security
Differences
This shows you the differences between two versions of the page.
security [2014-02-04 13:13] – [Deny Directory Access in IIS] 79.11.255.18 | security [2018-05-01 14:25] – Security warning picture can be cached Gruven | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | + | ====== Security | |
- | ====== Security ====== | + | |
DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system. | DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system. | ||
- | DokuWiki is developed with security in mind. We try to find a balance between user friendliness and security, but favor security when no satisfying compromise can be found. | + | DokuWiki is developed with security in mind. We try to find a balance between user-friendliness and security but favor security when no satisfying compromise can be found. |
This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure. | This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure. | ||
Line 18: | Line 17: | ||
The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | ||
- | All previous security issues can be seen in the [[http:// | + | All previous security issues can be seen in the [[http:// |
Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | ||
Line 34: | Line 33: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * <del>'' |
* '' | * '' | ||
To check if you need to adjust the access permissions try to access '' | To check if you need to adjust the access permissions try to access '' | ||
+ | |||
+ | (More about permissions - [[install: | ||
If your directories are not properly secured, read the following subsections on how to do that. | If your directories are not properly secured, read the following subsections on how to do that. | ||
- | ==== Deny Directory Access in Apache ==== | + | EDIT (2017-08-28): |
+ | |||
+ | EDIT (2017-09-26): | ||
+ | |||
+ | EDIT (2018-05-01): | ||
+ | ==== Deny Directory Access in Apache ==== | ||
The simplest way is to enable '' | The simplest way is to enable '' | ||
- | DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows: | + | DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows |
< | < | ||
- | order allow,deny | + | < |
- | deny from all | + | |
+ | Deny from all | ||
+ | </ | ||
+ | < | ||
+ | Require all denied | ||
+ | </ | ||
</ | </ | ||
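Review bot: guarding the Apache 2.2 `Deny from all` and the Apache 2.4 `Require all denied` with separate `<IfModule` conditions is the right fix for the .htaccess example, but the text should say why: on Apache 2.4 `Order` and `Deny` are only understood when mod_access_compat is loaded, and without it they are unknown directives, so an unguarded .htaccess makes the whole directory answer 500 instead of 403. Two smaller points in the same hunk: the three dated `EDIT (2017-08-28):`, `EDIT (2017-09-26):` and `EDIT (2018-05-01):` notes sit between the permission check and the Apache heading, so fold their content into the subsection they concern instead of keeping a changelog in the body; and the struck-through list entry (`<del>''`) should state why that directory no longer needs protecting, otherwise readers cannot tell whether to keep or drop an existing rule for it.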
Line 56: | Line 67: | ||
It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. | It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. | ||
- | In the /// | + | In the /// |
There you'll find: | There you'll find: | ||
Line 77: | Line 88: | ||
</ | </ | ||
</ | </ | ||
- | Default for AllowOverride in the < | + | Default for AllowOverride in the < |
/// | /// | ||
+ | |||
+ | : | ||
(See http:// | (See http:// | ||
[you can make this change also for the particular directory containing your DokuWiki installation, | [you can make this change also for the particular directory containing your DokuWiki installation, | ||
- | |||
---- | ---- | ||
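Review bot: this hunk still recommends changing `AllowOverride` inside `<Directory />`, i.e. for the whole filesystem, and only mentions in the bracketed last sentence that the change can be limited to the directory containing the DokuWiki installation. Make the per-directory change the main instruction and the global one the fallback: overrides at `/` make Apache look for .htaccess in every directory on each request, and let any directory a local user can write to change its own access rules.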
Line 97: | Line 109: | ||
</ | </ | ||
- | //However see the "What to use When" section here [[http:// | + | //However see the "What to use When" section here [[http:// |
---- | ---- | ||
- | The above could cause a problem if you have another " | + | The above could cause a problem if you have another " |
You can avoid this problem by extending your LocationMatch within your wiki installation folder. | You can avoid this problem by extending your LocationMatch within your wiki installation folder. | ||
< | < | ||
Line 109: | Line 121: | ||
</ | </ | ||
- | < | + | < |
order allow,deny | order allow,deny | ||
deny from all | deny from all | ||
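Review bot: the `order allow,deny` / `deny from all` lines kept in this block still use the Apache 2.2 syntax, while the .htaccess example earlier in the diff was updated to add `Require all denied` for 2.4. Update this block the same way, or guard both variants with `<IfModule>`, otherwise an Apache 2.4 server without mod_access_compat rejects the configuration (a startup error in httpd.conf, a 500 response in .htaccess).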
Line 119: | Line 131: | ||
Access to the mentioned directories can be disabled in IIS' configuration settings. | Access to the mentioned directories can be disabled in IIS' configuration settings. | ||
- | - Open the configuration tool: Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services | + | === In IIS 8+ === |
- | - Navigate to the directory you want to protect: Local Computer -> Web Sites -> Default Web Site → //path to directory// | + | |
- | - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | + | |
- | - Choose "By default, all computers will be: Denied access" | + | |
+ | (Windows 8(.1) and Servers 2012 and 2012R2): | ||
- | In IIS7: | + | - select "IIS Request Filtering" |
+ | - go to the " | ||
+ | - click on "Deny Sequence..." | ||
+ | - enter "/ | ||
+ | - Repeat the "Deny Sequence..." | ||
+ | |||
+ | |||
+ | === In IIS 7 === | ||
- select "IIS Request Filtering" | - select "IIS Request Filtering" | ||
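Review bot: the new `=== In IIS 8+ ===` steps (select "IIS Request Filtering", open the URL tab, "Deny Sequence...", enter the sequence, repeat) duplicate the `=== In IIS 7 ===` list that follows them; the Request Filtering dialog is the same in both versions, so keep one list and carry the Windows 8(.1) / Server 2012 and 2012 R2 remark as a one-line note. Two copies of the same sequence list will drift apart the next time a directory is added or removed.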
Line 132: | Line 149: | ||
- enter "/ | - enter "/ | ||
- | | + | Note: By default, the Management Console snap-in for Internet Information Services 7 does not have UI access to "IIS Request Filtering" |
- | + | ||
- | Note: By default, the Management Console snap-in for Internet Information Services 7 does not have UI access to "IIS Request Filtering" | + | |
Also note: Ensure you enter "/ | Also note: Ensure you enter "/ | ||
- | **Alternative** | + | === Alternatives for IIS 7+ === |
+ | |||
+ | If you can't access IIS configuration options (as in shared hosting sites), you can use one of the following methods | ||
+ | |||
+ | //Alternative | ||
+ | |||
+ | You can place the following file in your dokuwiki root: | ||
+ | |||
+ | <file xml web.config> | ||
+ | |||
+ | <?xml version=" | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | </ | ||
+ | < | ||
+ | <add sequence="/ | ||
+ | <add sequence="/ | ||
+ | <add sequence="/ | ||
+ | <add sequence="/ | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | </ | ||
+ | |||
+ | // | ||
- | If you can't access IIS configuration options (as in shared hosting sites), you can put the following web.config file in the directories you have to protect. | + | You can put the following web.config file in the directories you have to protect. |
* '' | * '' | ||
Line 158: | Line 203: | ||
</ | </ | ||
+ | |||
+ | === IIS 6.5 and below === | ||
+ | |||
+ | - Open the configuration tool: Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services | ||
+ | - Navigate to the directory you want to protect: Local Computer -> Web Sites -> Default Web Site → //path to directory// | ||
+ | - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | ||
+ | - Choose "By default, all computers will be: Denied access" | ||
+ | - Repeat this for /data/ /conf/ /bin/ and /inc/ directories | ||
==== Deny Directory Access in Lighttpd ==== | ==== Deny Directory Access in Lighttpd ==== | ||
- | Using a [[http:// | + | Using a [[http:// |
< | < | ||
url.rewrite-once = ( " | url.rewrite-once = ( " | ||
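Review bot: the `denyUrlSequences` entries in the added web.config are substring matches, so each `<add sequence="/…` entry blocks every URL that contains that sequence anywhere, not only the top-level directory; the leading `/` does not anchor it to the site root. Say so next to the file, since it can also block nested paths under lib/ that contain the same segment. Also, `=== IIS 6.5 and below ===` names a version that does not exist (IIS went from 6.0 to 7.0); `IIS 6 and below` is what is meant.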
Line 172: | Line 225: | ||
} | } | ||
</ | </ | ||
+ | |||
==== Deny Directory Access in Nginx ==== | ==== Deny Directory Access in Nginx ==== | ||
Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | ||
In your nginx.conf file add the following location to prevent access to secure directories. | In your nginx.conf file add the following location to prevent access to secure directories. | ||
+ | |||
+ | //This instruction is slightly misleading. What you should actually edit is the / | ||
+ | //Or in the virtualhost where you are hosting dokuwiki// | ||
< | < | ||
Line 183: | Line 240: | ||
</ | </ | ||
- | Also disabling access to .htaccess files is recommended: | + | Note: if you are using [[config: |
< | < | ||
- | location ~ /\.ht { | + | location ~ /(conf|bin|inc)/ |
- | deny all; | + | deny all; |
+ | } | ||
+ | |||
+ | location ~ /data/ { | ||
+ | internal; | ||
} | } | ||
</ | </ | ||
- | (comment: nginx does not use htaccess files, so the above directive is meaningless) | ||
==== Deny Directory Access in Cherokee ==== | ==== Deny Directory Access in Cherokee ==== | ||
It is relatively easy to forbid access to those directories using Cherokee. In cherokee-admin, | It is relatively easy to forbid access to those directories using Cherokee. In cherokee-admin, | ||
- | then add a new " | + | then add a new " |
< | < | ||
/ | / | ||
</ | </ | ||
+ | Remember to set it as "NON FINAL", | ||
Then go in " | Then go in " | ||
+ | ==== Deny Directory Access in Caddy ==== | ||
+ | Here is an example Caddyfile for a wiki served with [[https:// | ||
+ | < | ||
+ | wiki.example.com { | ||
+ | log / | ||
+ | root / | ||
+ | # Assuming install/ | ||
+ | # to listen on localhost: | ||
+ | fastcgi / 127.0.0.1: | ||
+ | # This block below sends an HTTP 401 message when | ||
+ | # a client attempts to access the secured directories. | ||
+ | status 401 { | ||
+ | /data | ||
+ | /conf | ||
+ | /bin | ||
+ | /inc | ||
+ | } | ||
+ | } | ||
+ | </ | ||
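Review bot: dropping the `location ~ /\.ht { deny all; }` block on the reasoning given in the removed comment (`nginx does not use htaccess files, so the above directive is meaningless`) is a regression: nginx ignores the directives inside .htaccess but still serves the file as static content, and DokuWiki ships `.htaccess` files in its subdirectories, so the block keeps their contents from being disclosed and should stay. Two more points in this hunk: the new `location ~ /(conf|bin|inc)/` and `location ~ /data/` regexes are unanchored and match anywhere in the URI, which also catches nested paths such as lib/plugins/<plugin>/conf/; that may be intended, but say so, and anchor with `^` if only the top-level directories are meant. In the Caddy example, `status 401` is the wrong code for a hard deny: 401 tells the client to authenticate and retry and is meant to come with a WWW-Authenticate header, so use 403. The italic `This instruction is slightly misleading` aside should also be folded into the sentence it corrects rather than left as a comment in the page.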
Line 252: | Line 332: | ||
===== DokuWiki Configuration Settings ===== | ===== DokuWiki Configuration Settings ===== | ||
- | DokuWiki contains several configuration settings that have an impact on various security | + | DokuWiki contains several configuration settings that have an impact on various security |
* [[config: | * [[config: | ||
Line 267: | Line 347: | ||
* [[config: | * [[config: | ||
* [[config: | * [[config: | ||
+ | * [[config: | ||
===== Plugin Security ===== | ===== Plugin Security ===== | ||
Line 295: | Line 376: | ||
* {{http:// | * {{http:// | ||
* [[http:// | * [[http:// | ||
- | |||
- | ===== Additional Security Tools ===== | ||
- | |||
- | I've configure DokuWiki with ZBBlock: http:// | ||
- | Works great. Stops a lot of nasty attacks... | ||
- |
security.txt · Last modified: 2024-02-13 09:17 by 178.197.202.230