Securing a Dokuwiki installation

From ThinkServer
Revision as of 03:16, 1 March 2012 by >Samthecrazyman (Small format changes)

In order for the installation of Dokuwiki to be safe on the web, permissions need to be set up on the server so that only the files required are available from the web. This is basically how it works:

  • You give the local web user full access to the whole directory (wwwrun)
  • You then tell the web server not to allow access to certain folders from the web. The system can still access them.

This allows the web server to do what it wants in the local directories, but doesn't allow access to these directories from the web.

What you need to know

  • You'll need to know the directory path to the Dokuwiki installation (for example, /srv/www/htdocs/dokuwiki)
  • Access the YaST HTTP module. You may need to install the yast-http-server package.
  • It maybe a good idea to shut off the Apache server while you do this as you temporarily leave the installation open with full access while setting it up. The service will be restarted automatically after setting up the YaST options.

Changing the file permissions

  1. Open Dolphin to the folder containing your Dokuwiki installation (for example /srv/www/htdocs/). You should see your Dokuwiki folder.
  2. Right-click on the folder and select 'Properties'.
  3. Click on the 'Permissions' tab at the top.
  4. At the bottom of the box, there are two boxes, 'User' and 'Group'.
  5. In the 'User' box, replace the existing user with wwwrun.
  6. In the 'Group' box, replace the existing group with www.
  7. Tick the box underneath that says 'Apply changes to all sub-folders and their contents'.
  8. Click 'OK'. It may take a while for this operation to complete.

Disallowing access in Apache

Before starting this section, the yast-http-server package needs to be installed.

  1. Open YaST and click on HTTP Server.
  2. Select the 'Main host' tab. Click 'Add' on this tab.
  3. In the option box, type or select 'Directory' then click 'OK'. You may receive a warning at this point, it is OK to proceed.

Adding each entry to YaST

  • In the top box, you need to type one of the directories that need securing. There are 4 directories that need to be secured:
    • "/srv/www/htdocs/dokuwiki/data"
    • "/srv/www/htdocs/dokuwiki/conf"
    • "/srv/www/htdocs/dokuwiki/bin"
    • "/srv/www/htdocs/dokuwiki/inc"
  • Notice how the directory has to be typed from root. It must be in quote makes and must not have a / at the end as we are defining a folder for it to use.
  • When you have added the directory, you then need to click the 'Add' box.
  • Type or select in the option box Order then click 'OK'. You will then be presented with a drop-down menu. From the menu select allow,deny then click OK.
  • Click the 'Add' button again. This time in the option box, type or select Deny. Click 'OK'
  • In the option box type from all. Click OK
  • You should now see the following 2 entries:
    • Order allow,deny
    • Deny from all
  • Click OK. This will take you back to the 'Main host' screen. Click 'Add' and repeat these steps for any outstanding directories.
  • Once finished, click the 'Finish' button. This will restart Apache2 for you or start it if you stopped it before configuring.

Checking the Dokuwiki security

Login to your Dokuwiki page and then go to the Admin section. If your security settings are not right, a red box will be on the page explaining the situation. If the box is not there after doing these steps, your configuration is correct. You can also double check by trying to access http://localhost/dokuwiki/data/pages/wiki/dokuwiki.txt. If it throws up an error, the configuration is correct. If you can still read that page, the configuration is not correct.

If you think you have done it right and it still has a red box, try a cache refresh with 'Ctrl+F5' keys. Sometimes it gets stuck in the cache and you need to reload the latest page.

External Links

These are the official Dokuwiki pages on the security settings: