FarmApacheConfiguration

Summary: An attempt to secure a Pmwiki Farm with apache configuration
Version: 2.2 (should work with 2.1)
Prerequisites: Full Access to the Apache web server, Pmwiki2.2 already installed and configured to run a Farm
Status:
Maintainer: Isidor
Categories: Security WikiFarms

Questions answered by this recipe

When you are running dozens of Fields in a Farm and have to configure a vhost for each one, securing and modifying the Apache vhosts can be painful.

This recipe describes a way to simplify vhost setup and secure the Fields at the same time ;-)

Description

How to configure Apache when running a PmwikiFarm.

Howto

Farm structure

/var/www/                                       
        |-- default                             (web document root) 
        |-- pmwiki.conf                         (some files not accessible from the web)
        |-- _tmp                                (if safe mode activated)
        |
        |-- pmwiki22/
        |           |-- pmwiki.php              (pmwiki.php used by the farm)
        |           |-- wiki.d/                 (wiki's page storage)
        |           |-- wikilib.d/              (wikilib's page storage)
        |           |-- local/                  (wiki's local configuration)
        |           |        |-- farmconfig.php (config for all the Farm Fields)
        |           |-- cookbook/               (wiki's recipes)
        |           |-- uploads/                (Farm page attachments)
        |           `-- pub/                    (Farm&Fields publicly-accessible files)
        |-- field01 /
        |           |-- field.php               (wrapper script for the Field)
        |           |-- wiki.d/                 (Field page storage)
        |           |-- local/                  (Field local configuration)
        |           |        |-- config.php     (config for the Field)
        |           |        |-- Group.php      (config for the Group pages)
        |           |        `-- Group.Name.php (config for the Group.Name page)
        |           |-- uploads/                (wiki's page attachments)
        |           |-- [pub/cookbook]          (only if needed for this Field)
        |-- field02 /...
        |-- field03 /...
        |-- field04 /...
        *
        |-- field99 /...

The field.php wrapper script

It can be a single line:

<?php include('/var/www/pmwiki22/pmwiki.php');

Vhost serving the fields

<VirtualHost 192.168.107.128:80>
  ServerName  field.example.org
  ServerAlias field01.example.org
#.....
  ServerAlias field99.example.org

  ## Apache Standard Directives 
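  # Should be a default page with something or not
  # (comments sit on their own line: Apache does not accept them after a directive)
  DocumentRoot "/var/www/default/"
  ServerSignature Off
  # Every option carries a +/- prefix: Apache 2.4 rejects a mix of prefixed and bare options
  Options -Indexes +FollowSymLinks +MultiViews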
  # others Apache directives

  ## Rewriting
  RewriteEngine on
  RewriteMap    lowercase                       int:tolower
  RewriteMap    vhost                           txt:/var/www/pmwiki.conf/vmhost.map
  ## Excluding uploads/pub directories and htm/html/txt files
  RewriteCond   %{REQUEST_URI}                  !^/(uploads|pub)/
  RewriteCond   %{REQUEST_URI}                  !\.(html?|txt)$
  ## Rewriting anything else as a wiki Page 
  RewriteCond   ${lowercase:%{SERVER_NAME}}     ^(.+)$
  RewriteCond   ${vhost:%1}                     ^(/.*)$
  RewriteRule   ^/(.*)$                         %1/field.php?n=$1 [L,qsappend]
  ## Rewriting for the uploads/pub directories
  RewriteCond   %{REQUEST_URI}                  ^/(uploads|pub)/
  RewriteCond   ${lowercase:%{SERVER_NAME}}     ^(.+)$
  RewriteCond   ${vhost:%1}                     ^(/.*)$
  RewriteRule   ^/(.*)$                         %1/$1
  ## Rewriting for htm/html/txt files
  RewriteCond   %{REQUEST_URI}                  !^/(uploads|pub)/
  RewriteCond   %{REQUEST_URI}                  \.(html?|txt|php)$
  RewriteCond   ${lowercase:%{SERVER_NAME}}     ^(.+)$
  RewriteCond   ${vhost:%1}                     ^(/.*)$
  RewriteRule   ^/(.*)$                         %1/$1

  ## And we want to log to a single file, with the host as a prefix
  LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" hcombined
  CustomLog /var/log/apache2/pmwikiAll.log hcombined

  ## Attempt to secure PHP
  ## (comments sit on their own line: Apache does not accept them after a directive)
  # so we go for safe mode (only exists in PHP older than 5.4)
  php_admin_flag  safe_mode On
  # extends session life
  php_value session.gc_maxlifetime 14000
  # be careful
  php_admin_value open_basedir "/var/www/"
  php_admin_value upload_tmp_dir "/var/www/pmwiki/_tmp"
  ## Protecting uploads/pub directories
  <Directory ~ "/(uploads|pub)/">
    # Again
    Options -Indexes +FollowSymLinks +MultiViews
    ## Either enable the next two directives
    # no php running
    #php_flag engine Off
    # .php served as .txt
    #AddType text/plain .php
    ## or enable the next directive
    # colorize the .php files
    AddType application/x-httpd-php-source .php
  </Directory>

</VirtualHost>  

Virtual Map for the hosts

#######################################################################################
## VM for the pmwiki sites
##
#######################################################################################
## Production sites
field01.example.org     /var/www/pmwiki/field01                 # Field01 Website
field01.example.com     /var/www/pmwiki/field01                 # alias for Field01 Website
#...
field99.example.org     /var/www/pmwiki/field99                 # Field99 Website
## EOF
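
The map decides which directory each Host name is served from, so it is worth checking before Apache is reloaded. The following Python check is an added example, not part of the recipe: it verifies that each key is lower-case (the rules look up ${lowercase:%{SERVER_NAME}}), that each target is an absolute path (required by the ^(/.*)$ condition) and that it lies under the open_basedir value from the vhost. The function name and the sample map text are constructed for illustration.

```python
import posixpath

OPEN_BASEDIR = "/var/www/"  # php_admin_value open_basedir from the vhost

# Constructed sample in the vmhost.map layout (not the recipe's real map).
SAMPLE_MAP = """\
## constructed sample
field01.example.org     /var/www/pmwiki/field01     # fine
Field02.example.org     /var/www/pmwiki/field02     # mixed-case key
field03.example.org     var/www/pmwiki/field03      # relative target
field04.example.org     /var/www/../etc             # leaves open_basedir
field01.example.org     /var/www/pmwiki/other       # host listed twice
field05.example.org
"""

def lint_vhost_map(text, basedir=OPEN_BASEDIR):
    """Return (line_number, host, problem) tuples for a txt: RewriteMap."""
    problems, seen = [], {}
    base = posixpath.normpath(basedir)
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or full-line comment
        host = fields[0]
        if len(fields) < 2 or fields[1].startswith("#"):
            problems.append((lineno, host, "no target path"))
            continue
        target = fields[1]
        if host != host.lower():
            # The rules look up the lower-cased server name.
            problems.append((lineno, host, "key is not lower-case"))
        if host.lower() in seen:
            problems.append((lineno, host, f"duplicate of line {seen[host.lower()]}"))
        seen.setdefault(host.lower(), lineno)
        if not target.startswith("/"):
            # RewriteCond ${vhost:%1} ^(/.*)$ only accepts an absolute path.
            problems.append((lineno, host, "target is not absolute"))
        elif posixpath.commonpath([base, posixpath.normpath(target)]) != base:
            # Lexical check only: symlinks are not resolved.
            problems.append((lineno, host, "target outside open_basedir"))
    return problems

if __name__ == "__main__":
    for lineno, host, problem in lint_vhost_map(SAMPLE_MAP):
        print(f"line {lineno}: {host}: {problem}")
```

An empty result means every entry passed these three checks; it says nothing about the permissions of the target directories.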

Notes

Release Notes

  • 20070607: Draft presented

See Also

All farm related cookBooks WikiFarmsAdvanced

Contributors

Isidor ...

Comments

See discussion at FarmApacheConfiguration-Talk
