Difference between revisions of "Pretty URL/mediawiki"
Line 211: | Line 211: | ||
== The Ultimate Pretty URL configuration for MediaWiki on Nginx == | == The Ultimate Pretty URL configuration for MediaWiki on Nginx == | ||
+ | <div style="color:red;background-color:yellow;">Warning, this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails not working)</div> | ||
<syntaxhighlight lang="php" line> | <syntaxhighlight lang="php" line> | ||
+ | # This file is managed remotely, all changes will be lost | ||
+ | # nginx server configuration for: | ||
+ | # - https://wiki.ncigt.org/ | ||
+ | server { | ||
+ | listen 80; | ||
+ | listen [::]:80; | ||
+ | server_name wiki.ncigt.org; | ||
+ | root /var/www/clients/wiki.ncigt.org; | ||
+ | include snippets/acme-challenge.conf; | ||
+ | location / { | ||
+ | return 301 https://$host$request_uri; | ||
+ | } | ||
+ | } | ||
server { | server { | ||
+ | listen 443 ssl; | ||
+ | listen [::]:443 ssl http2; | ||
+ | |||
+ | ssl_certificate /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem; | ||
+ | ssl_certificate_key /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem; | ||
+ | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | ssl_ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs | ||
+ | ssl_dhparam /etc/pki/dhparam/set0; | ||
+ | ssl_ecdh_curve secp384r1; | ||
+ | ssl_stapling on; | ||
+ | ssl_stapling_verify on; | ||
+ | ssl_trusted_certificate /etc/pki/realms/domain/trusted.crt; | ||
+ | resolver 8.8.8.8 8.8.4.4 valid=300s; | ||
+ | resolver_timeout 5s; | ||
+ | add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; | ||
+ | add_header X-Content-Type-Options "nosniff" always; | ||
+ | add_header X-Frame-Options "SAMEORIGIN" always; | ||
+ | add_header X-XSS-Protection "1; mode=block"; | ||
+ | add_header Referrer-Policy "same-origin"; | ||
+ | |||
+ | server_name wiki.ncigt.org; | ||
+ | |||
+ | root /var/www/clients/wiki.ncigt.org; | ||
+ | |||
+ | include snippets/acme-challenge.conf; | ||
+ | |||
+ | keepalive_timeout 60; | ||
+ | |||
+ | access_log /var/log/nginx/wiki.ncigt.org_access.log; | ||
+ | error_log /var/log/nginx/wiki.ncigt.org_error.log; | ||
+ | index index.html index.htm index.php; | ||
# [...] | # [...] | ||
+ | # setup simple way to take site down | ||
if (-f $document_root/maintenance.html) { | if (-f $document_root/maintenance.html) { | ||
− | + | return 503; | |
} | } | ||
error_page 503 @maintenance; | error_page 503 @maintenance; | ||
location @maintenance { | location @maintenance { | ||
− | + | rewrite ^(.*)$ /maintenance.html break; | |
} | } | ||
Line 233: | Line 280: | ||
# https://tools.ietf.org/html/rfc5785 | # https://tools.ietf.org/html/rfc5785 | ||
location ~ /\.(?!well-known/) { | location ~ /\.(?!well-known/) { | ||
− | + | return 404; | |
} | } | ||
location = /nginx_status { | location = /nginx_status { | ||
− | + | stub_status on; | |
− | + | access_log off; | |
− | + | allow 127.0.0.1/32; | |
− | + | allow ::1/128; | |
− | + | allow 67.205.190.17; | |
− | + | allow 10.10.0.11; | |
− | + | allow 10.136.225.163; | |
− | + | deny all; | |
} | } | ||
# Favicon | # Favicon | ||
location = /favicon.ico { | location = /favicon.ico { | ||
− | + | alias /w/images/6/64/Favicon.ico; | |
− | + | add_header Cache-Control "public"; | |
− | + | expires 7d; | |
− | + | access_log off; | |
− | + | log_not_found off; | |
} | } | ||
− | + | # Location for the wiki's root | |
− | + | location /w/ { | |
− | + | # Do this inside of a location so it can be negated | |
− | + | location ~ \.php$ { | |
− | + | try_files $uri $uri/ =404; # Don't let php execute non-existent php files | |
− | + | include fastcgi.conf; | |
− | + | #Mitigate HTTPOXY attacks (https://httpoxy.org) | |
− | + | fastcgi_param HTTP_PROXY ""; | |
− | + | fastcgi_pass php5_www-data; | |
− | + | } | |
# MediaWiki assets (usually images) | # MediaWiki assets (usually images) | ||
location ~ ^/w/resources/(assets|lib|src) { | location ~ ^/w/resources/(assets|lib|src) { | ||
− | + | try_files $uri 404; | |
− | + | add_header Cache-Control "public"; | |
− | + | expires 7d; | |
} | } | ||
# Assets, scripts and styles from skins and extensions | # Assets, scripts and styles from skins and extensions | ||
location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ { | location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ { | ||
− | + | try_files $uri 404; | |
− | + | add_header Cache-Control "public"; | |
− | + | expires 7d; | |
} | } | ||
− | + | } | |
− | + | # Separate location for images/ so .php execution won't apply | |
− | + | location /w/images { | |
− | + | ||
− | + | location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ { | |
− | + | # Thumbnail handler for MediaWiki | |
− | + | # This location only matches on a thumbnail's url | |
− | + | # If the file does not exist we use @thumb to run the thumb.php script | |
− | + | try_files $uri $uri/ @thumb; | |
− | + | } | |
− | + | } | |
# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist | # Thumbnail 404 handler, only called by try_files when a thumbnail does not exist | ||
− | + | location @thumb { | |
− | + | # Do a rewrite here so that thumb.php gets the correct arguments | |
− | + | rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2; | |
− | + | rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1; | |
− | + | ||
− | + | # Run the thumb.php script | |
− | + | include /etc/nginx/fastcgi_params; | |
− | + | fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php; | |
− | + | fastcgi_pass php5_www-data; | |
− | + | } | |
− | + | # Deny access to deleted images folder | |
− | + | location /w/images/deleted { deny all; } | |
− | + | ||
− | + | # Deny access to folders MediaWiki has a .htaccess deny in | |
− | + | location /w/cache { deny all; } | |
− | + | location /w/languages { deny all; } | |
− | + | location /w/maintenance { deny all; } | |
− | + | location /w/serialized { deny all; } | |
# Deny access to the installer | # Deny access to the installer | ||
− | + | location /w/mw-config { deny all; } | |
# Handling for the article path | # Handling for the article path | ||
− | + | location /wiki { | |
− | + | include /etc/nginx/fastcgi_params; | |
− | + | # article path should always be passed to index.php | |
− | + | fastcgi_param SCRIPT_FILENAME $document_root/w/index.php; | |
− | + | fastcgi_pass php5_www-data; | |
− | + | } | |
− | + | } | |
</syntaxhighlight> | </syntaxhighlight> |
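Review bot: The new TLS block still enables TLS 1.0 and 1.1 (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`), both deprecated by RFC 8996; I would restrict it to `ssl_protocols TLSv1.2;` and add `TLSv1.3` where the nginx/OpenSSL build supports it. The security headers added at server level are also not sent from the favicon, `/w/resources` and skins/extensions locations, because nginx inherits `add_header` from the enclosing level only when a location defines none of its own, and each of those sets `Cache-Control`. Repeat the headers that matter in those locations, and add `always` to the `Strict-Transport-Security` line so it is also sent on error responses. The `try_files $uri 404;` lines in the second hunk need `=404`, since a bare `404` is treated as a fallback URI rather than a status code. The new `/wiki` and `@thumb` blocks pass requests to PHP without the `fastcgi_param HTTP_PROXY "";` line that the `\.php$` block has.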
Revision as of 08:44, 15 November 2019
The purpose of this page is to merge two different Pretty URL configurations for MediaWiki on Nginx into one ultimate configuration. The first is my current configuration, which combines what comes from DebOps with the code found on MediaWiki.org. The second is the configuration suggested by shorturls.redwerks.org.
My Nginx Conf[edit | edit source]
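server {

    # [...]

    # Maintenance switch: while maintenance.html exists in the document root,
    # every request is answered with 503 and the static page below.
    if (-f $document_root/maintenance.html) {
        return 503;
    }
    error_page 503 @maintenance;
    location @maintenance {
        rewrite ^(.*)$ /maintenance.html break;
    }

    # Disallow access to hidden files and directories, except `/.well-known/`
    # https://www.mnot.net/blog/2010/04/07/well-known
    # https://tools.ietf.org/html/rfc5785
    location ~ /\.(?!well-known/) {
        return 404;
    }

    #location = /favicon.ico {
    #    try_files /favicon.ico =204;
    #    access_log off;
    #    log_not_found off;
    #}

    # Status endpoint, reachable only from loopback and the listed addresses.
    location = /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1/32;
        allow ::1/128;
        allow 67.205.190.17;
        allow 10.10.0.11;
        allow 10.136.225.163;
        deny all;
    }

    # Generic PHP handler for any URI ending in .php (no PATH_INFO part).
    # Regex locations are tested in the order they appear and the first match
    # wins, so this block and the next one take precedence over every later
    # regex location for the same URI.
    location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
        try_files $script_name =404;

        include fastcgi.conf;

        # Mitigate HTTPOXY attacks (https://httpoxy.org/)
        fastcgi_param HTTP_PROXY "";

        fastcgi_index index.php;
        fastcgi_pass php5_www-data;
    }

    # Generic PHP handler for script.php/extra/path requests.
    location ~ ^(?<script_name>.+\.php)(?<path_info>/.*)$ {
        try_files $script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$script_name;
        fastcgi_param PATH_INFO $path_info;
        #fastcgi_param PATH_TRANSLATED $document_root$path_info;

        # Mitigate HTTPOXY attacks (https://httpoxy.org/)
        fastcgi_param HTTP_PROXY "";

        fastcgi_index index.php;
        fastcgi_pass php5_www-data;
    }
    #### All the following rules added for pretty URLs
    # NOTE(review): this entry-point whitelist is never selected as written.
    # The generic `.+\.php` regex above appears first and matches the same
    # URIs, so every .php file under the root stays executable, including
    # /w/maintenance/ and /w/mw-config/. Remove the generic handlers or deny
    # those directories if only these entry points should run.
    location ~ ^/w/(index|load|api|thumb|opensearch_desc)\.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
    }

    # Images
    # `^~` stops nginx from testing the server-level regex locations once this
    # prefix is the best match. A plain prefix location does not do that: the
    # generic .php handlers above would still be chosen for /w/images/*.php,
    # so an uploaded .php file would be executed.
    location ^~ /w/images {
        # Separate location for images/ so .php execution won't apply

        # `^~` also skips the server-level hidden-file rule, so repeat it here.
        location ~ /\.(?!well-known/) {
            return 404;
        }
    }
    # `^~` for the same reason: otherwise the .php regexes override this deny.
    location ^~ /w/images/deleted {
        # Deny access to deleted images folder
        deny all;
    }
    # MediaWiki assets (usually images)
    location ~ ^/w/resources/(assets|lib|src) {
        # `=404` returns the status code; a bare `404` would be taken as a
        # fallback URI.
        try_files $uri =404;
        add_header Cache-Control "public";
        expires 7d;
    }
    # Assets, scripts and styles from skins and extensions
    location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {
        try_files $uri =404;
        add_header Cache-Control "public";
        expires 7d;
    }
    # Favicon
    location = /favicon.ico {
        # NOTE(review): `alias` takes a filesystem path, so this points at
        # /w/images/... on disk rather than below the document root. Confirm
        # the intended file location.
        alias /w/images/6/64/Favicon.ico;
        add_header Cache-Control "public";
        expires 7d;
        access_log off;
        log_not_found off;
    }

    ## Uncomment the following code if you wish to use the installer/updater
    ## installer/updater
    #location /w/mw-config/ {
    #    # Do this inside of a location so it can be negated
    #    location ~ \.php$ {
    #        include /etc/nginx/fastcgi_params;
    #        fastcgi_param SCRIPT_FILENAME $document_root/w/mw-config/$fastcgi_script_name;
    #        fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
    #    }
    #}

    # Handling for the article path (pretty URLs)
    location /wiki/ {
        rewrite ^/wiki(?:/(?<pagename>.*))$ /w/index.php;
    }

    # Allow robots.txt in case you have one
    location = /robots.txt {
    }
    # Explicit access to the root website, redirect to main page (adapt as needed)
    # location = / {
    #     return 301 /wiki/Main_Page;
    # }

    # # Every other entry point will be disallowed.
    # # Add specific rules for other entry points/images as needed above this
    # location / {
    #     return 404;
    # }
    #### All the above rules added for pretty URLs
    client_max_body_size 500m;
}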
RedWerks Short URL[edit | edit source]
from https://shorturls.redwerks.org/?url=https%3A%2F%2Fwww.slicer.org%2Fwiki%2F
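server {
    # [...]

    # Location for the wiki's root
    location /w/ {
        # Do this inside of a location so it can be negated
        location ~ \.php$ {
            try_files $uri $uri/ =404; # Don't let php execute non-existent php files
            include /etc/nginx/fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
        }
    }

    # The PHP handler is nested inside `location /w/`, so it is not consulted
    # once this longer prefix is the best match. That holds only as long as no
    # server-level regex location matches .php files.
    location /w/images {
        # Separate location for images/ so .php execution won't apply

        location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
            # Thumbnail handler for MediaWiki
            # This location only matches on a thumbnail's url
            # If the file does not exist we use @thumb to run the thumb.php script
            try_files $uri $uri/ @thumb;
        }
    }
    location /w/images/deleted {
        # Deny access to deleted images folder
        deny all;
    }

    # Deny access to folders MediaWiki has a .htaccess deny in
    location /w/cache { deny all; }
    location /w/languages { deny all; }
    location /w/maintenance { deny all; }
    location /w/serialized { deny all; }

    # Just in case, hide .svn and .git too
    # The dot is escaped so that only a literal ".svn" / ".git" path component
    # matches; an unescaped `.` matches any character.
    location ~ /\.(svn|git)(/|$) { deny all; }

    # Hide any .htaccess files
    # Escaped for the same reason: `/.ht` would also deny unrelated URIs such
    # as an article path whose second and third characters are "ht".
    location ~ /\.ht { deny all; }

    # Uncomment the following code if you wish to hide the installer/updater
    ## Deny access to the installer
    #location /w/mw-config { deny all; }

    # Handling for the article path
    location /wiki {
        include /etc/nginx/fastcgi_params;
        # article path should always be passed to index.php
        fastcgi_param SCRIPT_FILENAME $document_root/w/index.php;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
    location @thumb {
        # Do a rewrite here so that thumb.php gets the correct arguments
        rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
        rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;

        # Run the thumb.php script
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php;
        fastcgi_pass 127.0.0.1:9000;
    }

    # [...]
}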
The Ultimate Pretty URL configuration for MediaWiki on Nginx[edit | edit source]
Warning, this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails not working)
1 # This file is managed remotely, all changes will be lost
2
3 # nginx server configuration for:
4 # - https://wiki.ncigt.org/
5
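# Plain-HTTP listener: requests that reach `location /` are redirected to
# HTTPS. What the included ACME snippet handles is not shown on this page.
server {
    listen 80;
    listen [::]:80;
    server_name wiki.ncigt.org;
    root /var/www/clients/wiki.ncigt.org;
    include snippets/acme-challenge.conf;
    location / {
        # Redirect to the configured server name. $host comes from the
        # client's request, so it would let the caller choose the redirect
        # target whenever this block answers for an unexpected Host value.
        return 301 https://$server_name$request_uri;
    }
}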
16
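server {
    listen 443 ssl;
    listen [::]:443 ssl http2;

    # NOTE(review): the certificate path names labs.qualitybox.us while
    # server_name is wiki.ncigt.org. Confirm the certificate covers this host.
    ssl_certificate /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # Add TLSv1.3 where the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs
    ssl_dhparam /etc/pki/dhparam/set0;
    ssl_ecdh_curve secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/pki/realms/domain/trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security headers. `always` makes nginx send them on error responses too.
    # add_header is inherited by a location only if that location defines no
    # add_header of its own, so the locations below that set Cache-Control
    # repeat the headers that matter for static files.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "same-origin" always;

    server_name wiki.ncigt.org;

    root /var/www/clients/wiki.ncigt.org;

    include snippets/acme-challenge.conf;

    keepalive_timeout 60;

    access_log /var/log/nginx/wiki.ncigt.org_access.log;
    error_log /var/log/nginx/wiki.ncigt.org_error.log;
    index index.html index.htm index.php;

    # [...]

    # setup simple way to take site down
    if (-f $document_root/maintenance.html) {
        return 503;
    }
    error_page 503 @maintenance;
    location @maintenance {
        rewrite ^(.*)$ /maintenance.html break;
    }

    # Disallow access to hidden files and directories, except `/.well-known/`
    # https://www.mnot.net/blog/2010/04/07/well-known
    # https://tools.ietf.org/html/rfc5785
    location ~ /\.(?!well-known/) {
        return 404;
    }

    # Status endpoint, reachable only from loopback and the listed addresses.
    location = /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1/32;
        allow ::1/128;
        allow 67.205.190.17;
        allow 10.10.0.11;
        allow 10.136.225.163;
        deny all;
    }
    # Favicon
    location = /favicon.ico {
        # NOTE(review): `alias` takes a filesystem path, so this points at
        # /w/images/... on disk rather than below the document root. Confirm
        # the intended file location.
        alias /w/images/6/64/Favicon.ico;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        expires 7d;
        access_log off;
        log_not_found off;
    }

    # Location for the wiki's root
    location /w/ {
        # Do this inside of a location so it can be negated
        location ~ \.php$ {
            try_files $uri $uri/ =404; # Don't let php execute non-existent php files
            include fastcgi.conf;
            #Mitigate HTTPOXY attacks (https://httpoxy.org)
            fastcgi_param HTTP_PROXY "";
            fastcgi_pass php5_www-data;
        }
        # MediaWiki assets (usually images)
        location ~ ^/w/resources/(assets|lib|src) {
            # `=404` returns the status code; a bare `404` would be taken as
            # a fallback URI.
            try_files $uri =404;
            add_header Cache-Control "public";
            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
            add_header X-Content-Type-Options "nosniff" always;
            expires 7d;
        }
        # Assets, scripts and styles from skins and extensions
        location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {
            try_files $uri =404;
            add_header Cache-Control "public";
            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
            add_header X-Content-Type-Options "nosniff" always;
            expires 7d;
        }
    }

    # Separate location for images/ so .php execution won't apply
    # This relies on the PHP handler being nested inside `location /w/`. A
    # server-level regex location matching .php would override this prefix
    # and make uploaded .php files executable.
    location /w/images {

        location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
            # Thumbnail handler for MediaWiki
            # This location only matches on a thumbnail's url
            # If the file does not exist we use @thumb to run the thumb.php script
            try_files $uri $uri/ @thumb;
        }
    }
    # Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
    location @thumb {
        # Do a rewrite here so that thumb.php gets the correct arguments
        rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
        rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;

        # Run the thumb.php script
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php;
        # Same HTTPOXY mitigation as the .php location under /w/
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass php5_www-data;
    }

    # Deny access to deleted images folder
    location /w/images/deleted { deny all; }

    # Deny access to folders MediaWiki has a .htaccess deny in
    location /w/cache { deny all; }
    location /w/languages { deny all; }
    location /w/maintenance { deny all; }
    location /w/serialized { deny all; }

    # Deny access to the installer
    location /w/mw-config { deny all; }

    # Handling for the article path
    location /wiki {
        include /etc/nginx/fastcgi_params;
        # article path should always be passed to index.php
        fastcgi_param SCRIPT_FILENAME $document_root/w/index.php;
        # Same HTTPOXY mitigation as the .php location under /w/
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass php5_www-data;
    }
}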