# Example httpd.conf file for Foswiki.
#
# You are recommended to use  http://foswiki.org/Support/ApacheConfigGenerator
# to help you configure Apache. The ApacheConfigGenerator is set up to support
# Short URLs and other important features.
#
# ### APACHE 2.4 Users.  This configuration requires mod_access_compat to be
# enabled for backwards compatbility.  This is an Apache 2.2 configuration.
#
# You could also take a copy of this file and edit
# the paths to match your installation. Most Linux distributions are setup so
# Apache includes all config files that ends with .conf within a specific
# directory. If your distribution does not have this feature then add:
# include "/var/www/foswiki/foswiki_httpd.conf"
# to the end of your main httpd.conf file.
#
# The first parameter will be part of the URL to your installation e.g.
# http://example.com/foswiki/bin/view/...
# The second parameter must point to the physical path on your disk. Be
# careful not to lose any trailing /'s.

#### Change the _second_ path to match your local installation
ScriptAlias /foswiki/bin "/var/www/foswiki/bin"

# This defines a url that points to the pub directory of the foswiki installation. It is
# used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
Alias /foswiki/pub "/var/www/foswiki/pub"

# This enables access to the documents in the Foswiki root directory
<Directory "/var/www/foswiki">
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess
</Directory>

# This alias enables access to the documents in the Foswiki root directory.
# You may comment this out if you do not desire that people have this access.
#### Change the path to match your local installation
Alias /foswiki "/var/www/foswiki"

# Block access to typical spam related attachments (.htm and .html files)
# Except the Foswiki directory which is read only and does have attached html files.
# You should uncomment the two lines below if the Foswiki is on the public Internet
#SetEnvIf Request_URI "/foswiki/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
#SetEnvIf Request_URI "/foswiki/pub/System/.*\.[hH][tT][mM][lL]?$" !blockAccess

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
# including its own topics as URLs and also prevents other Foswikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a Foswiki.
# http://foswiki.org/Support/ApacheConfigGenerator has a good list
# of bad spiders to block.
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^$ blockAccess

# Setting the NO_FOSWIKI_SESSION environment variable prevents a
# session being created for the Google Search Appliance bot. This
# is useful if you have the Google Search Appliance installed on
# your intranet, as they can be very aggressive when indexing, creating
# a lot of session files and slowing Foswiki down.
# You can also set this environment variable for public sites, to
# prevent Google and other search engines' bots. However, these tend
# to index your site a lot less often than the Google Search Appliance.
#BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION


# This specifies the options on the Foswiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.

#### Change the path to match your local installation
<Directory "/var/www/foswiki/bin">
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options ExecCGI FollowSymLinks
    SetHandler cgi-script

# When using Apache type login the below blocks define the Foswiki scripts
# that makes Apache ask the browser to authenticate, and the locations of
# the Password files.  

    # Password file for Foswiki users.  Uncomment if using Apache based login
    #AuthUserFile /var/www/foswiki/data/.htpasswd
    #AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    #AuthType Basic

    # Also uncomment this block for Apache login.  Be sure that all scripts that you want to  authenticate are matched here:
    #  It is normal not to authenticate view, rest and jsonrpc.
    #<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
    #    require valid-user
    #</FilesMatch>

    # For htdigest authentication suport uncomment the following block 
    # as an alternative to the Password file block and replace
    # {DefaultUrlHost} with your default URL host   http://yoursite.com
    #AuthDigestDomain / {DefaultUrlHost}
    #AuthDigestFile /var/www/foswiki/data/.htdigest
    #BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
    #AuthDigestProvider file
    # For "Digest" authentication to work properly, this string must match
    # the value of configuration variable $authRealm
    #AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    #AuthType Digest

    # File to return on access control error (e.g. wrong password)
    # By convention this is the UserRegistration page, that allows users
    # to register with the Foswiki. Apache requires this to be a *local* path.
    # Comment this out if you setup Foswiki to completely deny access to WikiGuest
    # in all webs or change the path to a static html page.
    ErrorDocument 401 /foswiki/bin/view/System/UserRegistration
    # Alternatively if your users are all known to be registered you may want
    # to redirect them to the ResetPassword page.
    # ErrorDocument 401 /foswiki/bin/view/System/ResetPassword

</Directory>


# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Finally all execution of PHP and other scripts is disabled.

# Note that files in pub are *not* protected by Foswiki Access Controls,
# so if you want to control access to files attached to topics, you may
# need to add your own .htaccess files to subdirectories of pub. See the
# Apache documentation on .htaccess for more info.

#### Change the path to match your local installation
<Directory "/var/www/foswiki/pub">
    #if you are using an svn checkout an pseudo-install.pl, you will need to enable symlinks
    #Options FollowSymLinks
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    # If you have PHP installed as Apache module, one of the below directives will ensure
    # that it is disabled.   The "ifmodule" statements should prevent this from causing
    # errors if php is not installed.

    <ifmodule mod_php3.c>
        php3_engine off
    </ifmodule>
    <ifmodule mod_php4.c>
        php_admin_flag engine off
    </ifmodule>
    <ifmodule mod_php5.c>
        php_admin_flag engine off
    </ifmodule>

    # This line will redefine the mime type for the most common types of scripts
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi

    #for TWikiCompatibility - or even to make 'attachment not found's more user friendly
    ErrorDocument 404 /foswiki/bin/viewfile

#
#add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
#IF you can, you should enable this - it _will_ improve your Foswiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config
#LoadModule expires_module libexec/httpd/mod_expires.so
#AddModule mod_expires.c
#<ifmodule mod_expires.c>
#  <filesmatch "\.(jpg|gif|png|css|js)$">
#       ExpiresActive on
#       ExpiresDefault "access plus 11 days"
#   </filesmatch>
#</ifmodule>
#

</Directory>


# Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
# We prevent viewing any attachments directly from pub
#### Change the path to match your local installation
<Directory "/var/www/foswiki/pub/Trash">
	deny from all
</Directory>


# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.

#### Change the paths to match your local installation
<Directory "/var/www/foswiki/data">
    deny from all
</Directory>

<Directory "/var/www/foswiki/templates">
    deny from all
</Directory>

<Directory "/var/www/foswiki/lib">
    deny from all
</Directory>

<Directory "/var/www/foswiki/locale">
    deny from all
</Directory>

<Directory "/var/www/foswiki/tools">
    deny from all
</Directory>

<Directory "/var/www/foswiki/working">
    deny from all
</Directory>
