @@ -39,21 +41,6 @@
# http://myhost.com:123/foswiki/cgi-bin/view
# {DefaultUrlHost }{ScriptUrlPath }/view
#
# Replace {Administrators} with a space-separated list of the login
# name(s) of the person(s) allowed to run the configure script
# e.g. admin configure root superhero
#
# Foswiki ships an example .htdigest file containing just the "admin" user
# with an empty password. To activate it:
# Copy htdigest-configure.txt from the Foswiki installation directory to the
# working/configure directory, renaming it to .htdigest-configure (Note
# leading period.
#
# Other users must be added to .htdigest manually. See the "htdigest" shell
# command provided by apache.
#
# Previous versions of Foswiki shared a common .htpasswd file between Wiki users and the
# configure admin user. It is recommented to separate these roles.
#
# When this file has been completely tailored, complete your configuration at:
# {DefaultUrlHost}{ScriptUrlPath}/configure
Expand Down Expand Up @@ -86,10 +73,10 @@ SetHandler cgi-script
# Password file for Foswiki users
#

# Authentication type (htpasswd file) (comment out this if you configure htpasswd / LDAP support)
AuthUserFile {DataDir}/.htpasswd
AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
# Authentication type (htpasswd file) Uncomment this block if you are using Apache controlled login.
#AuthUserFile {DataDir}/.htpasswd
#AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
#AuthType Basic

#for htdigest password suport uncomment the following
#AuthDigestDomain / {DefaultUrlHost}
Expand Down Expand Up @@ -129,57 +116,6 @@ ErrorDocument 401 {ScriptUrlPath}/view/System/UserRegistration
# This also unsets any options allowing directory indexing etc.
Options ExecCGI FollowSymLinks

# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# IP addresses are entered space delimited, and can wildcarded by
# omitting octets from the end, ie, Allow from 127 192.168
# The configure script is designed for administrators only.
# The script itself and the information it reveals can be abused by
# attackers if not properly protected against public access.
# - ErrorDocument should point to apache default - redirecting to a Foswiki
# script may not be functional yet.

# Replace {Administrators} with the login name of the administrator. By default this
# configuration will use the same password file as Foswiki. So a user MUST
# have been registered in data/.htpasswd before the "Require user" will pass.
# If no user is registered, then access is only granted by IP address.
# Or.. enable the optional configure digest authentication described below.

<FilesMatch "configure.*">
SetHandler cgi-script
ErrorDocument 401 default
ErrorDocument 404 default
Order Deny,Allow
Deny from all
# Set the next line as follows:
# - All, then both the required usesr AND the client ip address must match
# - Any, then either the required user, OR the client ip address must match
Satisfy All
Require user {Administrators}
Allow from 127.0.0.1 192.168.1.10

# The following optional configuration will further protect your
# configuration. "admin" is the super user identification.
# A sample htdigest file is shipped with Foswiki in the installation
# directory: htdigest-configure.txt. It contains a single Userid "admin"
# with no password set.

# When the admin password is saved in configure, this file password will be synchronized.
# Note that only this specific file in the {WorkingDir}/configure is updated, and if
# you choose to use it, it should be kept separate from the .htpasswd file
# in the data directory.

# Copy htdigest-configure.txt -> working/configure/.htdigest-confikgure.
# Then un-comment the below settings.
# And, for the initial login to configure, enter user admin, with no password.

#AuthType Digest
#AuthDigestProvider file
#AuthUserFile {WorkingDir}/configure/.htdigest-configure
#AuthName 'Foswiki System Configuration'
#BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
</FilesMatch>

# These are scripts that might change content. The regular expression uses ".*"
# at the end so it matches the scripts even if you had to add a .cgi or .pl
# extension. If you want to require login for any other scripts, modify the
Expand All @@ -191,8 +127,8 @@ Options ExecCGI FollowSymLinks

# When using Apache type login the following defines the Foswiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view, resetpasswd & passwd are not authenticated.
# scripts such as view, resetpasswd, rest, jsonrpc & passwd are not authenticated.
# (un-comment to activate)
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
# require valid-user
#</FilesMatch>
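Review bot: With the `<FilesMatch "configure.*">` block deleted in the hunk at `@@ -129,57 +116,6 @@`, this sample no longer says anything about how access to the configure script is restricted, so an administrator who updates an existing .htaccess from it drops the `Deny from all` / `Require user {Administrators}` guard with nothing stated in its place; the same applies to the matching deletion in core/foswiki_httpd_conf.txt. Presumably configure is now guarded by Foswiki itself in this release, but the file should say so where the block was, e.g. `# Access to bin/configure is no longer restricted here; see <where configure protection now lives>`, so the removal is safe to follow. The new header line in the first hunk also misspells `compatiblility`; `compatibility` is meant.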
86 changes: 24 additions & 62 deletions core/foswiki_httpd_conf.txt
@@ -1,7 +1,11 @@
# Example httpd.conf file for Foswiki.
#
# You are recommended to use http://foswiki.org/Support/ApacheConfigGenerator
# to help you configure Apache.
# to help you configure Apache. The ApacheConfigGenerator is set up to support
# Short URLs and other important features.
#
# ### APACHE 2.4 Users. This configuration requires mod_access_compat to be
# enabled for backwards compatbility. This is an Apache 2.2 configuration.
#
# You could also take a copy of this file and edit
# the paths to match your installation. Most Linux distributions are setup so
Expand Down Expand Up @@ -65,7 +69,7 @@ BrowserMatchNoCase ^$ blockAccess
# You can also set this environment variable for public sites, to
# prevent Google and other search engines' bots. However, these tend
# to index your site a lot less often than the Google Search Appliance.
BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION
#BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION


# This specifies the options on the Foswiki scripts directory. The ExecCGI
Expand All @@ -82,17 +86,28 @@ BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION
Options ExecCGI FollowSymLinks
SetHandler cgi-script

# Password file for Foswiki users
AuthUserFile /var/www/foswiki/data/.htpasswd
AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
# When using Apache type login the below blocks define the Foswiki scripts
# that makes Apache ask the browser to authenticate, and the locations of
# the Password files.

# Password file for Foswiki users. Uncomment if using Apache based login
#AuthUserFile /var/www/foswiki/data/.htpasswd
#AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
#AuthType Basic

# Also uncomment this block for Apache login. Be sure that all scripts that you want to authenticate are matched here:
# It is normal not to authenticate view, rest and jsonrpc.
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
# require valid-user
#</FilesMatch>

#for htdigest password suport uncomment the following
# For htdigest authentication suport uncomment the following block
# as an alternative to the Password file block and replace
# {DefaultUrlHost} with your default URL host http://yoursite.com
#AuthDigestDomain / {DefaultUrlHost}
#AuthDigestFile {DataDir}/.htdigest
#AuthDigestFile /var/www/foswiki/data/.htdigest
#BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
#AuthDigestProvider file
#AuthUserFile {DataDir}/.htpasswd
# For "Digest" authentication to work properly, this string must match
# the value of configuration variable $authRealm
#AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
Expand All @@ -108,59 +123,6 @@ BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION
# to redirect them to the ResetPassword page.
# ErrorDocument 401 /foswiki/bin/view/System/ResetPassword

# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# The configure script is designed for administrators only.
# The script itself and the information it reveals can be abused by
# attackers if not properly protected against public access

# Replace JohnDoe with the login name of the administrator. By default this
# configuration will use the same password file as Foswiki. So a user MUST
# have been registered in data/.htpasswd before the "Require user" will pass.
# If no user is registered, then access is only granted by IP address.
# Or.. enable the optional configure digest authentication described below.

<FilesMatch "^configure.*">
ErrorDocument 401 default
ErrorDocument 404 default
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168.1.10
Require user JohnDoe
Satisfy Any

# The following optional configuration will further protect your
# configuration. "admin" is default super user identification.
# A sample htdigest file is shipped with Foswiki in the installation
# directory: htdigest-configure.txt. It contains a single Userid "admin"
# with no password set.

# When the admin password is saved in configure, this file password will be synchronized.
# Note that only this specific file in the {WorkingDir}/configure is updated, and if
# you choose to use it, it should be kept separate from the .htpasswd file
# in the data directory.

# Copy htdigest-configure.txt -> working/configure/.htdigest-confikgure.
# Then un-comment the below settings.
# And, for the initial login to configure, enter user admin, with no password.

#AuthType Digest
#AuthDigestProvider file
#AuthUserFile {WorkingDir}/configure/.htdigest-configure
#AuthName 'Foswiki System Configuration'
#BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

</FilesMatch>

# When using Apache type login the following defines the Foswiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view, resetpasswd & passwd are not authenticated.
# (un-comment to activate)
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
# require valid-user
#</FilesMatch>

</Directory>
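Review bot: In the digest block of the hunk at `@@ -82,17 +86,28 @@`, `#AuthUserFile {DataDir}/.htpasswd` keeps the `{DataDir}` placeholder and points at the htpasswd file, even though the line above it was just changed to the literal `/var/www/foswiki/data/.htdigest` and every other path in this sample is literal. With `AuthDigestProvider file`, Apache 2.2's mod_auth_digest reads its credentials from AuthUserFile, so an administrator who uncomments the block as written would hand it an htpasswd file where an htdigest-format file is expected; `#AuthUserFile /var/www/foswiki/data/.htdigest` would agree with the rest of the block. The new comment line `# For htdigest authentication suport uncomment the following block` also misspells `support`. The enclosing `<Directory>` block starts outside this hunk.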


