Question
How can I secure the configure script when I do not have access to the httpd.conf file?
I tried using .htaccess but that will disallow all access to the /bin directory, making TWiki not work any longer.
The TWiki documentation says: "The configure script the tool is designed for use by administrators only and should be restricted to invocation by them only, by using the basic Apache authentication."
My webhost allows me to password protect directories only. They say I should move the configure script to another directory and protect that directory. Would that work?
Thank you for your help!
--
MatthiasRoeder - 07 Jun 2007
Answer
Use .htaccess to set an Allow From for your IP address, and no access from any other. See the Apache docs for how to use Allow/Deny.
--
CrawfordCurrie - 09 Jun 2007
Hi Crawford! Unfortunately this will not solve my problem. I want to protect one file in a directory that should otherwise be readable by everyone. If I set up .htaccess the way you suggested, no one but me will be able to read the content of the directory in which my configure script is. And this means that TWiki will not work any longer, right? Thanks again!
--
MatthiasRoeder - 10 Jun 2007
Matthias, take the bin/.htaccess as a template, it has this:
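<FilesMatch "configure.*">
    SetHandler cgi-script
    # Deny every host, then re-allow the listed addresses (space-separated)
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.10
    # Alternatively accept a listed user from .htpasswd
    Require user {Administrators}
    # Any: passing either the host check or the user check grants access
    Satisfy Any
</FilesMatch>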
The {Administrators} is a bit misleading. You can specify user names that exist in the .htpasswd, such as:
Require user UserOne UserTwo UserThree
--
PeterThoeny - 10 Jun 2007
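How the block above decides a request, as an added example (a simplified Python model written for this page, not Apache or TWiki code): it shows that only file names matching the FilesMatch pattern are restricted, and that Satisfy Any accepts either an allowed address or a listed user. The sample requests, the address 203.0.113.7 and the user Mallory are constructed; auth_user stands for a user whose password Apache has already verified.

```python
import re
from ipaddress import ip_address

# Values taken from the <FilesMatch> block and Require line quoted above.
PATTERN = re.compile(r"configure.*")  # FilesMatch regex, not anchored
ALLOW_FROM = {ip_address("127.0.0.1"), ip_address("192.168.1.10")}
REQUIRE_USERS = {"UserOne", "UserTwo", "UserThree"}


def section_applies(path):
    """<FilesMatch> tests the regex against the file's base name with an
    unanchored search, so any name containing 'configure' is covered."""
    return PATTERN.search(path.rsplit("/", 1)[-1]) is not None


def host_ok(client_ip):
    """Order Deny,Allow + Deny from all + Allow from <list>:
    a matching Allow overrides the blanket Deny."""
    return ip_address(client_ip) in ALLOW_FROM


def access_granted(path, client_ip, auth_user=None):
    """auth_user is None for an anonymous request (assumption of this model:
    password verification against .htpasswd has already happened)."""
    if not section_applies(path):
        return True  # this block imposes no restriction on other scripts
    user_ok = auth_user in REQUIRE_USERS
    # Satisfy Any: passing EITHER the host check OR the user check is enough.
    return host_ok(client_ip) or user_ok


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("bin/view", "203.0.113.7", None),
        ("bin/configure", "203.0.113.7", None),
        ("bin/configure", "203.0.113.7", "UserOne"),
        ("bin/configure", "127.0.0.1", None),
    ]
    for path, ip, user in samples:
        print(path, ip, user, "->", access_granted(path, ip, user))
```

With Satisfy Any, a request from a listed address is served without a password prompt; Satisfy All would require both the address and the password.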