securing wiki files on windows/apache
sysbox27 #1
Member since Nov 2006 · 11 posts
Group memberships: Members
Hi,
I'm running apache as my webserver on a win2003 server to suit certain company policies. I have had a look at some of the security suggestions for dokuwiki, and maybe I don't fully understand the comments, but I haven't found a doc that explains how to lock down your wiki files from prying eyes.
I have deployed a basic ACL policy, but I don't like the fact that users can, if they so wish, currently view the wiki directory structure and actually view files like doku.php as well as all the other files.

Can somebody please help explain how I can do this on win2003/apache platform so I can make my dokuwiki more secure?

Thanks.
andi (Administrator) #2
User title: splitbrain
Member since May 2006 · 3450 posts · Location: Berlin Germany
Group memberships: Administrators, Members
Quote by sysbox27:
I'm running apache as my webserver on a win2003 server to suit certain company policies.

Apache is fine, then everything is secured by default. Please note we're talking about what you can access through the webserver. If your Windows box exposes the filesystem through other means like the "network neighborhood" then it's a completely different problem.

Quote by sysbox27:
I have deployed a basic ACL policy, but I don't like the fact that users can, if they so wish, currently view the wiki directory structure and actually view files like doku.php as well as all the other files.

Nobody can see the contents of doku.php because it's parsed by PHP and only the result is delivered to the user. The directory structure is protected by .htaccess files (make sure your Apache honors them). E.g., it forbids accessing the data directory. You may also want to disable Apache's directory indexing. Refer to the Apache manual on how to do this.
sysbox27 #3
Member since Nov 2006 · 11 posts
Group memberships: Members
Thanks for the response - I do appreciate it.

Does apache apply the .htaccess security you refer to by default? The .htaccess file looks ok, but when a user goes to the site, http://myservername.com/wikiroot/doku.php, if they want to they could just go to http://myservername.com/wikiroot and this will allow them to view all the files that make up my wiki. I want to prevent this - is that possible?
How do I get apache to honour the .htaccess that you mention?

Thanks again for the help!
purplepaisley #4
Member since May 2006 · 142 posts · Location: UK
Group memberships: Members
Hi,

Normally if a user goes to http://myservername.com/wikiroot, it should load the index.php by default, is yours not there? If it is there, and is still displaying the directory contents, you should check your configuration to serve index.php if index.html is not present.

Hope that helps.
sysbox27 #5
Member since Nov 2006 · 11 posts
Group memberships: Members
Hello purplepaisley,
Ah, that's what was wrong. I needed to change config to load index.php as you suggested.
I did this the other day but forgot to respond to your suggestion, but thought I should do so now anyway as maybe somebody else has the same problem and also benefits from it.
Thanks very much for the help.

Regards.
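
The three settings discussed in this thread (honouring .htaccess, disabling directory indexing, serving index.php for the directory), as an added example that is not part of any post above. It assumes Apache 2.2-style syntax and a hypothetical install path C:/Apache2/htdocs/wikiroot; the weak variant is shown commented out for comparison.

```apache
# Added example for httpd.conf. The path C:/Apache2/htdocs/wikiroot is an
# assumption; replace it with the real location of the wiki.

# Weak variant (for comparison only): a request for /wikiroot/ with no
# index file found returns a file listing, and .htaccess files are ignored.
# <Directory "C:/Apache2/htdocs/wikiroot">
#     Options Indexes FollowSymLinks
#     AllowOverride None
# </Directory>

# Corrected variant
<Directory "C:/Apache2/htdocs/wikiroot">
    # Never generate a file listing for a directory without an index file
    Options -Indexes
    # A request for /wikiroot/ is answered by index.php
    DirectoryIndex index.php
    # Honour the .htaccess files shipped with the wiki;
    # with "AllowOverride None" they are silently ignored
    AllowOverride All
</Directory>

# Deny the data directory in the main config as well, so it stays blocked
# even if .htaccess processing is later switched off.
# Order/Deny is Apache 2.2 syntax; on 2.4 use "Require all denied".
<Directory "C:/Apache2/htdocs/wikiroot/data">
    Order allow,deny
    Deny from all
</Directory>
```

After restarting Apache, a request for http://myservername.com/wikiroot/ should return the wiki rather than a file listing, and a request for anything under /wikiroot/data/ should return 403 Forbidden.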