################################################################################
# This file contains a setup for TWiki version 4
################################################################################
# Some 'variables' are used that need to be replaced.
#
# TWIKIDIRECTORY == Where TWiki is installed in the filesystem.
#                   For example "/usr/local/TWiki4"
#
# TWIKIPATH      == The URL path through which TWiki can be reached from the web.
#                   For example "/mytools/twiki"
#                   The TWIKIPATH does not end in a slash "/" so we generally
#                   add it in the examples.
#
# This file is situated to be included by a "VirtualHost" or by "httpd.conf".
#
# This file is meant for an Apache 2.2 Web server.
#
# This file uses Apache Login only; no other setups have been tried.
#
# More about Twiki at
#    http://twiki.org/cgi-bin/view/TWiki/WebHome
#
# In particular, more about Authentication at
#    http://twiki.org/cgi-bin/view/TWiki/TWikiUserAuthentication
#
# And more about the "Order" instruction used to allow access at
#    http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order
#

# ------------------------------------------------------------------------------
# In this setup we use "Location", specifying things about the URL path, instead
# of "Directory" which would specify things about the file path. "Location" is
# friendlier in case you move your directories around, but needs some care. In
# particular:
#
# 1) We cannot specifiy that the Apache server follow the symlinks (with
#    "Options +FollowSymlinks". That can only be done through a "Directory"
#    instruction. In case of "Location", the Apache server follows them anyway.
#    Also, there are no symlinks in the TWiki directory tree. Check by
#    running "find . -type l" inside the directory.
# 2) We cannot specify that .htaccess files deposited in the TWiki directory
#    tree be used to override permissions (for example through an
#    "AllowOverride Limit" instruction). In case of "Location", the Apache server
#    does not care about any .htaccess files. We will just have to take more
#    care in specifying access in this file.
#
# If you insist on the above, you can still add:
#
# <Directory "TWIKIDIRECTORY">
#   AllowOverride Limit
#   Options +FollowSymlinks -Indexes
#  </Directory>
#
# How "Directory" and "Location" interact in Apache is described here:
# http://httpd.apache.org/docs/2.2/sections.html#mergin
#
# Note that "Location" is evaluated after "Directory" and so allows access to
# spaces that have been locked through a "Directory" instruction. Also note
# that if multiple URL paths lead to the same file (e.g. through filesysten
# symlinks or different 'Alias' instructions) and not all are locked against
# unauthorized access, then the file can be read through the unlocked URL
# paths!).


# ------------------------------------------------------------------------------
# Create that URL:
# Alias the actual TWiki directory into your URL space. We do *not* need any
# additional 'ScriptAlias' instruction (even though the TWiki documentation
# says so) as we use the 'ExecCGI' option further below. The 'Alias' instruction
# makes the whole of the TWiki directory tree visible from the web, so some
# subdirectories will need additional protection (see even further below). This
# should be done differently in the TWiki distribution - the unreachable
# directories should be "to the side" of the web-accesible directories, not
# "underneath".

Alias TWIKIPATH/ "TWIKIDIRECTORY"

# ------------------------------------------------------------------------------
# We set an environment variable called "anonymous_spider".
# Setting a BrowserMatchNoCase to ^$ is important (the case covered are requests
# to the web server where the browser is the empty string). This prevents TWiki
# from including its own topics as URLs and also prevents other TWikis from
# doing the same. This is important to prevent the most obvious Denial of
# Service attacks. You can expand this by adding more BrowserMatchNoCase
# statements to block evil browser agents trying the impossible task of mirroring
# a TWiki.
# Example: BrowserMatchNoCase ^SiteSucker anonymous_spider
# See http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#browsermatchnocase

BrowserMatchNoCase ^$ anonymous_spider

# ------------------------------------------------------------------------------
# As everything about Twiki is now underneath URL path "TWIKIPATH/", let's
# give some more specific indications about that URL path. We keep
# the access tight - no-one is allowed to do anything (Deny from all)! This
# has the advantage that we can select what to open up with no great risk of
# doing something stupid. The disadvantage is that Apache no longer
# automatically serves the existing "index.html" as index file even if we
# explicitly allow read access to it further below. But as we just need that
# file until configuration has been done, we can access it explicitly as
# "TWIKIPATH/index.html" during configuretion.

<Location "TWIKIPATH/">

    # This directive controls whether requests that contain trailing pathname
    # information that follows an actual filename (or non-existent file in an
    # existing directory) will be accepted or rejected. The trailing pathname
    # information can be made available to scripts in the PATH_INFO environment
    # variable.
    # See "http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo"
    AcceptPathInfo On

    # No automatic indexes, no overrides by local files, no nothing
    Options none

    # Tell us who you are. The 'users' file should NOT be inside the TWIKIDIRECTORY.
    # It is created using the 'htpasswd' Apache Webserver tool.
    AuthName "TWiki access"
    AuthType basic
    AuthUserFile SOMEWHERE/twiki.users
    Require valid-user

    # No-one can access anything until we say otherwise
    Order allow,deny
    Deny from all

</Location>

# ------------------------------------------------------------------------------
# Open up things a bit:
# Allow read access to the toplevel stuff. The most important being probably
# 'robots.txt' if any search engine decides to pass by.

<LocationMatch "TWIKIPATH/(index.html|readme.txt|LICENSE|INSTALL.html|TWikiReleaseNotes04x00.html|robots.txt)">
   Order Deny,Allow
   Allow from all
</LocationMatch>

# ------------------------------------------------------------------------------
# Open up things a bit:
# Stuff in TWiki's "bin" directory is supposed to be executed and accessible
# by all. Thus, in addition to settion "Options ExecCGI", we also set the module
# that handles the scripts to be "cgi-script".

<Location "TWIKIPATH/bin/">
   Order Deny,Allow
   Deny from env=anonymous_spider
   Allow from all
   Options ExecCGI
   SetHandler cgi-script
   #
   # Anyone who wants to execute stuff from here needs authentication.
   # This can be done right here but we already ask for authentication
   # at a the "/tools/" subpath, so we don't bother about anything else.
   # This means that we are using "Apache Login", whereby users log in
   # with some username that need not be a Wiki Name, and that username
   # is mapped by TWiki into a Wiki Name through the contents of the
   # file "TWikiUsers" in web "Main".
   # Check details at
   # http://twiki.org/cgi-bin/view/TWiki/TWikiUserAuthentication

   #
   # ...this has not been tested or found to be needed:
   #
   # File to return on access control error (e.g. wrong password)
   # By convention this is the TWikiRegistration page, that allows users
   # to register with the TWiki. Apache requires this to be a *local* path.
   # ErrorDocument 401 TWIKIPATH/bin/view/TWiki/TWikiRegistration
   #
   # When using Apache type login the following defines the TWiki scripts
   # that makes Apache ask the browser to authenticate. It is correct that
   # scripts such as view are not authenticated. (un-comment to activate)
   #<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
   #       require valid-user
   #</FilesMatch>
   #
</Location>

# ------------------------------------------------------------------------------
# Close things down a bit:
# The "configure" script should not be accessible to anyone except the system
# administrator, which is called 'JohnDoe' here OR which connects from 127.0.0.1.
# Replace JohnDoe with the login name of the administrator or play with the
# Allow/Deny directives.
# The easiest is to set "Deny from all" once configuration is done, this will
# lock up "configure".

<Location "TWIKIPATH/bin/configure">
   Order Deny,Allow
   Deny from all
   # Allow from 127.0.0.1, 192.168.1.10
   # Require user JohnDoe
   # Satisfy Any
</Location>


# ------------------------------------------------------------------------------
# Open things up a bit:
# This sets the options on the 'pub' directory, which contains topics'
# attachments. The attachments are accessed "directly" from the web, without
# passing through a script. This directory is fully accessible from anywhere
# but no scripts are run in that directory.

<Location "TWIKIPATH/pub/">
   Order Deny,Allow
   Allow from all

   # If you have PHP4 or PHP5 installed make sure the directive below is enabled
   # If you do not have PHP installed you will need to comment out the directory below
   # to avoid errors.
   php_admin_flag engine off

   #If you have PHP3 installed make sure the directive below is enabled
   #php3_engine off

   # This line will redefine the mime type for the most common types of scripts
   # It will also deliver HTML files as if they are text files
   AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Location>

# ------------------------------------------------------------------------------
# Close things down a bit:
# Additionally, "pub/_work_areas" is locked against outside access

<Location "TWIKIPATH/pub/_work_areas">
   Order Deny,Allow
   Deny from all
</Location>

# ------------------------------------------------------------------------------
# Finally:
# The index page with path "TWIKIPATH/" show the TWiki index page. Generally
# you do not want to allow access to it. Let's add a 'rewrite' instruction (activate
# this after installation and configuration is finished) which will take care
# of that, pushing users to the Main web:

RewriteEngine On
RewriteRule ^TWIKIPATH/$  https://MACHINE/TWIKIPATH/bin/view/Main/WebHome [L,R=301]

# ------------------------------------------------------------------------------
# Nothing to do with the webserver: Instructions on how to set the Unix file
# system permissions on the TWiki subtree. Use
#
# TWIKI_HOME=/usr/local/TWiki-4.0.5
#
# # The whole subtree belongs to root but is manipulable by group apache
# # (if apache is not the group under which the webserver runs ,change this
# # appropriately)
# chown root.apache $TWIKI_HOME
#
# # Every directory has permissions rwxr-x---
# find $TWIKI_HOME -type d -exec chmod 750 '{}' ';'
#
# # Every file has permissions rw-r-----
# find $TWIKI_HOME -type f -exec chmod 640 '{}' ';'
#
# # All the stuff underneath 'data', including 'data' itself (topics accessed
# # through CGI scripts) can also be modified by group 'apache' so that you can
# # modify and add topics
#
# find $TWIKI_HOME/data -exec chmod g+w '{}' ';'
#
# # All the stuff underneath 'pub', including 'pub' itself (attachments accessed
# # directly from the web) can also be modified by group 'apache' so that you can
# # modify and add attachments
#
# find $TWIKI_HOME/pub -exec chmod g+w '{}' ';'
#
# # All the scripts underneath '/bin' need to have the 'execute' flag set
# # otherwise the webserver won't run them
#
# find $TWIKI_HOME/bin -type f -exec chmod 'o+x,g+x' '{}' ';'
#
# # Same with tools
#
# find $TWIKI_HOME/tools -type f -exec chmod 'o+x,g+x' '{}' ';'
#
# # Not sure about 'lib', I don't think the 'x' flag needs to be set as these files
# # are included by actual executables.
#