On Sat, Jan 29, 2005 at 04:39:58PM +0000, Rusty Shackleford wrote:
I've read this page:
http://meta.wikimedia.org/wiki/Documentation:Security
but I'd like to know how to require editors to log in first, and how to disable account creation.
Add the following lines to LocalSettings.php:

    # Prevent new user registrations - only users with sysop status can
    # create users.
    $wgWhitelistAccount = array ( "sysop" => 1 );

    # You must be a logged in user to edit pages. Combining this
    # restriction with the previous restriction means we control who can
    # edit pages.
    $wgWhitelistEdit = true;

You should notice that the login page is different - all you'll have now are two boxes for username and password rather than the five seen previously.
Also, I'm not sure how to disable running PHP scripts in any directories except the script directories. Can I just copy this to the end of my httpd.conf file and then reboot the server:
<Location "/wiki/images">
    php_admin_flag engine off
    AddType text/plain .html .htm .shtml
</Location>
I think so. I've used <Directory /some/where/images> instead of location, but it works for me.
All related comments on how to secure a wiki are welcome.
You may want to add an Apache rewrite rule so that requests for the login page are redirected to use HTTPS and passwords are encrypted:

    RewriteCond %{QUERY_STRING} ^title=Special:Userlogin
    RewriteRule /(.*) https://wiki.example.com/$1 [R,L,QSA]

You'll need to make sure it's either in a HTTP VirtualHost or add a RewriteCond to check it was a HTTP request, possibly using %{SERVER_PROTOCOL}. Once you've redirected to HTTPS your browser should stay using HTTPS, protecting the cookies MediaWiki sets.
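
Added example, not part of the original message: a small Python model of the two rewrite directives above, run over constructed request URLs to check which login-page requests the rule actually moves to HTTPS. It assumes the rule sits in the HTTP VirtualHost and that the wiki is served from /wiki/index.php (a hypothetical path); the Python regexes stand in for mod_rewrite's matching.

```python
import re
from urllib.parse import urlsplit

# The two directives from the message, modelled in per-server (VirtualHost) context.
COND_QUERY = re.compile(r"^title=Special:Userlogin")  # RewriteCond %{QUERY_STRING}
RULE_PATH = re.compile(r"/(.*)")                       # RewriteRule pattern
TARGET = "https://wiki.example.com/{0}"                # substitution, {0} is $1


def apply_rule(url):
    """Return the redirect Location for a request URL, or None if the rule does not fire."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None  # assumption: the rule lives only in the HTTP VirtualHost
    # mod_rewrite tests the raw (not URL-decoded) query string.
    if not COND_QUERY.search(parts.query):
        return None
    m = RULE_PATH.search(parts.path)
    if not m:
        return None
    location = TARGET.format(m.group(1))
    # The substitution has no '?', so the original query string is carried over.
    if parts.query:
        location += "?" + parts.query
    return location


# Constructed sample requests (paths are hypothetical, host is from the message).
SAMPLES = [
    "http://wiki.example.com/wiki/index.php?title=Special:Userlogin",
    "http://wiki.example.com/wiki/index.php?title=Special:Userlogin&returnto=Main_Page",
    "http://wiki.example.com/wiki/index.php?returnto=Main_Page&title=Special:Userlogin",
    "http://wiki.example.com/wiki/index.php?title=Special%3AUserlogin",
    "http://wiki.example.com/wiki/index.php/Special:Userlogin",
    "http://wiki.example.com/wiki/index.php?title=Main_Page",
]


def coverage(samples=SAMPLES):
    """Map each sample URL to its redirect target (None means it stays on HTTP)."""
    return {url: apply_rule(url) for url in samples}


if __name__ == "__main__":
    for url, location in coverage().items():
        print(f"{url}\n    -> {location or 'no redirect'}")
```

Only the first two samples are redirected; the reordered-parameter, percent-encoded and path-style forms of the login URL are the cases to check against the links your own wiki generates.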