
Question

How can I secure the configure script when I do not have access to the httpd.conf file?

I tried using .htaccess but that will disallow all access to the /bin directory, making TWiki not work any longer.

The TWiki documentation says: "The configure script the tool is designed for use by administrators only and should be restricted to invocation by them only, by using the basic Apache authentication."

My webhost allows me to password protect directories only. They say I should move the configure script to another directory and protect that directory. Would that work?

Thank you for your help!

Environment

TWiki version: TWikiRelease04x01x02
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: Linux 2.6.9-34.106.unsupportedsmp (x86_64-linux)
Web server: Apache/1.3.37
Perl version:  
Client OS:  
Web Browser:  
Categories: Htaccess

-- MatthiasRoeder - 07 Jun 2007

Answer


Use .htaccess to set an Allow From for your IP address, and no access from any other. See the Apache docs for how to use Allow/Deny.

-- CrawfordCurrie - 09 Jun 2007

Hi Crawford! Unfortunately this will not solve my problem. I want to protect one file in a directory that should otherwise be readable by everyone. If I set up .htaccess the way you suggested, no one but me will be able to read the content of the directory in which my configure script is. And this means that TWiki will not work any longer, right? Thanks again!

-- MatthiasRoeder - 10 Jun 2007

Matthias, take the bin/.htaccess as a template, it has this:

<FilesMatch "configure.*">
   SetHandler cgi-script
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1 192.168.1.10
   Require user {Administrators}
   Satisfy Any
</FilesMatch>

The {Administrators} is a bit misleading. You can specify user names that exist in the .htpasswd, such as:

Require user UserOne UserTwo UserThree

-- PeterThoeny - 10 Jun 2007
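The following is an added example, not part of the posts above or of TWiki's shipped template: a bin/.htaccess fragment that scopes authentication to the configure script only, so the other scripts in bin/ stay publicly reachable. The AuthUserFile path and realm name are placeholders, and it assumes the host allows the AuthConfig, Limit and FileInfo overrides in .htaccess.

```apache
# bin/.htaccess fragment (Apache 1.3 / 2.2 access-control syntax).
# Placeholder values: the AuthUserFile path and the AuthName realm.

# Directory-wide form, as written by a host's "password protect directory"
# tool. In bin/ it would challenge every script, including view, which is
# the breakage described in the question:
#   AuthType Basic
#   AuthName "TWiki admin"
#   AuthUserFile /home/example/private/.htpasswd
#   Require valid-user

# Scoped form: only files whose name matches "configure.*" are restricted.
<FilesMatch "configure.*">
    SetHandler cgi-script

    # Require user only works when an auth scheme and password file are set.
    # Keep the password file outside the web-served tree.
    AuthType Basic
    AuthName "TWiki admin"
    AuthUserFile /home/example/private/.htpasswd
    Require user UserOne UserTwo

    # Host rule: hosts are separated by spaces, not commas.
    # On a shared server 127.0.0.1 is the server itself, not your desktop;
    # delete the Allow line to rely on the password alone.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.10

    # Any: a listed address OR a valid login is sufficient.
    # All: a listed address AND a valid login are both required.
    Satisfy Any
</FilesMatch>
```

After uploading, request bin/configure from a browser session with no saved credentials and confirm the server answers with a 401 challenge. Then confirm bin/view still loads without one.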

 
Topic revision: r4 - 10 Jun 2007 - 16:49:01 - PeterThoeny
 