Dokuwiki: hide directorys

Issues related to applications and software problems
Post Reply
andreas_reschke
Posts: 3
Joined: 2014/10/15 13:03:11

Dokuwiki: hide directorys

Post by andreas_reschke » 2014/10/15 14:14:05

Hi there,
I've installed a webserver (CentOS7) with the newst dokuwiki. Next step is to secure the installation (https://www.dokuwiki.org/security#web_access_security)

My changes:
in /etc/httpd/conf/httpd.conf

Code: Select all

Include vhost.d/*.conf
and the vhost.d/dokuwiki.conf

Code: Select all

[root@webserver ~]# cat /etc/httpd/vhost.d/dokuwiki.conf
<VirtualHost 192.168.2.10:80>
ServerAdmin postmaster@firma.local
ServerName dokuwiki.firma.local
DocumentRoot /var/www/html/dokuwiki
<Directory /var/www/html/dokuwiki>
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
<IfModule mod_rewrite.c>
Options +FollowSymLinks
## $conf['userewrite'] = 1 - not needed for rewrite mode 2
RewriteEngine on
## Not all installations will require the following line. If you do,
## change "/dokuwiki" to the path to your dokuwiki directory relative
## to your document root.
#RewriteBase /dokuwiki
RewriteRule ^_media/(.*) lib/exe/fetch.php?media=$1 [QSA,L]
RewriteRule ^_detail/(.*) lib/exe/detail.php?media=$1 [QSA,L]
RewriteRule ^_export/([^/]+)/(.*) doku.php?do=export_$1&id=$2 [QSA,L]
RewriteRule ^$ doku.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) doku.php?id=$1 [QSA,L]
RewriteRule ^index.php$ doku.php
</IfModule>
</Directory>
<Directory ~ /var/www/html/dokuwiki/(conf|inc|bin|data)>
<IfModule mod_authz_core.c>
# Apache 2.4
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
</VirtualHost>
[root@webserver ~]# 
I wonder why the access to http://yourserver.com/dokuwiki/data/pag ... kuwiki.txt is not denied.

Where is my mistake?

Thanks
Andreas

aks
Posts: 2999
Joined: 2014/09/20 11:22:14

Re: Dokuwiki: hide directorys

Post by aks » 2014/10/15 16:34:41

1) Check SELinux labelling on you vhost files (by default it should be okay but you don't say how you created them).
2) Have you got the .httaccess file in the right place - I don't see it in your config, but then I could just be blind.
3) Do you get an authentication dialogue when accessing?
4) Also you don't have a deny - just an allow all?

The docs for your chosen authenication module are here: http://httpd.apache.org/docs/trunk/mod/ ... _core.html

Regards

andreas_reschke
Posts: 3
Joined: 2014/10/15 13:03:11

Re: Dokuwiki: hide directorys

Post by andreas_reschke » 2014/10/16 08:39:14

aks wrote:1) Check SELinux labelling on you vhost files (by default it should be okay but you don't say how you created them).
2) Have you got the .httaccess file in the right place - I don't see it in your config, but then I could just be blind.
3) Do you get an authentication dialogue when accessing?
4) Also you don't have a deny - just an allow all?

The docs for your chosen authenication module are here: http://httpd.apache.org/docs/trunk/mod/ ... _core.html

Regards
1)
I've just extract the tar-file to that place

Code: Select all

[root@webserver ~]# ls -Z /var/www/vhosts/dokuwiki/index.php
-rw-rw-r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/vhosts/dokuwiki/index.php
[root@webserver ~]#
2)
Yes, .htaccess is there, but the apache doku says:
You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

Code: Select all

[root@webserver ~]# ls -Z /var/www/vhosts/dokuwiki/.htaccess
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/vhosts/dokuwiki/.htaccess
[root@webserver ~]# 
3)
No, I don't want a authentication dialogue, it is public wiki for dokumentation our work.
4)
No, you're wrong

Code: Select all

<Directory ~ /var/www/html/dokuwiki/(conf|inc|bin|data)>
<IfModule mod_authz_core.c>
# Apache 2.4
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
Thanks
Andreas

aks
Posts: 2999
Joined: 2014/09/20 11:22:14

Re: Dokuwiki: hide directorys

Post by aks » 2014/10/16 17:56:36

Okay so you don't get a login so the whole authentication thing is not working. Why would using a htaccess file slow stuff down? Sure it's a file, so an extra get over the SCSI subsystem but surely that applies to any authentication system?

Clearly Apache is not "seeing" that section of the website as a section that requires authentication (you don't get a login box). I suggest reading the documentation I linked to - you'll get there. Post back if you have specific questions.

Regards

andreas_reschke
Posts: 3
Joined: 2014/10/15 13:03:11

Re: Dokuwiki: hide directorys

Post by andreas_reschke » 2014/10/20 07:55:57

aks wrote:Okay so you don't get a login so the whole authentication thing is not working. Why would using a htaccess file slow stuff down? Sure it's a file, so an extra get over the SCSI subsystem but surely that applies to any authentication system?

Clearly Apache is not "seeing" that section of the website as a section that requires authentication (you don't get a login box). I suggest reading the documentation I linked to - you'll get there. Post back if you have specific questions.

Regards
Hi aks,
so I did a clean installation, moved the files from /var/www/html/ to the proper directory under /var/www/vhosts/vhost1/ and modify all vhosts.conf to

Code: Select all

<VirtualHost 192.168.2.11:80>
        ServerAdmin postmaster@firma.net
        ServerName vhost1.firma.net
        DocumentRoot /var/www/vhosts/vhost1
<Directory ~ /var/www/vhosts/vhost1/(conf|inc|bin|data)>
        # Apache 2.4
        Require all denied
</Directory>
</VirtualHost> 
Now, everything works fine, all 4 subdomains are working and the access to the forbidden directorys are denied.

Thank you for your hints.
Andreas

Next step is to redirect all acces form http to https, but this is another part.

Post Reply

Return to “CentOS 7 - Software Support”