security
Differences
This shows you the differences between two versions of the page.
security [2017-09-26 22:22] – [Web Access Security] 37.132.166.10 | security [2024-02-13 09:17] (current) – undo 178.197.202.230 | ||
Line 11: | Line 11: | ||
When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | ||
+ | * Report through [[https:// | ||
* Submit a [[bugs|bug report]] | * Submit a [[bugs|bug report]] | ||
* Send a mail to the [[mailinglist]] | * Send a mail to the [[mailinglist]] | ||
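Review bot: Inserting the new "Report through [[https://" bullet at the top of the list changes what the unchanged sentence further down, "The first two ways should be preferred except for very serious bugs", refers to, since that sentence identifies the preferred channels by position. Name the preferred channels explicitly in that sentence rather than as "the first two ways", or place the new bullet so that the sentence still points at the intended pair.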
Line 17: | Line 18: | ||
The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | ||
- | All previous | + | Previous |
Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | ||
Line 33: | Line 34: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * <del>'' | + | * '' |
* '' | * '' | ||
+ | * '' | ||
- | To check if you need to adjust the access permissions try to access '' | + | To check if you need to adjust the access permissions try to access '' |
- | (More about permissions - [[install: | + | Please note that this has nothing to do with [[install: |
If your directories are not properly secured, read the following subsections on how to do that. | If your directories are not properly secured, read the following subsections on how to do that. | ||
- | EDIT (2017-08-28): | ||
- | EDIT(2017-09-26): | ||
==== Deny Directory Access in Apache ==== | ==== Deny Directory Access in Apache ==== | ||
The simplest way is to enable '' | The simplest way is to enable '' | ||
- | DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows (valid for both Apache 2.2 and 2.4): | + | DokuWiki already comes with correctly configured |
< | < | ||
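Review bot: This hunk changes two entries of the directory list (one entry has its <del> removed, i.e. it is restored as a directory to protect, and one new entry is added), but the per-server examples later in this revision only gain a single new entry each (one "<add sequence=" line and one bullet in the IIS part, "/vendor/" in the IIS step list, "/vendor" in the last config block). Confirm that the restored entry is also covered by each server-specific example, otherwise the master list and the examples disagree about which directories must be blocked. Removing the dated "EDIT (2017-08-28)" and "EDIT(2017-09-26)" lines in favour of a plain sentence is fine.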
Line 61: | Line 61: | ||
</ | </ | ||
- | **Remark** : Using apache2 on Ubuntu, the .htaccess | + | Please note that many distributions have .htaccess |
- | It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. | + | Check this [[https:// |
- | In the ///etc/apache2/sites-available// (or you need to modify | + | Alternatively you can use the [[https://httpd.apache.org/docs/current/mod/core.html# |
- | + | ||
- | There you'll find: | + | |
< | < | ||
- | NameVirtualHost * | + | < |
- | < | + | |
- | ServerAdmin admin@site.com | + | |
- | + | ||
- | DocumentRoot /var/www/ | + | |
- | < | + | |
- | Options FollowSymLinks | + | |
- | AllowOverride None | + | |
- | </ | + | |
- | < | + | |
- | Options Indexes FollowSymLinks MultiViews | + | |
- | AllowOverride none | + | |
- | Order allow, | + | |
- | allow from all | + | |
- | </ | + | |
- | </ | + | |
- | Default for AllowOverride in the < | + | |
- | + | ||
- | /// | + | |
- | + | ||
- | : | + | |
- | + | ||
- | (See http:// | + | |
- | + | ||
- | [you can make this change also for the particular directory containing your DokuWiki installation, | + | |
- | + | ||
- | ---- | + | |
- | + | ||
- | The other way is to use '' | + | |
- | < | + | |
- | < | + | |
Order allow,deny | Order allow,deny | ||
Deny from all | Deny from all | ||
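Review bot: The retained block ending in "Order allow,deny" / "Deny from all" is Apache 2.2 access-control syntax; on Apache 2.4 it only works when mod_access_compat is loaded, yet the surrounding text presents the .htaccess as valid for both 2.2 and 2.4 and the new sentence points readers at the current core documentation for the Directory/Location directives. Add the 2.4 form, "Require all denied", next to the 2.2 lines (or state that mod_access_compat is required) so the example matches the versions it claims to cover. Replacing the long Ubuntu virtual-host walkthrough with the note that many distributions ship with .htaccess disabled (AllowOverride None) is a good simplification.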
Line 107: | Line 75: | ||
</ | </ | ||
- | //However see the "What to use When" section here [[http:// | ||
- | |||
- | ---- | ||
- | |||
- | The above could cause a problem if you have another " | ||
- | You can avoid this problem by extending your LocationMatch within your wiki installation folder. | ||
- | < | ||
- | < | ||
- | order deny,allow | ||
- | allow from all | ||
- | </ | ||
- | |||
- | < | ||
- | order allow,deny | ||
- | deny from all | ||
- | satisfy all | ||
- | </ | ||
- | </ | ||
==== Deny Directory Access in IIS ==== | ==== Deny Directory Access in IIS ==== | ||
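Review bot: Dropping the paragraph "The above could cause a problem if you have another ... folder" together with its "satisfy all" example removes the only warning on the page that a LocationMatch (or Location) pattern built from a bare directory name also matches same-named directories elsewhere under the site, while the new text above still offers the Location directive as the alternative to .htaccess. Keep a one-line caveat that the pattern should be anchored to the wiki's installation path, so readers do not accidentally block or expose other paths.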
Line 137: | Line 87: | ||
- click on "Deny Sequence..." | - click on "Deny Sequence..." | ||
- enter "/ | - enter "/ | ||
- | - Repeat the "Deny Sequence..." | + | - Repeat the "Deny Sequence..." |
Line 173: | Line 123: | ||
<add sequence="/ | <add sequence="/ | ||
<add sequence="/ | <add sequence="/ | ||
+ | <add sequence="/ | ||
</ | </ | ||
</ | </ | ||
Line 189: | Line 140: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
<file xml web.config> | <file xml web.config> | ||
Line 208: | Line 160: | ||
- Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | ||
- Choose "By default, all computers will be: Denied access" | - Choose "By default, all computers will be: Denied access" | ||
- | - Repeat this for /data/ /conf/ /bin/ and /inc/ directories | + | - Repeat this for /data/ /conf/ /bin/ /inc/ and /vendor/ directories |
==== Deny Directory Access in Lighttpd ==== | ==== Deny Directory Access in Lighttpd ==== | ||
- | Using a [[http:// | + | Using a [[https:// |
+ | url.rewrite-once = ( " | ||
+ | Don't forget to uncomment or add “mod_rewrite” in the server.modules section of / | ||
+ | server.modules += ( | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | ) | ||
+ | Unfortunately it does not keep people | ||
+ | In /etc/lighttpd/ | ||
< | < | ||
- | url.rewrite-once = ( " | + | $HTTP[" |
- | </ | + | url.access-deny = ("" |
- | + | ||
- | Or use ''//" | + | |
- | < | + | |
- | $HTTP[" | + | |
- | url.access-deny = ("" | + | |
} | } | ||
</ | </ | ||
+ | to / | ||
+ | \\ | ||
+ | Restart lighttpd with systemctl reload-or-restart lighttpd and check the status with systemctl status lighttpd | ||
==== Deny Directory Access in Nginx ==== | ==== Deny Directory Access in Nginx ==== | ||
Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | ||
- | In your nginx.conf file add the following location to prevent access to secure directories. | + | In your host configuration file (for example, / |
- | //This instruction | + | :!: Make sure that the rule is processed before other rules that control access to certain files.((See this [[https://forum.dokuwiki.org/d/21122-security-warning-persists/9|forum thread]] and [[https://stackoverflow.com/questions/76369813/why-are-my-jpg-and-png-files-accessible-despite-nginx-access-restriction|stackoverflow]])) |
- | //Or in the virtualhost where you are hosting dokuwiki// | + | |
< | < | ||
- | location ~ / | + | location ~ / |
deny all; | deny all; | ||
} | } | ||
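Review bot: In the Lighttpd part of this hunk the added configuration lines "url.rewrite-once = ( ..." and the "server.modules += ( ... )" block are placed in running text, whereas the "$HTTP[...] { url.access-deny = ("") }" example that follows is inside a <code> block; wrap the new lines in <code> as well so the wiki renders the quotes and parentheses verbatim, and put the commands "systemctl reload-or-restart lighttpd" and "systemctl status lighttpd" in monospace. The sentence "Unfortunately it does not keep people ..." should also state plainly that the rewrite rule alone is insufficient and that the url.access-deny block is the actual protection, since the two snippets are currently presented without saying which one is required. The Nginx change (a path list in the location regex plus the ":!:" note that the rule must come before other location rules, with the forum and stackoverflow references) is consistent with the rest of the section.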
Line 241: | Line 199: | ||
< | < | ||
- | location ~ / | + | location ~ / |
deny all; | deny all; | ||
} | } | ||
Line 256: | Line 214: | ||
then add a new " | then add a new " | ||
< | < | ||
- | / | + | / |
</ | </ | ||
Remember to set it as "NON FINAL", | Remember to set it as "NON FINAL", | ||
Line 278: | Line 236: | ||
/bin | /bin | ||
/inc | /inc | ||
+ | /vendor | ||
} | } | ||
} | } | ||
</ | </ | ||
- | |||
- | |||
- | ==== Rename data Directory ==== | ||
- | |||
- | Securing the '' | ||
- | |||
- | To do so, rename your data directory to something cryptic (eg. a long row of letters and numbers) and reconfigure your [[config: | ||
==== Move Directories out of DocRoot ==== | ==== Move Directories out of DocRoot ==== | ||
- | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " | + | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " |
**__WARNING: | **__WARNING: | ||
Line 307: | Line 259: | ||
- Move the '' | - Move the '' | ||
- | - Create a file named preload.php inside the '' | + | - Create a file named '' |
For example, if the '' | For example, if the '' | ||
Line 337: | Line 289: | ||
* [[config: | * [[config: | ||
* all [[auth|authentication settings]] | * all [[auth|authentication settings]] | ||
- | * [[config: | + | * [[config: |
* [[config: | * [[config: | ||
* [[config: | * [[config: | ||
Line 355: | Line 307: | ||
* If you can, review the plugin source code yourself, //before// installing it. | * If you can, review the plugin source code yourself, //before// installing it. | ||
* If in doubt, ask on the [[mailinglist|mailing list]]. | * If in doubt, ask on the [[mailinglist|mailing list]]. | ||
- | * Plugins are installed under the DokuWiki '' | + | * Plugins are installed under the DokuWiki '' |
* Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | ||
* Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | ||
+ | * If in doubt, let plugins be reviewed by a professional first. See [[faq: | ||
See also: [[devel: | See also: [[devel: | ||
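Review bot: The new bullet "If in doubt, let plugins be reviewed by a professional first. See [[faq:" duplicates the lead phrase of the existing bullet "If in doubt, ask on the [[mailinglist|mailing list]]." two lines above; merge the two into one bullet ("If in doubt, ask on the mailing list or have the plugin reviewed first, see ...") or reword the new one so the list does not give two different answers to the same "if in doubt" case.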
Line 372: | Line 325: | ||
* [[install: | * [[install: | ||
* [[tips: | * [[tips: | ||
- | * {{http:// | + | * [[https:// |
- | * [[http:// | + |
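Review bot: The first link is changed from an embedded "{{http://" item to a plain "[[https://" link, which is the right fix (plain HTTPS link instead of an embed), but the second removed entry, "* [[http://", has no replacement on the right-hand side of the diff. Confirm that the link was dropped on purpose (dead or superseded) rather than lost in the edit; if it is still relevant it should be re-added as an https link.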
security.1506457335.txt.gz · Last modified: 2017-09-26 22:22 by 37.132.166.10