# Autogenerated httpd.conf file for Foswiki.
# Generated at http://foswiki.org/Support/ApacheConfigGenerator?

vhost=wiki.mydomain.com;port=;dir=/var/lib/foswiki;symlink=;pathurl=/;shorterurls=enabled;engine=CGI;fastcgimodule=fastcgi;apver=2;allowconf=;requireconf=;lo

ginmanager=Template;htpath=;errordocument=UserRegistration;errorcustom=;phpinstalled=PHP4;blockpubhtml=on;blocktrashpub=on;controlattach=on;blockspiders=on;f

oswikiversion=1.1

# For Foswiki version 1.1




<VirtualHost *:443>

    ServerAdmin [email protected]
    DocumentRoot "/var/lib/foswiki"
    ServerName wiki.mydomain.com
    ServerAlias wiki.mydomain.com
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

# The Alias defines a url that points to the root of the Foswiki installation.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/foswiki/bin/view/...
# The second parameter must point to the physical path on your disc.


ScriptAlias /bin "/var/lib/foswiki/bin"

# The following Alias is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
# If short URLs are enabled, and any other local directories or files need to be accessed directly, they
# must also be specified in an Alias statement, and must not conflict with a web name.

Alias /pub "/var/lib/foswiki/pub"
Alias /robots.txt "/var/lib/foswiki/robots.txt"
 RewriteEngine on
#  Rewriting is required for Short URLs, and Attachment redirecting to viewfile
#RewriteEngine    on
#RewriteLog "/var/log/apache/rewrite.log"
#RewriteLogLevel 0


# short urls
Alias / "/var/lib/foswiki/bin/view/"
RewriteRule ^/+bin/+view/+(.*) /$1 [L,NE,R]
RewriteRule ^/+bin/+view$ / [L,NE,R]


#
# Dont rewrite any other /bin URLs
#
RewriteRule ^/bin/(.*)$ - [L,PT]                     #  bin, stop rewriting

#
# Dont rewrite internal requests or robots.txt
#
RewriteCond %{IS_SUBREQ} ^true$ [OR]
RewriteCond %{REQUEST_URI} ^/robots.txt$
RewriteRule .* - [L]

#
#  Protect attachments by rewriting to the "viewfile" script
#

#  Permit some safe exceptions to avoid viewfile overhead
#  Any gif/jpg/ico in /pub, and any files in /pub/System or any WebPreferences:
#  pass through unmodified
RewriteCond  %{REQUEST_URI} ^/pub/[^/]+\.(gif|jpe?g|ico)$  [NC,OR]
RewriteCond  %{REQUEST_URI} ^/pub/System/(.*)$  [OR]
RewriteCond  %{REQUEST_URI} ^/pub/([^/]+/)+WebPreferences/([^/]+)$
RewriteRule  ^/pub/.* - [L,PT]



# Optional - do not rewrite /pub/images if ImageGalleryPlugin is installed - path is incompatible with viewfile
#RewriteRule ^/+pub/+images/+.*$ - [L,PT]

# If it makes it here, rewrite as viewfile
RewriteRule ^/+pub/+(.*)$  /bin/viewfile/$1 [L,PT]


# Block access to typical spam related attachments
# Except the Foswiki directory which is read only and does have attached html files.
SetEnvIf Request_URI "/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
SetEnvIf Request_URI "/pub/System/.*\.[hH][tT][mM][lL]?$" !blockAccess

# This enables access to the documents in the Foswiki root directory
<Directory "/var/lib/foswiki">
  #  Order Allow,Deny
  #  Allow from all
  #  Deny from env=blockAccess
Order deny,allow

Deny from all
##Order allow,deny
#Allow from 10.8.
#Allow from 10.8.0.0
#Allow from 10.8.0.1
#Allow from 127.0.0.1

</Directory>



# This specifies the options on the Foswiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
# Note:  If you use SELinux, you also have to "Allow httpd cgi support" in your SELinux policies

<Directory "/var/lib/foswiki/bin">
Order deny,allow

Deny from all
    Options +ExecCGI  -FollowSymLinks
    SetHandler cgi-script

    # Password file for Foswiki users
   AuthUserFile "/var/lib/foswiki/data/.htpasswd"
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 /System/UserRegistration

    # Limit access to configure to specific IP address(es) and user(s).
    # Make sure configure is not open to the general public.
    # It exposes system details that can help attackers.
    # cf. http://foswiki.org/Support/ProtectingYourConfiguration for details.
    <FilesMatch "^(configure)$">
        #SetHandler cgi-script
        #Satisfy All
        SetHandler cgi-script
        Order Deny,Allow
        Deny from all
        Require user epross
        Satisfy Any
        ErrorDocument 401 default
    </FilesMatch>
#       <FilesMatch ".*">
#              require valid-user
#       </FilesMatch>
</Directory>

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by Foswiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/lib/foswiki/pub">
    Options None
    Options -FollowSymLinks
    AllowOverride None
#    Order Allow,Deny
#    Allow from all
Order deny,allow

Deny from all
   Deny from env=blockAccess
    ErrorDocument 404 /bin/viewfile

    # Disable execution of PHP scripts
    php_admin_flag engine off

    # This line will redefine the mime type for the most common types of scripts
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
   #
   #add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
   # reducing the load on the server significantly
   #IF you can, you should enable this - it _will_ improve your Foswiki experience, even if you set it to under one day.
   # you may need to enable expires_module in your main apache config
   #LoadModule expires_module libexec/httpd/mod_expires.so
   #AddModule mod_expires.c
   #<ifmodule mod_expires.c>
   #  <filesmatch "\.(jpe?g|gif|png|css(\.gz)?|js(\.gz)?|ico)$">
   #       ExpiresActive on
   #       ExpiresDefault "access plus 11 days"
   #   </filesmatch>
   #</ifmodule>
   #
   # Serve pre-compressed versions of .js and .css files, if they exist
   # Some browsers do not handle this correctly, which is why it is disabled by default
   # <FilesMatch "\.(js|css)$">
   #         RewriteEngine on
   #         RewriteCond %{HTTP:Accept-encoding} gzip
   #         RewriteCond %{REQUEST_FILENAME}.gz -f
   #         RewriteRule ^(.*)$ %{REQUEST_URI}.gz [L,QSA]
   # </FilesMatch>
   # <FilesMatch "\.(js|css)\?.*$">
   #         RewriteEngine on
   #         RewriteCond %{HTTP:Accept-encoding} gzip
   #         RewriteCond %{REQUEST_FILENAME}.gz -f
   #         RewriteRule ^([^?]*)\?(.*)$ $1.gz?$2 [L]
   # </FilesMatch>
   # <FilesMatch "\.js\.gz(\?.*)?$">
   #         AddEncoding x-gzip .gz
   #         AddType application/x-javascript .gz
                                                          # </FilesMatch>
   # <FilesMatch "\.css\.gz(\?.*)?$">
   #         AddEncoding x-gzip .gz
   #         AddType text/css .gz
   # </FilesMatch>


</Directory>

# Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
# We prevent viewing any attachments directly from pub
<Directory "/var/lib/foswiki/pub/Trash">
        deny from all
</Directory>

# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.
<Directory "/var/lib/foswiki/data">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/templates">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/lib">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/locale">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/tools">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/working">
    deny from all
</Directory>

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
# including its own topics as URLs and also prevents other Foswikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying to crawl your Foswiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess


BrowserMatchNoCase ^Accoona blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase BecomeBot blockAccess
BrowserMatchNoCase ^bot blockAccess
BrowserMatchNoCase Charlotte/ blockAccess
BrowserMatchNoCase ^ConveraCrawler blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^e-SocietyRobot blockAccess
BrowserMatchNoCase ^Exabot blockAccess
BrowserMatchNoCase ^FAST blockAccess
BrowserMatchNoCase ^FDM blockAccess
BrowserMatchNoCase ^GetRight/6.0a blockAccess
BrowserMatchNoCase ^GetWebPics blockAccess
BrowserMatchNoCase ^Gigabot blockAccess
BrowserMatchNoCase ^gonzo1 blockAccess
BrowserMatchNoCase ^Google\sSpider blockAccess
BrowserMatchNoCase ^ichiro blockAccess
BrowserMatchNoCase ^ie_crawler blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^IRLbot blockAccess
BrowserMatchNoCase Jakarta blockAccess
BrowserMatchNoCase ^Java blockAccess
BrowserMatchNoCase ^KrakSpider blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^LinkWalker blockAccess
BrowserMatchNoCase ^Lsearch blockAccess
BrowserMatchNoCase ^Microsoft blockAccess
BrowserMatchNoCase MJ12bot blockAccess
BrowserMatchNoCase MSIECrawler blockAccess
BrowserMatchNoCase ^MSRBOT blockAccess
BrowserMatchNoCase ^noxtrumbot blockAccess
BrowserMatchNoCase ^NutchCVS blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Rome blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^schibstedsokbot blockAccess
BrowserMatchNoCase ^Seekbot blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^Snapbot blockAccess
BrowserMatchNoCase ^sogou blockAccess
BrowserMatchNoCase ^SpiderKU blockAccess
BrowserMatchNoCase ^SpiderMan blockAccess
BrowserMatchNoCase ^Squid blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^User-Agent\: blockAccess
BrowserMatchNoCase VoilaBot blockAccess
BrowserMatchNoCase ^voyager blockAccess
BrowserMatchNoCase ^w3search blockAccess
BrowserMatchNoCase ^Web\sDownloader blockAccess
BrowserMatchNoCase ^WebCopier blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^WebSec blockAccess
BrowserMatchNoCase ^WebVac blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Wells blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase www\.netforex\.org blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^yacybot blockAccess
BrowserMatchNoCase ^ZIBB blockAccess

# Setting the NO_FOSWIKI_SESSION environment variable prevents a
# session being created for the Google Search Appliance bot. This
# is useful if you have the Google Search Appliance installed on
# your intranet, as they can be very aggressive when indexing, creating
# a lot of session files and slowing Foswiki down.
# You can also set this environment variable for public sites, to
# prevent Google and other search engines' bots. However, these tend
# to index your site a lot less often than the Google Search Appliance.
# *Works on Foswiki 1.1 and later only*
BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION



BrowserMatchNoCase ^$ blockAccess

</VirtualHost>