Cannot secure data folder
astyl #1
Member since Jan 2019 · 2 posts
Group memberships: Members
Subject: Cannot secure data folder
Hey everyone!

So, if I keep the .htaccess.dist name as is in the main folder, pages of the wiki (including logging out) return a 404 error, all while dokuwiki.txt remains accessible publicly.

If I rename it to .htaccess, the wiki functions normally, but dokuwiki.txt remains publicly accessible.

Here's my .htaccess file in the main folder (the ones in other folders remain unchanged). Keep in mind, I played around with RewriteBase to no avail.
## You should disable Indexes and MultiViews either here or in the
## global config. Symlinks maybe needed for URL rewriting.
Options -Indexes -MultiViews +FollowSymLinks

## make sure nobody gets the htaccess, README, COPYING or VERSION files
<Files ~ "^([\._]ht|README$|VERSION$|COPYING$)">
    <IfModule mod_authz_host>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_host>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

## Don't allow access to git directories
<IfModule alias_module>
    RedirectMatch 404 /\.git
</IfModule>

## Uncomment these rules if you want to have nice URLs using
## $conf['userewrite'] = 1 - not needed for rewrite mode 2
RewriteEngine on

RewriteRule ^_media/(.*)              lib/exe/fetch.php?media=$1  [QSA,L]
RewriteRule ^_detail/(.*)             lib/exe/detail.php?media=$1  [QSA,L]
RewriteRule ^_export/([^/]+)/(.*)     doku.php?do=export_$1&id=$2  [QSA,L]
RewriteRule ^$                        doku.php  [L]
RewriteCond %{REQUEST_FILENAME}       !-f
RewriteCond %{REQUEST_FILENAME}       !-d
RewriteRule (.*)                      doku.php?id=$1  [QSA,L]
RewriteRule ^index.php$               doku.php

## Not all installations will require the following line.  If you do,
## change "/dokuwiki" to the path to your dokuwiki directory relative
## to your document root.
RewriteBase /

#
## If you enable DokuWikis XML-RPC interface, you should consider to
## restrict access to it over HTTPS only! Uncomment the following two
## rules if your server setup allows HTTPS.
#RewriteCond %{HTTPS} !=on
#RewriteRule ^lib/exe/xmlrpc.php$      https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

I am using nginx+apache with plesk 12 on linux, on a shared web hosting solution. The wiki is located in a subdomain (root: /sub.domain.com).
schplurtz (Moderator) #2
Member since Nov 2009 · 463 posts · Location: France, Finistère
Group memberships: Global Moderators, Members
Hi,

Securing dokuwiki sensitive folders is handled by .htaccess files in the data, bin, conf, vendor, etc. subdirectories. You did not change those files, that's good. As far as apache is concerned, if .htaccess files are allowed, your DW installation should be secured.

This brings up the following questions:

Are you sure that .htaccess files are allowed by your configuration in these directories?
Are you sure it is not nginx that serves the files?

Schplurtz.
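
A way to test both questions in post #2 from the outside, as an added example that is not part of the thread or of DokuWiki: request files that live in the protected directories and see whether the raw file comes back. The probe paths assume a default install layout (dokuwiki.txt is the file named in post #1), and the function names are hypothetical.

```python
import sys
import urllib.error
import urllib.request

# Assumed default-install locations, all non-PHP so a 200 means the raw file was served.
PROBES = [
    "data/pages/wiki/dokuwiki.txt",
    "data/pages/wiki/syntax.txt",
    "conf/mime.conf",
    "vendor/composer/installed.json",
]


def http_fetch(url, timeout=10):
    """GET url and return (status, content_type); HTTP errors are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get_content_type()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_content_type()


def classify(status, content_type):
    """Map one response to blocked / EXPOSED / inconclusive."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and content_type != "text/html":
        return "EXPOSED"  # raw file returned: the directory's deny rule was not applied
    # 200 text/html is typically the rewrite catch-all handing the URL to doku.php
    return "inconclusive"


def audit(base_url, fetch=http_fetch):
    """Probe every path under base_url and return {path: verdict}."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(*fetch(base + path)) for path in PROBES}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_dw.py https://wiki.example.test/")
    results = audit(sys.argv[1])
    for path, verdict in results.items():
        print(f"{verdict:12} {path}")
    sys.exit(1 if "EXPOSED" in results.values() else 0)
```

An EXPOSED verdict means the .htaccess in that directory is not being honoured for the request, either because AllowOverride does not permit it or because a front-end server answers for static files before Apache sees them.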
turnermm (Moderator) #3
Member since Oct 2009 · 4690 posts · Location: Canada
Group memberships: Global Moderators, Members, Super Mods
And if using apache, in your apache config file you must be sure to enable the use of .htaccess files:
<Directory "/your/html_directory">
    AllowOverride All
</Directory>
Myron Turner
github: https://github.com/turnermm
plugins, templates: http://www.mturner.org/devel
Michaelsy #4
Member since Jun 2015 · 969 posts · Location: Düsseldorf, Germany
Group memberships: Members
In reply to post #1
Quote by astyl on 2019-01-15, 16:13:
So, if I keep .htaccess.dist name as is in the main folder, pages of the wiki (including logging out) return a 404 error,

I suspect the following cause:
If you deactivate your rewrite rules by renaming your ".htaccess" to ".htaccess.dist", you also have to set:
$conf['userewrite'] = 0
or
$conf['userewrite'] = 2

If this remains set:
$conf['userewrite'] = 1

you receive the 404 errors. Cause: The internal links are not created properly.

HTH - Michael Sy.
By Patreon.com a few eurons can be fed into the code phasers of
the DokuWiki engine. Besides, Andi's posts are worth reading.