[Mediawiki-l] How to secure new wiki?

John Tobin John.Tobin at cs.tcd.ie
Mon Jan 31 11:51:54 UTC 2005


On Sat, Jan 29, 2005 at 04:39:58PM +0000, Rusty Shackleford wrote:
> I've read this page:
> 
>     http://meta.wikimedia.org/wiki/Documentation:Security
> 
> but I'd like to know how to require editors to log in first, and how to
> disable account creation.

Add the following lines to LocalSettings.php:
	# Prevent new user registrations - only users with sysop status can
	# create users.
	$wgWhitelistAccount = array ( "sysop" => 1 );
	# You must be a logged in user to edit pages.  Combining this
	# restriction with the previous restriction means we control who can
	# edit pages.
	$wgWhitelistEdit = true;

You should notice that the login page is different - all you'll have now
are two boxes for username and password rather than the five seen
previously.

> Also, I'm not sure how to disable running PHP scripts in any directories
> except the script directories.  Can I just copy this at the end of my
> httpd.conf file and then reboot the server:
> 
> <Location "/wiki/images">
>  php_admin_flag engine off
>  AddType text/plain .html .htm .shtml
> </Location>

I think so.  I've used <Directory /some/where/images> instead of
location, but it works for me.

> All related comments on how to secure a wiki are welcome.

You may want to add an Apache rewrite rule so that requests for the
login page are redirected to use HTTPS and passwords are encrypted:
	RewriteCond %{QUERY_STRING}     ^title=Special:Userlogin
	RewriteRule /(.*) https://wiki.example.com/$1 [R,L,QSA]
You'll need to make sure it's either in a HTTP VirtualHost or add a
RewriteCond to check it was a HTTP request, possibly using
%{SERVER_PROTOCOL}.  Once you've redirected to HTTPS your browser should
stay using HTTPS, protecting the cookies MediaWiki sets.

-- 
John Tobin
"OS/370 is a truly remarkable operating system. It's possible to destroy
days of work with a single misplaced space, so alertness in the
programming staff is encouraged."
                   -- http://www.pbm.com/~lindahl/real.programmers.html
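
Added example, not part of the original post: the two Apache measures discussed in this thread as one httpd.conf fragment for Apache 2.x with mod_rewrite and mod_php loaded. The /var/www paths and the port-80 VirtualHost layout are assumptions. The redirect tests %{HTTPS}, which mod_rewrite sets to "on" or "off" per connection; %{SERVER_PROTOCOL} holds the HTTP version string (for example HTTP/1.1) on both plain and TLS connections.

```apache
# Added example. wiki.example.com comes from the thread; the paths below
# are assumed and must be adjusted to the real installation.

<VirtualHost *:80>
    ServerName wiki.example.com
    DocumentRoot /var/www

    RewriteEngine On
    # Only plain-HTTP requests reach this vhost, but the explicit test keeps
    # the rule from looping if it is ever moved to server-wide configuration.
    RewriteCond %{HTTPS} !=on
    # Match the login page even when "title" is not the first parameter.
    RewriteCond %{QUERY_STRING} (^|&)title=Special:Userlogin
    # The query string is carried over to the HTTPS URL.
    RewriteRule ^/(.*)$ https://wiki.example.com/$1 [R,L,QSA]
</VirtualHost>

# Upload directory: files here are user-supplied, so nothing in it should be
# executed or rendered as active content.
<Directory "/var/www/wiki/images">
    # Requires mod_php; Apache refuses to start on this line without it.
    php_admin_flag engine off
    # Serve uploaded HTML as plain text so browsers do not render it.
    AddType text/plain .html .htm .shtml
    # Ignore any .htaccess file that ends up in the upload tree.
    AllowOverride None
</Directory>
```

Run "apachectl configtest" before restarting Apache, then confirm that a .php file placed in the images directory is not executed when requested.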