# Sample bin/.htaccess file.   If you require .htaccess files for your apache
# configuration, tailor this file using the below instructions.
#
# Controls access to Foswiki scripts - to make Apache use it, rename this
# file to 'bin/.htaccess' and REPLACE THE FOLLOWING STRINGS WHEREVER YOU SEE
# THEM IN THIS FILE WITH PATHS SPECIFIC TO YOUR INSTALLATION.
# Most required values have corresponding items in the  Path Settings section of
# configure.   The following 4 strings must be updated:
#
# {DataDir}
# {DefaultUrlHost}
# {ScriptUrlPath}
# {Administrators}
#
# Replace {DataDir} with the full path of the Topic files store (file path, not
# URL) e.g. /usr/local/foswiki/data   Do not include a trailing slash.  Do not
# include the { or } in the results.
#
# Example:   "Change all"  {DataDir} /var/www/foswiki/data
#   AuthUserFile {DataDir}/.htpasswd      becomes
#   AuthUserFile /var/www/foswiki/data/.htpasswd
#
# Replace {DefaultUrlHost} with the root of all Foswiki URLs e.g.
# http://myhost.com:123.  This is only used for htdigest authentication and
# can be ignored in most installations.  Do not include a trailing slash
#
# Replace {ScriptUrlPath} with the 'cgi-bin' part of URLs used
# to access the Foswiki bin  directory e.g. '/foswiki/cgi-bin'
#
# Note:  The combined {DefaultUrlHost}{ScriptUrlPath} will be used as the URL prefix:
# to access the foswiki scripts.  For example, to access the /view script:
#    http://myhost.com:123/foswiki/cgi-bin/view
#    {DefaultUrlHost     }{ScriptUrlPath }/view
#
# Replace {Administrators} with a space-separated list of the login
# name(s) of the person(s) allowed to run the configure script
# e.g. admin configure root superhero
# Note that these users must typically be added to .htpasswd manually if
# Foswiki is not operational enough to register the users.
#
# When this file has been completely tailored, complete your configuration at:
# {DefaultUrlHost}{ScriptUrlPath}/configure

# We set an environment variable called anonymous_spider
# Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
# including its own topics as URLs and also prevents other Foswikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a Foswiki
# Example:
# BrowserMatchNoCase ^SiteSucker anonymous_spider
BrowserMatchNoCase ^$ anonymous_spider

# Now set default access rights.
Order Allow,Deny
Allow from all
Deny from env=anonymous_spider

# Use CGI & Perl to handle all files in 'bin' directory, i.e. run as scripts -
# this should remove the need to rename files to end in '.pl' etc, if your web
# hosting provider permits this.  Remove if using mod_perl.  Look at
# http://foswiki.org/Extensions/FastCGIEngineContrib to get info about FastCGI
# support.
SetHandler cgi-script

# Password file for Foswiki users
#

# Authentication type (htpasswd file) (comment out this if you configure htpasswd / LDAP support)
AuthUserFile {DataDir}/.htpasswd
AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic

#for htdigest password suport uncomment the following
#AuthDigestDomain / {DefaultUrlHost}
#AuthDigestFile {DataDir}/.htdigest
#BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
#AuthDigestProvider file
#AuthUserFile {DataDir}/.htpasswd
# For "Digest" authentication to work properly, this string must match
# the value of configuration variable $authRealm
#AuthName 'Enter your WikiName. (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
#AuthType Digest

#for LDAP password support uncomment the following (and fix up the paths)
#AuthLDAPURL ldap://yourldapserver/dc=yourldapserver,dc=com?uid?sub?(objectClass=posixAccount)
#AuthLDAPGroupAttribute memberUid
#AuthLDAPGroupAttributeIsDN off
#<Limit GET POST PUT>
#    require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
#</Limit>
#AuthName ByPassword
#AuthType Basic

# File to return on access control error (e.g. wrong password)
# By convention this is the UserRegistration page, that allows users
# to register with the Foswiki. Apache requires this to be a *local* path.
# Comment this out if you setup Foswiki to completely deny access to WikiGuest
# in all webs or change the path to a static html page.
ErrorDocument 401 {ScriptUrlPath}/view/System/UserRegistration
# Alternatively if your users are all known to be registered you may want
# to redirect them to the ResetPassword page.
# ErrorDocument 401 {ScriptUrlPath}/view/System/ResetPassword 

# Set options for excuting CGI and allow symlinks for e.g. viewauth
# This also unsets any options allowing directory indexing etc.
Options ExecCGI FollowSymLinks

# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# IP addresses are entered space delimited, and can wildcarded by
# omitting octets from the end,  ie,  Allow from 127 192.168
# The configure script is designed for administrators only.
# The script itself and the information it reveals can be abused by
# attackers if not properly protected against public access.
#  - ErrorDocument should point to apache default - redirecting to a Foswiki 
#    script may not be functional yet.
<FilesMatch "configure.*">
	SetHandler cgi-script
	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1 192.168.1.10
	Require user {Administrators}
	Satisfy Any
	ErrorDocument 401 default
</FilesMatch>

# These are scripts that might change content. The regular expression uses ".*"
# at the end so it matches the scripts even if you had to add a .cgi or .pl
# extension. If you want to require login for any other scripts, modify the
# regular expression below as appropriate.

# NB. The resetpasswd & passwd scripts are used to reset and change passwords.
# They do their own validation of the user and therefore
# should not use "require valid-user"

# When using Apache type login the following defines the Foswiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view, resetpasswd & passwd are not authenticated.
# (un-comment to activate)
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
#       require valid-user
#</FilesMatch>