security
Differences
This shows you the differences between two versions of the page.
security [2020-03-02 17:15] – Aleksandr | security [2024-02-13 09:17] (current) – undo 178.197.202.230 | ||
Line 11: | Line 11: | ||
When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | ||
+ | * Report through [[https:// | ||
* Submit a [[bugs|bug report]] | * Submit a [[bugs|bug report]] | ||
* Send a mail to the [[mailinglist]] | * Send a mail to the [[mailinglist]] | ||
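Review bot: adding a new first bullet ("Report through ...") silently changes what "The first two ways should be preferred" in the next paragraph refers to: before this edit the first two were the bug report and the mailing list, now they are the new channel and the bug report, and the mailing list has become the third. Either reword that sentence to name the preferred channels explicitly or place the new bullet so the ordering still matches. The bullet should also say whether the new channel is private, because the paragraph's whole point is that very serious bugs must not be made public before a patch exists.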
Line 17: | Line 18: | ||
The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | ||
- | All previous | + | Previous |
Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | ||
Line 33: | Line 34: | ||
* '' | * '' | ||
* '' | * '' | ||
- | * <del>'' | + | * '' |
* '' | * '' | ||
* '' | * '' | ||
- | To check if you need to adjust the access permissions try to access '' | + | To check if you need to adjust the access permissions try to access '' |
- | (More about permissions - [[install: | + | Please note that this has nothing to do with [[install: |
If your directories are not properly secured, read the following subsections on how to do that. | If your directories are not properly secured, read the following subsections on how to do that. | ||
- | EDIT (2017-08-28): | ||
- | |||
- | EDIT (2017-09-26): | ||
- | EDIT (2018-05-01): | ||
==== Deny Directory Access in Apache ==== | ==== Deny Directory Access in Apache ==== | ||
The simplest way is to enable '' | The simplest way is to enable '' | ||
- | DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows (valid for both Apache 2.2 and 2.4): | + | DokuWiki already comes with correctly configured |
< | < | ||
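Review bot: the three dated EDIT notes (2017-08-28, 2017-09-26, 2018-05-01) are deleted outright while the "To check if you need to adjust the access permissions try to access ..." instruction is kept unchanged; if those notes corrected the check procedure or the directory list, fold that content into the body text rather than drop it. The old text also stated that the .htaccess snippet below is valid for both Apache 2.2 and 2.4; keep that claim next to the snippet if it still holds, since the snippet is what admins copy. Restoring the previously struck-through directory to the protected list widens what the check has to cover, so make sure the check sentence mentions it as well.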
Line 64: | Line 61: | ||
</ | </ | ||
- | **Remark**: Using apache2 on Ubuntu, the .htaccess | + | Please note that many distributions have .htaccess |
- | It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. | + | Check this [[https:// |
- | In the ///etc/apache2/sites-available// (or you need to modify | + | Alternatively you can use the [[https://httpd.apache.org/docs/current/mod/core.html# |
- | + | ||
- | There you'll find: | + | |
- | < | ||
- | NameVirtualHost * | ||
- | < | ||
- | ServerAdmin admin@site.com | ||
- | |||
- | DocumentRoot /var/www/ | ||
- | < | ||
- | Options FollowSymLinks | ||
- | AllowOverride None | ||
- | </ | ||
- | < | ||
- | Options Indexes FollowSymLinks MultiViews | ||
- | AllowOverride none | ||
- | Order allow,deny | ||
- | allow from all | ||
- | </ | ||
- | </ | ||
- | Default for AllowOverride in the < | ||
- | |||
- | /// | ||
- | |||
- | : | ||
- | |||
- | (See http:// | ||
- | |||
- | [you can make this change also for the particular directory containing your DokuWiki installation, | ||
- | |||
- | ---- | ||
- | |||
- | The other way is to use '' | ||
< | < | ||
< | < | ||
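Review bot: the removed Ubuntu walkthrough was the only place on the page that showed the actual failure mode: `AllowOverride None` in the `<Directory>` block makes Apache ignore the shipped .htaccess files entirely, so the deny rules never take effect and the directories stay readable. The replacement text should keep that one concrete statement, plus the fix (set AllowOverride for the DokuWiki directory to a value that permits the access-control directives the .htaccess files use, `AllowOverride All` being the simplest), rather than only linking to the AllowOverride documentation. Dropping the `Order allow,deny` / `allow from all` lines is fine, that is Apache 2.2 syntax.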
Line 110: | Line 75: | ||
</ | </ | ||
- | //However see the "What to use When" section here [[http:// | ||
- | |||
- | ---- | ||
- | |||
- | The above could cause a problem if you have another " | ||
- | You can avoid this problem by extending your LocationMatch within your wiki installation folder. | ||
- | < | ||
- | < | ||
- | order deny,allow | ||
- | allow from all | ||
- | </ | ||
- | |||
- | < | ||
- | order allow,deny | ||
- | deny from all | ||
- | satisfy all | ||
- | </ | ||
- | </ | ||
==== Deny Directory Access in IIS ==== | ==== Deny Directory Access in IIS ==== | ||
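Review bot: the removed paragraphs documented a real pitfall of the LocationMatch alternative: a pattern that matches on a bare directory name also matches any other directory of the same name elsewhere under the document root, and the nested block with `satisfy all` was the workaround. If the LocationMatch alternative survives anywhere on the new page, that caveat should survive with it; if the whole alternative was dropped because `order`, `allow from`, `deny from` and `satisfy` are Apache 2.2 directives, a one-line note saying so would stop someone re-adding the 2.2 snippet later.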
Line 217: | Line 164: | ||
==== Deny Directory Access in Lighttpd ==== | ==== Deny Directory Access in Lighttpd ==== | ||
- | Using a [[http:// | + | Using a [[https:// |
+ | url.rewrite-once = ( " | ||
+ | Don't forget to uncomment or add “mod_rewrite” in the server.modules section of / | ||
+ | server.modules += ( | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | ) | ||
+ | Unfortunately it does not keep people | ||
+ | In /etc/lighttpd/ | ||
< | < | ||
- | url.rewrite-once = ( " | + | $HTTP[" |
- | </ | + | url.access-deny = ("" |
- | + | ||
- | Or use ''//" | + | |
- | < | + | |
- | $HTTP[" | + | |
- | url.access-deny = ("" | + | |
} | } | ||
</ | </ | ||
+ | to / | ||
+ | \\ | ||
+ | Restart lighttpd with systemctl reload-or-restart lighttpd and check the status with systemctl status lighttpd | ||
==== Deny Directory Access in Nginx ==== | ==== Deny Directory Access in Nginx ==== | ||
Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | ||
- | In your nginx.conf file add the following location to prevent access to secure directories. | + | In your host configuration file (for example, / |
- | //This instruction | + | :!: Make sure that the rule is processed before other rules that control access to certain files.((See this [[https://forum.dokuwiki.org/d/21122-security-warning-persists/9|forum thread]] and [[https://stackoverflow.com/questions/76369813/why-are-my-jpg-and-png-files-accessible-despite-nginx-access-restriction|stackoverflow]])) |
- | //Or in the virtualhost where you are hosting dokuwiki// | + | |
< | < | ||
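Review bot: in the nginx section, "processed before other rules" needs to be stated in nginx terms, because nginx does not evaluate `location` blocks in file order: an exact (`=`) match wins outright, a longest-prefix match marked `^~` skips the regex locations, and among regex locations the first match in the file wins. So the deny rule for the protected directories must be a regex location placed above every other regex location (for example one matching image extensions, which is exactly the case in the cited stackoverflow question), or the static-file locations must be written so they cannot match paths under those directories. In the lighttpd part, the added text itself says the rewrite "does not keep people" out, so present `url.access-deny` as the required rule and the rewrite as cosmetic; `url.access-deny` is provided by mod_access, which has to be listed in `server.modules` alongside the mod_rewrite entry the reader is told to uncomment.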
Line 287: | Line 240: | ||
} | } | ||
</ | </ | ||
- | |||
- | |||
- | ==== Rename data Directory ==== | ||
- | |||
- | Securing the '' | ||
- | |||
- | To do so, rename your data directory to something cryptic (eg. a long row of letters and numbers) and reconfigure your [[config: | ||
==== Move Directories out of DocRoot ==== | ==== Move Directories out of DocRoot ==== | ||
- | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " | + | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " |
**__WARNING: | **__WARNING: | ||
Line 313: | Line 259: | ||
- Move the '' | - Move the '' | ||
- | - Create a file named preload.php inside the '' | + | - Create a file named '' |
For example, if the '' | For example, if the '' | ||
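Review bot: removing the "Rename data Directory" section is the right call, but it deserves one sentence of justification in the remaining text so the advice does not get re-added: renaming the directory to "something cryptic" only hides it, it does not restrict access, whereas the options the page keeps (deny rules in the web server, or moving the directories out of the document root) do. Also check that the config option the removed section linked to for relocating the data directory is still referenced from the "Move Directories out of DocRoot" procedure, since that procedure is where readers now land.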
Line 343: | Line 289: | ||
* [[config: | * [[config: | ||
* all [[auth|authentication settings]] | * all [[auth|authentication settings]] | ||
- | * [[config: | + | * [[config: |
* [[config: | * [[config: | ||
* [[config: | * [[config: | ||
Line 361: | Line 307: | ||
* If you can, review the plugin source code yourself, //before// installing it. | * If you can, review the plugin source code yourself, //before// installing it. | ||
* If in doubt, ask on the [[mailinglist|mailing list]]. | * If in doubt, ask on the [[mailinglist|mailing list]]. | ||
- | * Plugins are installed under the DokuWiki '' | + | * Plugins are installed under the DokuWiki '' |
* Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | ||
* Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | ||
+ | * If in doubt, let plugins be reviewed by a professional first. See [[faq: | ||
See also: [[devel: | See also: [[devel: | ||
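Review bot: the new bullet opens with "If in doubt" exactly like the bullet three lines above it ("If in doubt, ask on the mailing list"), giving the reader two different instructions for the same condition. Merge them or reword the new one, for example "For plugins you cannot review yourself, have them reviewed by a professional first", so the list reads as one escalation path: review the source, ask on the list, get a professional review.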
Line 378: | Line 325: | ||
* [[install: | * [[install: | ||
* [[tips: | * [[tips: | ||
- | * {{http:// | + | * [[https:// |
- | * [[http:// | + |
security.1583165741.txt.gz · Last modified: 2020-03-02 17:15 by Aleksandr