You are here: Support Web>ApacheConfigGenerator (09 Feb 2010)

Apache Config Generator

This page creates an Apache configuration file foswiki.conf for your installation. Fill out the form, and then press the [Update Config File] button. Copy and paste the generated configuration into your Apache configuration file.

For setting up Foswiki on Linux or Unix, see also SettingFileAccessRightsLinuxUnix.

Note: Some people, including many using web hosts, can't edit http.conf. If this applies to you, do not bother using this page - edit the various .htaccess template files included in the download. (They have instructions in them. Their filenames are all different, but include "htaccess.txt" in them.)

Note: Some people, including many using web hosts, can't edit http.conf. If this applies to you, do not bother using this page - edit the various .htaccess template files included in the download. (They have instructions in them. Their filenames are all different, but include "htaccess.txt" in them.)

Base server information

Some people use Name Based virtual hosting. If you want to define a virtual host, enter the qualified hostname here, otherwise leave blank. You can also enter an optional port number. (Port not needed on most systems) Example: foswiki.myhost.com
Host Name: (optional) Port: (optional)

Enter the full file path to your foswiki root directory: Foswiki does not work with directory names containing spaces (especially important to notice for Windows users). So choose an installation directory without spaces.
Path: (mandatory, no spaces)

Will you require Symbolic Links in the pub/ or bin/ directories?
(optional)

Enter the url path which foswiki is accessed :
(For shortest URL's, you can enter only the slash).
URL Path: (mandatory)

Short-URLs: _When you enable this, you can omit the bin/view/ from the URLs. Use domain.tld/foswiki/System/WebHome instead of the normal domain.tld/foswiki/bin/view/System/WebHome
Enabled
Disabled

Runtime Engine: Choose the way foswiki is supposed to run (see FoswikiStandAlone). Select CGI if in doubt.
CGI
FastCGI
mod_perl

FastCGI module: mod_fastcgi mod_fcgid

Apache version: 1.x 2.x

Before you enable mod_perl in your webserver, you have to configure Foswiki. Otherwise, you'll face a chicken-and-egg problem, and would get something like this in your Apache error logs:

[error] Content-type: text/plain\n\nPerl error when reading LocalSite.cfg: \nPlease inform the site admin.\nBEGIN failed--

Security related settings

Protect the `bin/configure` command

It is strongly recommended that the configure script be protected. It can be protected by IP address(es), User name(s) or both (cf. ProtectingYourConfiguration).

Enter the IP address range or hostnames that will have access to configure
Separate with spaces. Can be partial networks (example: localhost 192.168.1.2 192.168.2) :
(optional)
OR AND
Enter the list of user names that are allowed to access configure
Separate multiple names with spaces, can't be a name you use to edit Foswiki. Names must exist in .htpasswd file:
(recommended)

Foswiki login support

Choose your Login Manager:
None - No login
TemplateLogin - Redirect to the login template, which asks for a username and password in a form
ApacheLogin - Apache is configured to ask for authorization information
Location of .htpasswd file: (optional - if blank, defaults to "/var/www/foswiki/data" omit trailing slash.)

Page to return when authentication fails:
UserRegistration
ResetPassword
None. Use Apache default 401 message
Custom: (enter Web/TopicName )

Attachments

Prevent execution of attached files as PHP scripts if PHP is installed:
PHP4/5 Installed
PHP3 Installed
No PHP Installed

Block direct access to viewing attachments that ends with .htm or .html:
Check to block access: (recommended against spam abuse)

Block direct access to viewing attachments in Trash web
Check to block access: (recommended against spam abuse)

In some installations it is important to protect attached files with the same access controls that are applied to the owning topic. If this option is selected, the configuration will include some rewrite rules that redirect web access to attachments to the bin/viewfile script.

Note that this option can have a significant impact on performance.
Also, this option is incompatible with ImageGalleryPlugin as it writes to /pub/images which is not a valid web name.
Viewfile sets the mime type based upon file name suffix. Unknown types are served as text/plain which can result in corrupt files.
This option will also add some rewrite rules that bypass viewfile for certain graphics files - review the comments in the configuration carefully!

Do you want apply Foswiki access controls to attachments by redirecting access to the viewfile script?
Check to control attachment access: (optional)

Spiders and Robots

Do you want to include rules to block access from well known robot agents? Note, the default list includes well known robots including Google.
Check to deny access: (Recommended for public sites)

default foswiki.conf

Press the "Update config file" button to generate your custom config

By pressing the button below you select all the text in the textarea. Then you just need to copy the text to the clipboard and paste it into the foswiki.conf file.

# Autogenerated httpd.conf file for Foswiki.
# Generated at http://foswiki.org/Support/ApacheConfigGenerator?vhost=;port=;dir=/var/www/foswiki;symlink=;pathurl= /foswiki;shorterurls=enabled;engine=CGI;fastcgimodule=fastcgi;apver=2;allowconf=;requireconf=;loginmanager=None;htpath=;errordocument=UserRegistration;errorcustom=;phpinstalled=PHP4;blockpubhtml=;blocktrashpub=;controlattach=;blockspiders=;foswikiversion=1.0.0

# For Foswiki version 1.0.0






# The Alias defines a url that points to the root of the Foswiki installation.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/foswiki/bin/view/...
# The second parameter must point to the physical path on your disc.

ScriptAlias /foswiki/bin "/var/www/foswiki/bin"

# The following Alias is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.  
# If short URLs are enabled, and any other local directories or files need to be accessed directly, they 
# must also be specified in an Alias statement, and must not conflict with a web name.  

Alias /foswiki/pub "/var/www/foswiki/pub"
Alias /foswiki/robots.txt "/var/www/foswiki/robots.txt"



#  Rewriting is required for Short URLs, and Attachment redirecting to viewfile
RewriteEngine    on
#RewriteLog "/var/log/apache/rewrite.log"  
#RewriteLogLevel 0   
 


# short urls
Alias /foswiki "/var/www/foswiki/bin/view"
RewriteRule ^/+foswiki/+bin/+view/+(.*) /foswiki/$1 [L,NE,R]
RewriteRule ^/+foswiki/+bin/+view$ /foswiki/ [L,NE,R]





# This enables access to the documents in the Foswiki root directory
<Directory "/var/www/foswiki">
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess
</Directory>



# This specifies the options on the Foswiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
# Note:  If you use SELinux, you also have to "Allow httpd cgi support" in your SELinux policies

<Directory "/var/www/foswiki/bin">
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options +ExecCGI  -FollowSymLinks
    SetHandler cgi-script

    # Password file for Foswiki users
    AuthUserFile /var/www/foswiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 /foswiki/System/UserRegistration

    # Limit access to configure to specific IP address(es) or user(s).
    # Make sure configure is not open to the general public.
    # It exposes system details that can help attackers.
    # cf. http://foswiki.org/Support/ProtectingYourConfiguration for details.
    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        
        Satisfy Any
    </FilesMatch>

</Directory>

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by Foswiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/www/foswiki/pub">
    Options None
    Options -FollowSymLinks
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess
    ErrorDocument 404 /foswiki/bin/viewfile

    # Disable execution of PHP scripts
    php_admin_flag engine off

    # This line will redefine the mime type for the most common types of scripts
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
   #
   #add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
   # reducing the load on the server significantly
   #IF you can, you should enable this - it _will_ improve your Foswiki experience, even if you set it to under one day. 
   # you may need to enable expires_module in your main apache config
   #LoadModule expires_module libexec/httpd/mod_expires.so
   #AddModule mod_expires.c
   #<ifmodule mod_expires.c>
   #  <filesmatch "\.(jpg|gif|png|css|js)$">
   #       ExpiresActive on
   #       ExpiresDefault "access plus 11 days"
   #   </filesmatch>
   #</ifmodule>
   #
   # Serve pre-compressed versions of .js and .css files, if they exist
   # Some browsers do not handle this correctly, which is why it is disabled by default
   # <FilesMatch "\.(js|css)$">
   #         RewriteEngine on
   #         RewriteCond %{HTTP:Accept-encoding} gzip
   #         RewriteCond %{REQUEST_FILENAME}.gz -f
   #         RewriteRule ^(.*)$ %{REQUEST_URI}.gz [L,QSA]
   # </FilesMatch>
   # <FilesMatch "\.(js|css)\?.*$">
   #         RewriteEngine on
   #         RewriteCond %{HTTP:Accept-encoding} gzip
   #         RewriteCond %{REQUEST_FILENAME}.gz -f
   #         RewriteRule ^([^?]*)\?(.*)$ $1.gz?$2 [L]
   # </FilesMatch>
   # <FilesMatch "\.js\.gz(\?.*)?$">
   #         AddEncoding x-gzip .gz
   #         AddType application/x-javascript .gz
   # </FilesMatch>
   # <FilesMatch "\.css\.gz(\?.*)?$">
   #         AddEncoding x-gzip .gz
   #         AddType text/css .gz
   # </FilesMatch>


</Directory>

# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.
<Directory "/var/www/foswiki/data">
    deny from all
</Directory>

<Directory "/var/www/foswiki/templates">
    deny from all
</Directory>

<Directory "/var/www/foswiki/lib">
    deny from all
</Directory>

<Directory "/var/www/foswiki/locale">
    deny from all
</Directory>

<Directory "/var/www/foswiki/tools">
    deny from all
</Directory>

<Directory "/var/www/foswiki/working">
    deny from all
</Directory>

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
# including its own topics as URLs and also prevents other Foswikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a Foswiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess


BrowserMatchNoCase ^$ blockAccess

Comments

"AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi"

Be aware that this directive introduces an issue if for example you have the associated html page for the wysiwyg editor. as the text/html document will have text/plain mime type. Maybe wise to limit the coverage of the directory or location.

History

removed the handy W3C? tools from the blocked list. -- WillNorris - 18 Feb 2009
ending % was missing for a %PATHURL in a ScriptAlias? declaration -- ColasNahaboo - 23 Feb 2009
Noted can't use a configure user as an editing wiki user -- MartinCleaver - 23 Mar 2009
Remove /bin/view from the ErrorDocument? strings if shorturls enabled - otherwise Apache fails to prompt for password - 5 Apr 2009
Disabled TinyMCE? plugin as it messes up with the layout -- OlivierRaginel - 06 Apr 2009
Reorganized, added support for protecting attachments, FollowSymLinks? -- GeorgeClark - 11 Apr 2009
Simplified viewfile regex - should fix compile failure on Apache startup.
Allow any wiki topic to be specified as the not-authorized page
Allow location of .htpasswd to be overridden
Add an optional port # for the Virtual host. So you can specify :80, :443, or whatever on the statement.
Fixed htpasswd to default to data directory if left blank, otherwise overrides path - 3 Sept 2009
Added (commented out) rules for serving pre-compressed .js and .css -- MichaelTempest - 22 Sep 2009
Moved LocationMatch for fcgi outside of the directory.
Add an Alias statement for robots.txt when short URLs are enabled
Add or/and configuration of access control to bin/configure command -- TobiasVonDerKrone - 11 Dec 2009

Wanted improvements.

For ShortURLs? , I had to (at least for what I'm doing at SSLForNonViewScriptsOnly), add Alias /error/ "/usr/share/apache2/error/" above Alias / "/srv/www/vhosts/wiki.trin.org.au/foswiki/bin/view/"

BasicForm edit

TopicClassification	AdminTopic
Topic Summary	The famous ApacheConfigGenerator
Interested Parties
Related Topics

Topic revision: r46 - 09 Feb 2010 - 00:14:34 - DanDascalescu

Support.ApacheConfigGenerator moved from Development.ApacheConfigGenerator on 14 Nov 2008 - 15:19 by KennethLavrsen - put it back

Support

Tools

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement.