security
Differences
This shows you the differences between two versions of the page.
security [2014-09-20 15:23] – [DokuWiki Configuration Settings] 202.137.156.252 | security [2020-07-17 13:51] – [Move Directories out of DocRoot] andi | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | + | ====== Security | |
- | ====== Security ====== | + | |
DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system. | DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system. | ||
- | DokuWiki is developed with security in mind. We try to find a balance between user friendliness and security, but favor security when no satisfying compromise can be found. | + | DokuWiki is developed with security in mind. We try to find a balance between user-friendliness and security but favor security when no satisfying compromise can be found. |
This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure. | This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure. | ||
Line 34: | Line 33: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * '' | + | * <del>'' |
* '' | * '' | ||
+ | * '' | ||
To check if you need to adjust the access permissions try to access '' | To check if you need to adjust the access permissions try to access '' | ||
+ | |||
+ | (More about permissions - [[install: | ||
If your directories are not properly secured, read the following subsections on how to do that. | If your directories are not properly secured, read the following subsections on how to do that. | ||
+ | EDIT (2017-08-28): | ||
+ | |||
+ | EDIT (2017-09-26): | ||
+ | |||
+ | EDIT (2018-05-01): | ||
==== Deny Directory Access in Apache ==== | ==== Deny Directory Access in Apache ==== | ||
- | FIXME(Needs to be update for Apache 2.4) \\ | + | |
The simplest way is to enable '' | The simplest way is to enable '' | ||
- | DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows: | + | DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows |
< | < | ||
- | order allow,deny | + | < |
- | deny from all | + | |
+ | Deny from all | ||
+ | </ | ||
+ | < | ||
+ | Require all denied | ||
+ | </ | ||
</ | </ | ||
- | **Remark** : Using apache2 on Ubuntu, the .htaccess does not work until you activate the ' | + | **Remark**: Using apache2 on Ubuntu, the .htaccess does not work until you activate the ' |
It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. | It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. | ||
- | In the /// | + | In the /// |
There you'll find: | There you'll find: | ||
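Review bot: the replacement .htaccess body in the Apache block drops `Order allow,deny` and keeps only `Deny from all` next to the new `Require all denied`; the wrapper lines are cut off in this view, so confirm that each form sits in its own `<IfModule mod_authz_core.c>` / `<IfModule !mod_authz_core.c>` block (so Apache 2.2 and 2.4 each see only their own directive) and restore `Order allow,deny` above `Deny from all` so the 2.2 branch does not rely on the default Order. Separately, the three dated `EDIT (2017-08-28)`, `EDIT (2017-09-26)` and `EDIT (2018-05-01)` markers inserted after the "read the following subsections" sentence read as a changelog inside the body; fold whatever they state into the surrounding text and leave the history to the revision log.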
Line 77: | Line 89: | ||
</ | </ | ||
</ | </ | ||
- | Default for AllowOverride in the < | + | Default for AllowOverride in the < |
/// | /// | ||
+ | |||
+ | : | ||
(See http:// | (See http:// | ||
[you can make this change also for the particular directory containing your DokuWiki installation, | [you can make this change also for the particular directory containing your DokuWiki installation, | ||
- | |||
---- | ---- | ||
Line 90: | Line 103: | ||
The other way is to use '' | The other way is to use '' | ||
< | < | ||
- | < | + | < |
Order allow,deny | Order allow,deny | ||
Deny from all | Deny from all | ||
Line 97: | Line 110: | ||
</ | </ | ||
- | //However see the "What to use When" section here [[http:// | + | //However see the "What to use When" section here [[http:// |
---- | ---- | ||
- | The above could cause a problem if you have another " | + | The above could cause a problem if you have another " |
You can avoid this problem by extending your LocationMatch within your wiki installation folder. | You can avoid this problem by extending your LocationMatch within your wiki installation folder. | ||
< | < | ||
Line 109: | Line 122: | ||
</ | </ | ||
- | < | + | < |
order allow,deny | order allow,deny | ||
deny from all | deny from all | ||
Line 116: | Line 129: | ||
</ | </ | ||
==== Deny Directory Access in IIS ==== | ==== Deny Directory Access in IIS ==== | ||
+ | |||
Access to the mentioned directories can be disabled in IIS' configuration settings. | Access to the mentioned directories can be disabled in IIS' configuration settings. | ||
- | In IIS8+ (Servers 2012 and 2012R2): | + | === In IIS 8+ === |
+ | |||
+ | (Windows 8(.1) and Servers 2012 and 2012R2): | ||
- select "IIS Request Filtering" | - select "IIS Request Filtering" | ||
- go to the " | - go to the " | ||
- | - click on "Allow URL" | ||
- | - enter "/ | ||
- click on "Deny Sequence..." | - click on "Deny Sequence..." | ||
- enter "/ | - enter "/ | ||
- | - Repeat the "Deny Sequence..." | + | - Repeat the "Deny Sequence..." |
- | {{http:// | ||
- | In IIS7: | + | === In IIS 7 === |
- select "IIS Request Filtering" | - select "IIS Request Filtering" | ||
Line 137: | Line 150: | ||
- enter "/ | - enter "/ | ||
- | | + | Note: By default, the Management Console snap-in for Internet Information Services 7 does not have UI access to "IIS Request Filtering" |
- | + | ||
- | Note: By default, the Management Console snap-in for Internet Information Services 7 does not have UI access to "IIS Request Filtering" | + | |
Also note: Ensure you enter "/ | Also note: Ensure you enter "/ | ||
- | **Alternatives for IIS 7+** | + | === Alternatives for IIS 7+ === |
If you can't access IIS configuration options (as in shared hosting sites), you can use one of the following methods | If you can't access IIS configuration options (as in shared hosting sites), you can use one of the following methods | ||
- | Alternative 1: | + | //Alternative 1:// |
You can place the following file in your dokuwiki root: | You can place the following file in your dokuwiki root: | ||
Line 160: | Line 171: | ||
< | < | ||
</ | </ | ||
- | < | ||
- | <add url="/ | ||
- | </ | ||
< | < | ||
<add sequence="/ | <add sequence="/ | ||
Line 168: | Line 176: | ||
<add sequence="/ | <add sequence="/ | ||
<add sequence="/ | <add sequence="/ | ||
+ | <add sequence="/ | ||
</ | </ | ||
</ | </ | ||
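Review bot: the value of the new `<add sequence="/...">` entry appended to the deny-sequence list is truncated in this view; it should be `/vendor/` so this web.config matches the `/vendor/` directory added to the IIS 6.5 step list further down in this diff, and it should keep the leading and trailing slash like the existing entries, since request-filtering sequences are substring matches and a bare `vendor` would also catch unrelated page names.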
Line 176: | Line 185: | ||
</ | </ | ||
- | Alternative 2: | + | //Alternative 2:// |
You can put the following web.config file in the directories you have to protect. | You can put the following web.config file in the directories you have to protect. | ||
Line 184: | Line 193: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
<file xml web.config> | <file xml web.config> | ||
Line 197: | Line 207: | ||
</ | </ | ||
- | IIS 6.5 and below: | + | === IIS 6.5 and below === |
- Open the configuration tool: Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services | - Open the configuration tool: Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services | ||
Line 203: | Line 213: | ||
- Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | ||
- Choose "By default, all computers will be: Denied access" | - Choose "By default, all computers will be: Denied access" | ||
- | - Repeat this for /data/ /conf/ /bin/ and /inc/ directories | + | - Repeat this for /data/ /conf/ /bin/ /inc/ and /vendor/ directories |
==== Deny Directory Access in Lighttpd ==== | ==== Deny Directory Access in Lighttpd ==== | ||
- | Using a [[http:// | + | Using a [[[[https:// |
+ | url.rewrite-once = ( " | ||
+ | Don't forget to uncomment | ||
+ | server.modules += ( | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | | ||
+ | ) | ||
+ | Unfortunately it does not keep people out who are using Vivaldi and probably other Chromium based browsers. When combined with “[[https://redmine.lighttpd.net/projects/lighttpd/ | ||
+ | In / | ||
< | < | ||
- | url.rewrite-once = ( " | + | $HTTP[" |
- | </ | + | url.access-deny = ("" |
- | + | ||
- | Or use ''//" | + | |
- | < | + | |
- | $HTTP[" | + | |
- | url.access-deny = ("" | + | |
} | } | ||
</ | </ | ||
+ | to / | ||
+ | \\ | ||
+ | Restart lighttpd with systemctl reload-or-restart lighttpd and check the status with systemctl status lighttpd | ||
==== Deny Directory Access in Nginx ==== | ==== Deny Directory Access in Nginx ==== | ||
Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | ||
In your nginx.conf file add the following location to prevent access to secure directories. | In your nginx.conf file add the following location to prevent access to secure directories. | ||
+ | |||
+ | //This instruction is slightly misleading. What you should actually edit is the / | ||
+ | //Or in the virtualhost where you are hosting dokuwiki// | ||
< | < | ||
- | location ~ / | + | location ~ / |
deny all; | deny all; | ||
} | } | ||
</ | </ | ||
- | Also disabling access to .htaccess files is recommended: | + | Note: if you are using [[config: |
< | < | ||
- | location ~ /\.ht { | + | location ~ /(conf|bin|inc|vendor)/ |
- | deny all; | + | deny all; |
+ | } | ||
+ | |||
+ | location ~ /data/ { | ||
+ | internal; | ||
} | } | ||
</ | </ | ||
- | (comment: nginx does not use htaccess files, so the above directive is meaningless) | ||
==== Deny Directory Access in Cherokee ==== | ==== Deny Directory Access in Cherokee ==== | ||
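Review bot: in the Nginx block, `location ~ /(conf|bin|inc|vendor)/` and `location ~ /data/` are unanchored regexes, so they match the substring anywhere in the request URI; with URL rewriting enabled a page path such as `/projects/data/overview` can be caught by the `internal;` location and return 404. Anchor them as `^/(conf|bin|inc|vendor)/` and `^/data/` (adjusting the prefix if DokuWiki is not at the site root) so only the real directories are affected. In the Lighttpd block, `[[[[https://` has a doubled opening bracket and will not render as a DokuWiki link, and the `url.rewrite-once = (...)`, `server.modules += (...)` and `systemctl reload-or-restart lighttpd` lines are inserted as plain paragraph text rather than inside a `<code>` block like the `$HTTP[...]` example below them. The statement that the rewrite rule "does not keep people out who are using Vivaldi" also needs checking before it is published: `url.rewrite-once` is evaluated server-side and cannot see which browser sent the request, so the difference is almost certainly in the form of the URL requested (trailing slash, encoding); reproduce it with a plain HTTP client and describe the actual failing request instead.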
Line 244: | Line 268: | ||
then add a new " | then add a new " | ||
< | < | ||
- | / | + | / |
</ | </ | ||
Remember to set it as "NON FINAL", | Remember to set it as "NON FINAL", | ||
Line 250: | Line 274: | ||
Then go in " | Then go in " | ||
+ | ==== Deny Directory Access in Caddy ==== | ||
+ | Here is an example Caddyfile for a wiki served with [[https:// | ||
+ | < | ||
+ | wiki.example.com { | ||
+ | log / | ||
+ | root / | ||
+ | # Assuming install/ | ||
+ | # to listen on localhost: | ||
+ | fastcgi / 127.0.0.1: | ||
+ | # This block below sends an HTTP 401 message when | ||
+ | # a client attempts to access the secured directories. | ||
+ | status 401 { | ||
+ | /data | ||
+ | /conf | ||
+ | /bin | ||
+ | /inc | ||
+ | /vendor | ||
+ | } | ||
+ | } | ||
+ | </ | ||
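Review bot: in the Caddy block, `status 401` returns 401 Unauthorized, which signals that credentials are required and is meant to accompany a `WWW-Authenticate` challenge; a blanket refusal of `/data`, `/conf`, `/bin`, `/inc` and `/vendor` is a 403 Forbidden (or a 404 if the directories' existence should not be revealed), so change the directive and the comment above it ("sends an HTTP 401 message") to match. Note also that `log`, `root`, `fastcgi` and `status { ... }` in this form are Caddy v1 Caddyfile directives; a Caddy v2 Caddyfile uses `php_fastcgi` and `respond` with a status code instead, so the example should state which Caddy version it targets (the link text naming it is cut off here).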
Line 260: | Line 304: | ||
==== Move Directories out of DocRoot ==== | ==== Move Directories out of DocRoot ==== | ||
- | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " | + | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " |
**__WARNING: | **__WARNING: | ||
Line 314: | Line 358: | ||
* [[config: | * [[config: | ||
* [[config: | * [[config: | ||
+ | * [[config: | ||
===== Plugin Security ===== | ===== Plugin Security ===== | ||
Line 342: | Line 387: | ||
* {{http:// | * {{http:// | ||
* [[http:// | * [[http:// | ||
- | |||
- | ===== Additional Security Tools ===== | ||
- | |||
- | I've configure DokuWiki with ZBBlock: http:// | ||
- | Works great. Stops a lot of nasty attacks... | ||
- |
security.txt · Last modified: 2024-02-13 09:17 by 178.197.202.230