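# Autogenerated httpd.conf file for Foswiki.
# Generated at http://foswiki.org/Support/ApacheConfigGenerator?vhost=wiki.mydomain.com;port=;dir=/var/lib/foswiki;symlink=;pathurl=/;shorterurls=enabled;engine=CGI;fastcgimodule=fastcgi;apver=2;allowconf=;requireconf=;loginmanager=Template;htpath=;errordocument=UserRegistration;errorcustom=;phpinstalled=PHP4;blockpubhtml=on;blocktrashpub=on;controlattach=on;blockspiders=on;foswikiversion=1.1
# For Foswiki version 1.1
#
# NOTE(review): the line breaks in this listing were reconstructed from a
# collapsed copy. Before relying on it, confirm against the deployed file which
# directives are active and which are commented out.
#
# NOTE(review): Order / Allow / Deny / Satisfy are Apache 2.2-style access
# directives. On Apache 2.4 they are provided by mod_access_compat; confirm the
# server version and that the module is loaded.

<VirtualHost *:443>
    # Placeholder: the contact address on the page was replaced by e-mail
    # obfuscation ("[email protected]"), which is not a valid single argument.
    # Set the real administrator address here.
    ServerAdmin webmaster@example.invalid
    DocumentRoot "/var/lib/foswiki"
    ServerName wiki.mydomain.com
    ServerAlias wiki.mydomain.com

    SSLEngine On
    # No SSLCertificateKeyFile is given, so the private key has to be in this
    # same PEM file; keep it readable by root only.
    # NOTE(review): no SSLProtocol / SSLCipherSuite is set in this vhost, so
    # protocol and cipher policy come from the server-wide configuration -
    # verify them there.
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    # The Alias defines a url that points to the root of the Foswiki installation.
    # The first parameter will be part of the URL to your installation e.g.
    # http://my.co.uk/foswiki/bin/view/...
    # The second parameter must point to the physical path on your disc.
    ScriptAlias /bin "/var/lib/foswiki/bin"

    # The following Alias is used to access files in the pub directory (attachments etc)
    # It must come _after_ the ScriptAlias.
    # If short URLs are enabled, and any other local directories or files need to be accessed directly, they
    # must also be specified in an Alias statement, and must not conflict with a web name.
    Alias /pub "/var/lib/foswiki/pub"
    Alias /robots.txt "/var/lib/foswiki/robots.txt"

    RewriteEngine on
    # Rewriting is required for Short URLs, and Attachment redirecting to viewfile
    #RewriteEngine on
    #RewriteLog "/var/log/apache/rewrite.log"
    #RewriteLogLevel 0

    # short urls
    Alias / "/var/lib/foswiki/bin/view/"
    RewriteRule ^/+bin/+view/+(.*) /$1 [L,NE,R]
    RewriteRule ^/+bin/+view$ / [L,NE,R]

    #
    # Dont rewrite any other /bin URLs (bin, stop rewriting)
    #
    RewriteRule ^/bin/(.*)$ - [L,PT]

    #
    # Dont rewrite internal requests or robots.txt
    #
    RewriteCond %{IS_SUBREQ} ^true$ [OR]
    RewriteCond %{REQUEST_URI} ^/robots.txt$
    RewriteRule .* - [L]

    #
    # Protect attachments by rewriting to the "viewfile" script
    #
    # Permit some safe exceptions to avoid viewfile overhead
    # Any gif/jpg/ico in /pub, and any files in /pub/System or any WebPreferences:
    # pass through unmodified
    #
    # Requests matching these conditions are served straight from /pub and never
    # reach viewfile, so Foswiki topic access controls are not applied to them;
    # only the <Directory ".../pub"> block below governs them. The first
    # condition matches image files directly under /pub only, not in
    # subdirectories.
    RewriteCond %{REQUEST_URI} ^/pub/[^/]+\.(gif|jpe?g|ico)$ [NC,OR]
    RewriteCond %{REQUEST_URI} ^/pub/System/(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/pub/([^/]+/)+WebPreferences/([^/]+)$
    RewriteRule ^/pub/.* - [L,PT]

    # Optional - do not rewrite /pub/images if ImageGalleryPlugin is installed - path is incompatible with viewfile
    #RewriteRule ^/+pub/+images/+.*$ - [L,PT]

    # If it makes it here, rewrite as viewfile
    RewriteRule ^/+pub/+(.*)$ /bin/viewfile/$1 [L,PT]

    # Block access to typical spam related attachments
    # Except the Foswiki directory which is read only and does have attached html files.
    # The first SetEnvIf flags any /pub URL ending in .htm or .html; the second
    # clears the flag again for /pub/System.
    SetEnvIf Request_URI "/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
    SetEnvIf Request_URI "/pub/System/.*\.[hH][tT][mM][lL]?$" !blockAccess

    # This enables access to the documents in the Foswiki root directory
    #
    # NOTE(review): as written, every Allow line below is commented out, so
    # "Order deny,allow" + "Deny from all" refuses all clients by address.
    # "Deny from env=blockAccess" is also commented out here, so the blockAccess
    # flag has no effect in this block. Confirm this lock-down is intended; if
    # access is reopened, prefer a narrow Allow list over "Allow from all".
    <Directory "/var/lib/foswiki">
        # Order Allow,Deny
        # Allow from all
        # Deny from env=blockAccess
        Order deny,allow
        Deny from all
        ##Order allow,deny
        #Allow from 10.8.
        #Allow from 10.8.0.0
        #Allow from 10.8.0.1
        #Allow from 127.0.0.1
    </Directory>

    # This specifies the options on the Foswiki scripts directory. The ExecCGI
    # and SetHandler tell apache that it contains scripts.
    # Unlike the generator default ("Allow from all"), this block uses
    # "Deny from all" with no Allow and no directory-level Require, so with the
    # default Satisfy All every script except configure (see the FilesMatch
    # below) is refused - including viewfile, which the /pub rewrite targets.
    # Note: If you use SELinux, you also have to "Allow httpd cgi support" in your SELinux policies
    <Directory "/var/lib/foswiki/bin">
        Order deny,allow
        Deny from all

        Options +ExecCGI -FollowSymLinks
        SetHandler cgi-script

        # Password file for Foswiki users
        # It lives under data/, which is set to "deny from all" further down, so
        # it is not served as a URL.
        AuthUserFile "/var/lib/foswiki/data/.htpasswd"
        AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
        # Basic auth sends the password with every request in a reversible
        # encoding, so it is only acceptable over TLS (this vhost is *:443 with
        # SSLEngine On).
        # NOTE(review): confirm no plain-HTTP vhost serves these same paths.
        AuthType Basic

        # File to return on access control error (e.g. wrong password)
        ErrorDocument 401 /System/UserRegistration

        # Limit access to configure to specific IP address(es) and user(s).
        # Make sure configure is not open to the general public.
        # It exposes system details that can help attackers.
        # cf. http://foswiki.org/Support/ProtectingYourConfiguration for details.
        #
        # "Satisfy Any" accepts a request when EITHER the host check OR the user
        # check passes. With "Deny from all" and no Allow, only the password
        # check for user "epross" can succeed, so configure is reachable from
        # any address with that one credential. Adding an Allow line here would
        # let that host in WITHOUT a password. To require both an allowed
        # address and the user, use "Satisfy All" together with an Allow list.
        <FilesMatch "^(configure)$">
            #SetHandler cgi-script
            #Satisfy All
            SetHandler cgi-script
            Order Deny,Allow
            Deny from all
            Require user epross
            Satisfy Any
            ErrorDocument 401 default
        </FilesMatch>

        # <FilesMatch ".*">
        # require valid-user
        # </FilesMatch>
    </Directory>

    # This sets the options on the pub directory, which contains attachments and
    # other files like CSS stylesheets and icons. AllowOverride None stops a
    # user installing a .htaccess file that overrides these options.
    # Note that files in pub are *not* protected by Foswiki Access Controls,
    # so if you want to control access to files attached to topics you need to
    # block access to the specific directories same way as the ApacheConfigGenerator
    # blocks access to the pub directory of the Trash web
    <Directory "/var/lib/foswiki/pub">
        Options None
        Options -FollowSymLinks
        AllowOverride None
        # Order Allow,Deny
        # Allow from all
        # NOTE(review): "Deny from all" already refuses every client, which
        # makes "Deny from env=blockAccess" redundant as written. The env-based
        # rule only matters once an Allow is restored, so keep it in place.
        Order deny,allow
        Deny from all
        Deny from env=blockAccess
        ErrorDocument 404 /bin/viewfile

        # Disable execution of PHP scripts
        # php_admin_flag is provided by mod_php.
        # NOTE(review): if mod_php is not loaded, Apache rejects this directive
        # at startup - confirm the module is present.
        php_admin_flag engine off

        # This line will redefine the mime type for the most common types of scripts
        # Serving these extensions as text/plain keeps uploaded attachments from
        # being handed to a script handler by extension.
        AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi

        #
        #add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
        # reducing the load on the server significantly
        #IF you can, you should enable this - it _will_ improve your Foswiki experience, even if you set it to under one day.
        # you may need to enable expires_module in your main apache config
        #LoadModule expires_module libexec/httpd/mod_expires.so
        #AddModule mod_expires.c
        #<ifmodule mod_expires.c>
        # <filesmatch "\.(jpe?g|gif|png|css(\.gz)?|js(\.gz)?|ico)$">
        # ExpiresActive on
        # ExpiresDefault "access plus 11 days"
        # </filesmatch>
        #</ifmodule>
        #
        # Serve pre-compressed versions of .js and .css files, if they exist
        # Some browsers do not handle this correctly, which is why it is disabled by default
        # <FilesMatch "\.(js|css)$">
        # RewriteEngine on
        # RewriteCond %{HTTP:Accept-encoding} gzip
        # RewriteCond %{REQUEST_FILENAME}.gz -f
        # RewriteRule ^(.*)$ %{REQUEST_URI}.gz [L,QSA]
        # </FilesMatch>
        # <FilesMatch "\.(js|css)\?.*$">
        # RewriteEngine on
        # RewriteCond %{HTTP:Accept-encoding} gzip
        # RewriteCond %{REQUEST_FILENAME}.gz -f
        # RewriteRule ^([^?]*)\?(.*)$ $1.gz?$2 [L]
        # </FilesMatch>
        # <FilesMatch "\.js\.gz(\?.*)?$">
        # AddEncoding x-gzip .gz
        # AddType application/x-javascript .gz
        # </FilesMatch>
        # <FilesMatch "\.css\.gz(\?.*)?$">
        # AddEncoding x-gzip .gz
        # AddType text/css .gz
        # </FilesMatch>
    </Directory>

    # Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
    # We prevent viewing any attachments directly from pub
    <Directory "/var/lib/foswiki/pub/Trash">
        deny from all
    </Directory>

    # Security note: All other directories should be set so
    # that they are *not* visible as URLs, so we set them as =deny from all=.
    <Directory "/var/lib/foswiki/data">
        deny from all
    </Directory>

    <Directory "/var/lib/foswiki/templates">
        deny from all
    </Directory>

    <Directory "/var/lib/foswiki/lib">
        deny from all
    </Directory>

    <Directory "/var/lib/foswiki/locale">
        deny from all
    </Directory>

    <Directory "/var/lib/foswiki/tools">
        deny from all
    </Directory>

    <Directory "/var/lib/foswiki/working">
        deny from all
    </Directory>

    # We set an environment variable called blockAccess.
    #
    # Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
    # including its own topics as URLs and also prevents other Foswikis from
    # doing the same. This is important to prevent the most obvious
    # Denial of Service attacks.
    #
    # You can expand this by adding more BrowserMatchNoCase statements to
    # block evil browser agents trying to crawl your Foswiki
    #
    # Example:
    # BrowserMatchNoCase ^SiteSucker blockAccess
    # BrowserMatchNoCase ^$ blockAccess
    #
    # The User-Agent header is chosen by the client, so this list only deters
    # crawlers that identify themselves; it is load reduction, not access
    # control. In this file blockAccess is consulted only by
    # "Deny from env=blockAccess" in the pub block.
    # NOTE(review): broad prefixes such as ^Java, ^Microsoft, ^bot and Jakarta
    # may also match legitimate clients - confirm they are wanted.
    BrowserMatchNoCase ^Accoona blockAccess
    BrowserMatchNoCase ^ActiveAgent blockAccess
    BrowserMatchNoCase ^Attache blockAccess
    BrowserMatchNoCase BecomeBot blockAccess
    BrowserMatchNoCase ^bot blockAccess
    BrowserMatchNoCase Charlotte/ blockAccess
    BrowserMatchNoCase ^ConveraCrawler blockAccess
    BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
    BrowserMatchNoCase ^EmailCollector blockAccess
    BrowserMatchNoCase ^EmailSiphon blockAccess
    BrowserMatchNoCase ^e-SocietyRobot blockAccess
    BrowserMatchNoCase ^Exabot blockAccess
    BrowserMatchNoCase ^FAST blockAccess
    BrowserMatchNoCase ^FDM blockAccess
    BrowserMatchNoCase ^GetRight/6.0a blockAccess
    BrowserMatchNoCase ^GetWebPics blockAccess
    BrowserMatchNoCase ^Gigabot blockAccess
    BrowserMatchNoCase ^gonzo1 blockAccess
    BrowserMatchNoCase ^Google\sSpider blockAccess
    BrowserMatchNoCase ^ichiro blockAccess
    BrowserMatchNoCase ^ie_crawler blockAccess
    BrowserMatchNoCase ^iGetter blockAccess
    BrowserMatchNoCase ^IRLbot blockAccess
    BrowserMatchNoCase Jakarta blockAccess
    BrowserMatchNoCase ^Java blockAccess
    BrowserMatchNoCase ^KrakSpider blockAccess
    BrowserMatchNoCase ^larbin blockAccess
    BrowserMatchNoCase ^LeechGet blockAccess
    BrowserMatchNoCase ^LinkWalker blockAccess
    BrowserMatchNoCase ^Lsearch blockAccess
    BrowserMatchNoCase ^Microsoft blockAccess
    BrowserMatchNoCase MJ12bot blockAccess
    BrowserMatchNoCase MSIECrawler blockAccess
    BrowserMatchNoCase ^MSRBOT blockAccess
    BrowserMatchNoCase ^noxtrumbot blockAccess
    BrowserMatchNoCase ^NutchCVS blockAccess
    BrowserMatchNoCase ^RealDownload blockAccess
    BrowserMatchNoCase ^Rome blockAccess
    BrowserMatchNoCase ^Roverbot blockAccess
    BrowserMatchNoCase ^schibstedsokbot blockAccess
    BrowserMatchNoCase ^Seekbot blockAccess
    BrowserMatchNoCase ^SiteSnagger blockAccess
    BrowserMatchNoCase ^SiteSucker blockAccess
    BrowserMatchNoCase ^Snapbot blockAccess
    BrowserMatchNoCase ^sogou blockAccess
    BrowserMatchNoCase ^SpiderKU blockAccess
    BrowserMatchNoCase ^SpiderMan blockAccess
    BrowserMatchNoCase ^Squid blockAccess
    BrowserMatchNoCase ^Teleport blockAccess
    BrowserMatchNoCase ^User-Agent\: blockAccess
    BrowserMatchNoCase VoilaBot blockAccess
    BrowserMatchNoCase ^voyager blockAccess
    BrowserMatchNoCase ^w3search blockAccess
    BrowserMatchNoCase ^Web\sDownloader blockAccess
    BrowserMatchNoCase ^WebCopier blockAccess
    BrowserMatchNoCase ^WebDevil blockAccess
    BrowserMatchNoCase ^WebSec blockAccess
    BrowserMatchNoCase ^WebVac blockAccess
    BrowserMatchNoCase ^Webwhacker blockAccess
    BrowserMatchNoCase ^Webzip blockAccess
    BrowserMatchNoCase ^Wells blockAccess
    BrowserMatchNoCase ^WhoWhere blockAccess
    BrowserMatchNoCase www\.netforex\.org blockAccess
    BrowserMatchNoCase ^WX_mail blockAccess
    BrowserMatchNoCase ^yacybot blockAccess
    BrowserMatchNoCase ^ZIBB blockAccess

    # Setting the NO_FOSWIKI_SESSION environment variable prevents a
    # session being created for the Google Search Appliance bot. This
    # is useful if you have the Google Search Appliance installed on
    # your intranet, as they can be very aggressive when indexing, creating
    # a lot of session files and slowing Foswiki down.
    # You can also set this environment variable for public sites, to
    # prevent Google and other search engines' bots. However, these tend
    # to index your site a lot less often than the Google Search Appliance.
    # *Works on Foswiki 1.1 and later only*
    BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION

    # Flag requests that send an empty User-Agent header.
    BrowserMatchNoCase ^$ blockAccess
</VirtualHost>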