SID-02408: Allow Twiki to be browsable for certain subnet
| Status: | Asked | TWiki version: | 6.0.1 | Perl version: | |
| Category: | CategorySecurity | Server OS: | CentOS 7.6 | Last update: | 6 years ago |
Hi, is there any way to allow only the 192.168.1.0/23 subnet to browse and use Twiki, and block the rest?
In a common PHP website we are able to do that by using .htaccess, but if I understood this correctly, .htaccess with Twiki is run by scripts; also, just creating a common .htaccess in the parent root directory for Apache to look at breaks the whole CSS and Twiki.
Is there any way to block all networks except 192.168.1.0/23?
Thank you in advance.
--
Vladimir Travalja - 2019-05-23
Discussion and Answer
There should be no difference between a PHP application or TWiki there: TWiki does not look at .htaccess files itself. Only the web server evaluates .htaccess files.
Also, running TWiki from a central .htaccess file doesn't necessarily break TWiki if you get the paths correct. A central configuration file can also be included by Apache. For that case, ApacheConfigGenerator can generate a configuration file for you, and you can then manually insert the IP restrictions into the file copied from there (the syntax and rules differ between Apache versions).
--
Harald Jörg - 2019-05-23
Hi again Harald.
I see that in my httpd conf the DocumentRoot is set to /var/www/html/twiki/, but there is no .htaccess located in that root directory; in fact the only .htaccess that I found is in /bin, where it is named ".htaccess.txt".
Why is that? Should I set my .htaccess in the bin or /var/www/html/twiki/ ?
Also, when I put this in .htaccess:
RewriteEngine On
order deny,allow
deny from all
allow from 192.168.1.0/23
the whole CSS falls apart...
Any clue what that is?
--
Vladimir Travalja - 2019-05-23
About .htaccess.txt: As described in the TWikiInstallationGuide, this file is just a template for TWiki installations where you don't have access to the Apache configuration file. In such situations, .htaccess can be used to activate CGI processing, and for access control to the files in bin (that's why it sits there). This template is not suited to configure access to style sheets and images. If, on the other hand, you have access to the file system, then I really strongly recommend that you use the ApacheConfigGenerator to create the configuration file for TWiki. There's no need to fiddle with .htaccess files at all in this case. The config generator allows you to choose between "old" Apache (up to 2.2) and recent versions (2.4 or newer) syntax; all you need to do is to provide the directory names where your TWiki is installed and the URLs where TWiki's own configuration in lib/LocalSite.cfg points to.
About your configuration snippet: I don't use Apache any more, but this seems strange: You activate the RewriteEngine, but I don't see any rules for this engine. Apache's mod_rewrite is powerful but complex: Any rules elsewhere in your configuration might break TWiki.
The following access control rules in your snippet are for mod_authz_host in Apache 2.2, whereas as far as I know, CentOS 7.6 ships with Apache 2.4.
If you have a DocumentRoot set to /var/www/html/twiki/ then your pub directory should be located at /var/www/html/twiki/pub, and there's no need at all for .htaccess files. It is best to do your access control in your httpd.conf or one of the files it includes, with the correct syntax for your Apache version.
--
Harald Jörg - 2019-05-23
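The advice in the answer above, sketched as an added example that is not part of the thread and is not ApacheConfigGenerator output: the subnet restriction placed in httpd.conf (or a file it includes) with Apache 2.4 syntax, beside the 2.2 form from the question. It assumes the TWiki tree lives under the DocumentRoot /var/www/html/twiki/ named in the thread; the rest of the TWiki configuration (CGI handling for bin, and so on) is left to the generated file.

```apache
# Added example; goes into httpd.conf or a file it includes, not into .htaccess.

# Apache 2.2 form, as posted in the question (kept here only for comparison).
# On Apache 2.4 these directives are handled by mod_access_compat and are
# deprecated; do not mix them with "Require" in the same configuration.
#   Order deny,allow
#   Deny from all
#   Allow from 192.168.1.0/23

# Apache 2.4 form (mod_authz_core / mod_authz_host).
# One block on the parent directory covers both bin (the scripts) and
# pub (style sheets and images), so pages and their CSS get the same rule.
<Directory "/var/www/html/twiki">
    # The /23 network that contains 192.168.1.0 is 192.168.0.0/23, i.e. the
    # addresses 192.168.0.0 through 192.168.1.255. It is written here with the
    # host bits cleared; use 192.168.1.0/24 instead if only 192.168.1.x
    # clients are meant to have access.
    Require ip 192.168.0.0/23

    # Access control lives in this file, so .htaccess files below this
    # directory are not read at all.
    AllowOverride None
</Directory>
```

Run `httpd -v` to confirm which Apache version is installed and `apachectl configtest` to check the syntax before reloading.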