# include.d/twiki.full-server			05 Jun 07
#------------------------------------------------------------

#
# TWiki configuration when the whole server has TWiki-managed content.
# This is intended to be included in a vhost-configuration.
#

# After including this configuration snippet, you should also add a
# homepage rewrite rule to your vhost config. This is not done here,
# because we will need different homepages for different servers.


#
# Set up directories and access rights
#

# Allow access to the CGI scripts. Some scripts need authentication.
<Directory "TWIKI_DIR/bin">
	Options       ExecCGI
	SetHandler    cgi-script
	Allow from all

	# Demand authentication
	AuthUserFile TWIKI_DIR/data/.htpasswd
	AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
	AuthType Basic

	<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
		require valid-user
	</FilesMatch>

	<Files "configure">
		# Sadly, I cannot use TWiki groups here.
		#require user TWIKI_ADMIN
		require valid-user
	</Files>

	# File to return on access control error (e.g. no authentication or
	# wrong password) By convention this is the TWikiRegistration page,
	# that allows users to register with the TWiki. But the registration
	# page must only be used on our HTTPS server and Apache requires
	# this to be a *local* path; we will explain and ensure proper
	# behaviour later with our rewrite rules. For now it must suffice
	# that the error URL is abstract and does not really exist.
	ErrorDocument 401 /unathorized.to_be_rewritten
</Directory>

# Take care for access to pub directory tree. Turn off dangerous material.
<Location "/pub">
	# Disallow PHP here if it's used.
	<IfModule mod_php3.c>
		php3_engine off
	</IfModule>
	<IfModule mod_php5.c>
		php_flag engine off
	</IfModule>
	<IfModule mod_php5.c>
		php_flag engine off
	</IfModule>

	# Deliver many problematic attachments as download material.
	# We don't want to allow HTML attachments with XSS attacks. :-)
	# NOTE: Do not use application/octet-stream here; that MIME type is
	# regarded as "ambiguous" by IE and the actual file type will be
	# guessed and maybe executed on the client. See
	# http://msdn2.microsoft.com/en-us/library/ms775147.aspx for a
	# description of that brain-dead behaviour.
	# NOTE 2: Do not use text/plain either, as in the example from the
	# 4.1.2 distribution. It's not only a security risk and open your
	# site to XSS attacks, the intended purpose is questionable --
	# HTML, PHP and CGI attachments shall probably better be
	# downloaded and not shown.
	AddType application/x-download .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Location>

# Don't allow direct access to TWiki data URLs.
# /tmp is added because it's an obvious choice to store session cookies.
<LocationMatch "^/(data|lib|locale|templates|tmp|tools)">
	Order deny,allow
	Deny from all
</LocationMatch>


# We want really short URLs.
#
# Unauthenticated read access is done by
# http://HOSTNAME/Web/WikiTopic.
# No action at all, just get the page.
#
# Write access, management actions, and authenticated read access are
# immediate top-level relative URLs at an HTTPS server. I.e., no /bin/
# prefix, that's not needed. These URLs don't conflict with Web names,
# as all our Web names start with uppercase characters. They also
# don't conflict with /pub.

# Read access is established with mod_rewrite. That's also hardwired
# in the TWiki configuration, without that module it wouldn't work.
# Therefore we have no IfModule here, without mod_rewrite we want to
# get an error.
RewriteEngine on

# Looking at the rewriting logs, we see that /pub URLs are most often
# requested: Here are the icons, where multiple of them are used per
# page. Even though they all return a not_changed response, they must
# traverse the rewriting rules first. So we shortcut them, no need
# to use all other tests on them. Flag PT means pass through to other
# URL-to-filename mapping, and L means to stop rewriting (last rule).
RewriteRule ^/pub		- [PT,L]

# Next we need to handle the 401 ErrorDocument; i.e., the document
# that tells a user that authentication has not succeeded or has been
# aborted. This document is sent by the server together with a
# password challenge and is shown when the user presses _cancel_ on
# the password popup dialog. Above, we defined an abstract URL for it,
# that must now be matched to a file. This must *never* be redirected
# to an external server, otherwise the "client will not know to prompt
# the user for a password since it will not receive the 401 status
# code". (From the Apache 2.2 documentation about the ErrorDocument
# directive.) Therefore we must assure that this URL is always
# satisfied by a file on the current server instance.
#
# If our setup is correct, 401 responses can only be delivered on the HTTPS
# server: Only there authenticated requests are made at all. There we can
# also use the TWikiRegistration page, as intended. But we also care for the
# case of an incorrect setup and provide an alternative page for 401
# responses in HTTP servers. This is a new page that is not part of the
# TWiki distribution.
Rewritecond %{HTTPS}		=on
RewriteRule ^/unathorized.to_be_rewritten /TWiki/TWikiRegistration
Rewritecond %{HTTPS}		=off
RewriteRule ^/unathorized.to_be_rewritten /Main/HttpUnauthorized

# Next, forward all HTTP requests with forms that contain passwords to the
# HTTPS server -- we want encryption of the form content. Make sure that
# these requests _stay_ at the HTTPS server and are not redirected back: Map
# them to the actual script that serves them. Flag NE (no escape) tells no
# escaping of URL chars, R demands a permanent redirect.
Rewritecond %{HTTPS}		=off
RewriteRule ^/TWiki/(ChangeEmailAddress|.*Registration|.*Password).*  https://%{SERVER_NAME}$0  [NE,R=permanent,L]
Rewritecond %{HTTPS}		=on
RewriteRule ^/TWiki/(ChangeEmailAddress|.*Registration|.*Password).*  TWIKI_DIR/bin/view$0 [L]

## For local registration and password change forms, adapt as needed.
#Rewritecond %{HTTPS}		=off
#RewriteRule ^/Main/(.*Registration).*  https://%{SERVER_NAME}$0  [NE,R=permanent,L]
#Rewritecond %{HTTPS}		=on
#RewriteRule ^/Main/(.*Registration).*  TWIKI_DIR/bin/view$0 [L]

# We can now care for the general switch between our HTTP and HTTPS server
# instances with the same name.
#
# First, on the HTTP server all authenticated requests are redirected
# to the HTTPS server.
RewriteCond %{HTTPS}		=off
RewriteRule ^/(attach|edit|manage|rename|save|upload|mail|logon|\w+auth|configure).*  https://%{SERVER_NAME}$0 [NE,R=permanent,L]

# On the HTTPS server, all non-authenticated user requests are redirected to
# the HTTP server. There are also internal (sub-)requests that appear when
# /pathinfo URL parts are analyzed and path_translated is constructed. Thus,
# if our request belongs _not_ to the authenticated ones and is also _not_ a
# subrequest (flag NS), we allow evaluation of the next rewrite rule (flag
# C, chain on match). Then the complete URL is redirected. We must not use
# the negated match in the actual rewrite rule: In a negated match, $0 is
# always empty, we would redirect to the home page.
RewriteCond %{HTTPS}		=on
RewriteRule !^/(attach|edit|manage|rename|save|upload|mail|logon|\w+auth|configure|environment.cgi) - [NS,C]
RewriteRule ^.*			http://%{SERVER_NAME}$0 [NE,R=permanent,L]

# If we didn't get redirected, we're one of:
#  -- an initial authenticated action on the HTTPS server
#  -- an initial authenticated action on the HTTP server
#  -- a subrequest on either the HTTP or the HTTPS server
#  -- a read-access URL that looks like /Web/TopicName on the HTTP server.
# Let's handle the latter case: we rewrite all URLs that start with
# uppercase letters to use the view script. This is used for all
# unauthenticated views, and for subrequests of authenticated actions.
# Actually, we only check for the leading uppercase and underscore char, not
# for any properly named topic.
RewriteRule ^/[A-Z_].*		TWIKI_DIR/bin/view$0  [L]


# When we have not been redirected or no final filename has been determined,
# the rewrite module passes the URL to other URL-to-filename modules.
# According to the case above, we have now an action that shall be done in
# the current server. We provide ScriptAlias definitions for all actions,
# even though only some of them will be actually used -- the others will
# have been redirected above. But this way we can use the same definitions
# for both server instances, some of them are simply never invoked.
#
# The actions are without any .../bin/ prefix. Please note that we
# still add a ScriptAlias definition for /view, in case some script
# constructs such a URL in spite our short-URL configuration. (That cares
# for the wrong base href bug in TWiki 4.1.2.)
ScriptAlias /attach		TWIKI_DIR/bin/attach
ScriptAlias /configure		TWIKI_DIR/bin/configure
ScriptAlias /changes		TWIKI_DIR/bin/changes
ScriptAlias /edit		TWIKI_DIR/bin/edit
ScriptAlias /login		TWIKI_DIR/bin/login
ScriptAlias /logon		TWIKI_DIR/bin/logon
ScriptAlias /manage		TWIKI_DIR/bin/manage
ScriptAlias /oops		TWIKI_DIR/bin/oops
ScriptAlias /passwd		TWIKI_DIR/bin/passwd
ScriptAlias /preview		TWIKI_DIR/bin/preview
ScriptAlias /rdiff		TWIKI_DIR/bin/rdiff
ScriptAlias /rdiffauth		TWIKI_DIR/bin/rdiffauth
ScriptAlias /register		TWIKI_DIR/bin/register
ScriptAlias /rename		TWIKI_DIR/bin/rename
ScriptAlias /resetpasswd	TWIKI_DIR/bin/resetpasswd
ScriptAlias /rest		TWIKI_DIR/bin/rest
ScriptAlias /save		TWIKI_DIR/bin/save
ScriptAlias /search		TWIKI_DIR/bin/search
ScriptAlias /statistics		TWIKI_DIR/bin/statistics
# twiki is a dispatcher script; not used directly
#ScriptAlias /twiki		TWIKI_DIR/bin/twiki
ScriptAlias /upload		TWIKI_DIR/bin/upload
ScriptAlias /view		TWIKI_DIR/bin/view
ScriptAlias /viewauth		TWIKI_DIR/bin/viewauth
ScriptAlias /viewfile		TWIKI_DIR/bin/viewfile
# For Debugging
#ScriptAlias /testenv		TWIKI_DIR/bin/testenv