security
Differences
This shows you the differences between two versions of the page.
security [2015-09-05 21:15] – 109.110.43.6 | security [2024-06-12 10:43] (current) – old revision restored (2024-01-30 09:23) saggi | ||
Line 3: | Line 3: | ||
DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system. | DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system. | ||
- | DokuWiki is developed with security in mind. We try to find a balance between user friendliness and security, but favor security when no satisfying compromise can be found. | + | DokuWiki is developed with security in mind. We try to find a balance between user-friendliness and security but favor security when no satisfying compromise can be found. |
This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure. | This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure. | ||
Line 11: | Line 11: | ||
When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | ||
+ | * Report through [[https:// | ||
* Submit a [[bugs|bug report]] | * Submit a [[bugs|bug report]] | ||
* Send a mail to the [[mailinglist]] | * Send a mail to the [[mailinglist]] | ||
Line 17: | Line 18: | ||
The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | ||
- | All previous | + | Previous |
Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | ||
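Review bot: the unchanged sentence at the top of this hunk, "The first two ways should be preferred", now refers to a different pair of options, because the previous hunk inserts a new reporting channel at the head of the list; name the preferred channels explicitly instead of by position so the sentence survives further list edits. The same line also has "world wide", which should be one word, "worldwide".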
Line 35: | Line 36: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
- | To check if you need to adjust the access permissions try to access '' | + | To check if you need to adjust the access permissions try to access '' |
+ | |||
+ | Please note that this has nothing to do with [[install: | ||
If your directories are not properly secured, read the following subsections on how to do that. | If your directories are not properly secured, read the following subsections on how to do that. | ||
+ | |||
==== Deny Directory Access in Apache ==== | ==== Deny Directory Access in Apache ==== | ||
Line 44: | Line 49: | ||
The simplest way is to enable '' | The simplest way is to enable '' | ||
- | DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows (valid for both Apache 2.2 and 2.4): | + | DokuWiki already comes with correctly configured |
< | < | ||
Line 56: | Line 61: | ||
</ | </ | ||
- | **Remark** : Using apache2 on Ubuntu, the .htaccess | + | Please note that many distributions have .htaccess |
- | It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. | + | Check this [[https:// |
- | In the ///etc/apache2/ | + | Alternatively you can use the [[https://httpd.apache.org/docs/current/mod/core.html# |
- | + | ||
- | There you'll find: | + | |
< | < | ||
- | NameVirtualHost * | + | < |
- | < | + | |
- | ServerAdmin admin@site.com | + | |
- | + | ||
- | DocumentRoot /var/www/ | + | |
- | < | + | |
- | Options FollowSymLinks | + | |
- | AllowOverride None | + | |
- | </ | + | |
- | < | + | |
- | Options Indexes FollowSymLinks MultiViews | + | |
- | AllowOverride none | + | |
- | Order allow, | + | |
- | allow from all | + | |
- | </ | + | |
- | </ | + | |
- | Default for AllowOverride in the < | + | |
- | + | ||
- | /// | + | |
- | + | ||
- | (See http:// | + | |
- | + | ||
- | [you can make this change also for the particular directory containing your DokuWiki installation, | + | |
- | + | ||
- | ---- | + | |
- | + | ||
- | The other way is to use '' | + | |
- | < | + | |
- | < | + | |
Order allow,deny | Order allow,deny | ||
Deny from all | Deny from all | ||
Satisfy All | Satisfy All | ||
</ | </ | ||
- | </ | ||
- | |||
- | //However see the "What to use When" section here [[http:// | ||
- | |||
- | ---- | ||
- | |||
- | The above could cause a problem if you have another " | ||
- | You can avoid this problem by extending your LocationMatch within your wiki installation folder. | ||
- | < | ||
- | < | ||
- | order deny,allow | ||
- | allow from all | ||
- | </ | ||
- | |||
- | < | ||
- | order allow,deny | ||
- | deny from all | ||
- | satisfy all | ||
- | </ | ||
</ | </ | ||
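Review bot: the directives retained at the end of the new ''<Directory>''/''<Location>'' example, ''Order allow,deny'' / ''Deny from all'' / ''Satisfy All'', are the Apache 2.2 access-control syntax, which on Apache 2.4 is only accepted when mod_access_compat is loaded; since the paragraph above states the configuration is valid for both 2.2 and 2.4, add the 2.4-native form ''Require all denied'' (or show both forms inside an ''<IfModule mod_authz_core.c>'' / ''<IfModule !mod_authz_core.c>'' pair) so the block does not produce a configuration error on a 2.4 host without the compatibility module.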
Line 131: | Line 87: | ||
- click on "Deny Sequence..." | - click on "Deny Sequence..." | ||
- enter "/ | - enter "/ | ||
- | - Repeat the "Deny Sequence..." | + | - Repeat the "Deny Sequence..." |
Line 167: | Line 123: | ||
<add sequence="/ | <add sequence="/ | ||
<add sequence="/ | <add sequence="/ | ||
+ | <add sequence="/ | ||
</ | </ | ||
</ | </ | ||
Line 183: | Line 140: | ||
* '' | * '' | ||
* '' | * '' | ||
+ | * '' | ||
<file xml web.config> | <file xml web.config> | ||
Line 202: | Line 160: | ||
- Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... | ||
- Choose "By default, all computers will be: Denied access" | - Choose "By default, all computers will be: Denied access" | ||
- | - Repeat this for /data/ /conf/ /bin/ and /inc/ directories | + | - Repeat this for /data/ /conf/ /bin/ /inc/ and /vendor/ directories |
==== Deny Directory Access in Lighttpd ==== | ==== Deny Directory Access in Lighttpd ==== | ||
- | Using a [[http:// | + | Using a [[https:// |
+ | url.rewrite-once = ( " | ||
+ | Don't forget to uncomment | ||
+ | server.modules += ( | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | | ||
+ | ) | ||
+ | Unfortunately it does not keep people out who are using Vivaldi and probably other Chromium based browsers. When combined with “[[https://redmine.lighttpd.net/projects/lighttpd/ | ||
+ | In / | ||
< | < | ||
- | url.rewrite-once = ( " | + | $HTTP[" |
- | </ | + | url.access-deny = ("" |
- | + | ||
- | Or use ''//" | + | |
- | < | + | |
- | $HTTP[" | + | |
- | url.access-deny = ("" | + | |
} | } | ||
</ | </ | ||
+ | to / | ||
+ | \\ | ||
+ | Restart lighttpd with systemctl reload-or-restart lighttpd and check the status with systemctl status lighttpd | ||
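Review bot: the statement that the ''url.rewrite-once'' approach "does not keep people out who are using Vivaldi and probably other Chromium based browsers" means the rewrite is not an access control, since some clients get past it; the ''$HTTP[...]'' / ''url.access-deny'' condition that follows is the actual protection and should be presented as the required configuration, with the rewrite (if kept at all) described only as a cosmetic redirect. The unchanged IIS step at the top of the hunk also has a typo: "chose" should be "choose".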
==== Deny Directory Access in Nginx ==== | ==== Deny Directory Access in Nginx ==== | ||
Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | ||
- | In your nginx.conf file add the following location to prevent access to secure directories. | + | In your host configuration file (for example, / |
- | //This instruction | + | :!: Make sure that the rule is processed before other rules that control access to certain files.((See this [[https://forum.dokuwiki.org/d/21122-security-warning-persists/9|forum thread]] and [[https://stackoverflow.com/questions/76369813/ |
< | < | ||
- | location ~ / | + | location ~ / |
deny all; | deny all; | ||
} | } | ||
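Review bot: the footnote's advice to place the ''location ~ ...'' deny rule "before other rules" is necessary but not sufficient: nginx evaluates regex locations in file order, but an exact (''='') or ''^~'' prefix location that matches one of the protected paths wins regardless of where the regex rule sits, so the note should also state that no ''='' or ''^~'' location may cover these directories.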
Line 234: | Line 199: | ||
< | < | ||
- | location ~ / | + | location ~ / |
deny all; | deny all; | ||
} | } | ||
| | ||
- | location /data/ { | + | location |
internal; | internal; | ||
} | } | ||
</ | </ | ||
- | |||
- | Also disabling access to .htaccess files is recommended: | ||
- | |||
- | < | ||
- | location ~ /\.ht { | ||
- | deny all; | ||
- | } | ||
- | </ | ||
- | |||
- | (comment: nginx does not use htaccess files, so the above directive is meaningless) | ||
==== Deny Directory Access in Cherokee ==== | ==== Deny Directory Access in Cherokee ==== | ||
Line 259: | Line 214: | ||
then add a new " | then add a new " | ||
< | < | ||
- | / | + | / |
</ | </ | ||
Remember to set it as "NON FINAL", | Remember to set it as "NON FINAL", | ||
Line 265: | Line 220: | ||
Then go in " | Then go in " | ||
- | ==== Rename data Directory ==== | + | ==== Deny Directory |
- | + | Here is an example Caddyfile for a wiki served with [[https:// | |
- | Securing the '' | + | < |
- | + | wiki.example.com { | |
- | To do so, rename your data directory to something cryptic (eg. a long row of letters and numbers) and reconfigure your [[config: | + | log / |
+ | root / | ||
+ | # Assuming install/ | ||
+ | # to listen on localhost: | ||
+ | fastcgi / 127.0.0.1: | ||
+ | # This block below sends an HTTP 401 message when | ||
+ | # a client attempts | ||
+ | status 401 { | ||
+ | /data | ||
+ | /conf | ||
+ | /bin | ||
+ | /inc | ||
+ | /vendor | ||
+ | } | ||
+ | } | ||
+ | </ | ||
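Review bot: the ''status 401'' block answers requests for the protected paths with 401 Unauthorized, which signals to clients that credentials would grant access; the Apache, Nginx and Lighttpd sections deny with 403 Forbidden, and the Caddy example should do the same (''status 403'') for consistent and accurate semantics. Note also that ''fastcgi'' and ''status'' are Caddy v1 directives; this Caddyfile will not load on Caddy v2, where the equivalents are ''php_fastcgi'' and ''respond'', so the section should say which Caddy version it targets.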
==== Move Directories out of DocRoot ==== | ==== Move Directories out of DocRoot ==== | ||
- | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " | + | The most secure way to avoid any access to the mentioned directories is to move them outside the so called " |
**__WARNING: | **__WARNING: | ||
Line 289: | Line 259: | ||
- Move the '' | - Move the '' | ||
- | - Create a file named preload.php inside the '' | + | - Create a file named '' |
For example, if the '' | For example, if the '' | ||
Line 319: | Line 289: | ||
* [[config: | * [[config: | ||
* all [[auth|authentication settings]] | * all [[auth|authentication settings]] | ||
- | * [[config: | + | * [[config: |
* [[config: | * [[config: | ||
* [[config: | * [[config: | ||
Line 327: | Line 297: | ||
* [[config: | * [[config: | ||
* [[config: | * [[config: | ||
+ | * [[config: | ||
===== Plugin Security ===== | ===== Plugin Security ===== | ||
Line 336: | Line 307: | ||
* If you can, review the plugin source code yourself, //before// installing it. | * If you can, review the plugin source code yourself, //before// installing it. | ||
* If in doubt, ask on the [[mailinglist|mailing list]]. | * If in doubt, ask on the [[mailinglist|mailing list]]. | ||
- | * Plugins are installed under the DokuWiki '' | + | * Plugins are installed under the DokuWiki '' |
* Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | ||
* Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | ||
+ | * If in doubt, let plugins be reviewed by a professional first. See [[faq: | ||
See also: [[devel: | See also: [[devel: | ||
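Review bot: the new bullet "If in doubt, let plugins be reviewed by a professional first" repeats the opener of the existing bullet "If in doubt, ask on the mailing list" a few lines above; merge them into one item that names both options, or reword the new one (for example, "For plugins that will run on a sensitive installation, have the code reviewed by a professional first").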
Line 353: | Line 325: | ||
* [[install: | * [[install: | ||
* [[tips: | * [[tips: | ||
- | * {{http:// | + | * [[https:// |
- | * [[http:// | + |
security.1441480550.txt.gz · Last modified: 2015-09-05 21:15 by 109.110.43.6