Freephile Wiki

Pretty URL/mediawiki: Difference between revisions

Browse history interactively
← Older edit
VisualWikitext
No edit summary
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
The purpose of this page is to merge two different configurations for Pretty URLs for MediaWiki on Nginx into the ultimate configuration.  The first is my current configuration which is a combination of what comes from DebOps, and the code found on MediaWiki.org.  The second is the suggested configuration from shorturls.redwerks.com
The purpose of this page is to merge two different configurations for Pretty URLs for MediaWiki on Nginx into the ultimate configuration.  The first is my current configuration which is a combination of what comes from DebOps, and the code found on MediaWiki.org.  The second is the suggested configuration from shorturls.redwerks.com The [https://github.com/wikimedia/translatewiki/blob/master/puppet/modules/nginx/files/translatewiki.net configuration file for translatewiki.net] as provided by @nikerabbit should be used as a reference in simplicity.




Line 211: Line 211:


== The Ultimate Pretty URL configuration for MediaWiki on Nginx ==
== The Ultimate Pretty URL configuration for MediaWiki on Nginx ==
<div style="color:red;background-color:yellow;">Warning, this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails not working)</div>
<syntaxhighlight lang="php" line>
<syntaxhighlight lang="php" line>
# This file is managed remotely, all changes will be lost
# nginx server configuration for:
#    - https://wiki.ncigt.org/


server {
server {
    listen 80;
    listen [::]:80;
    server_name wiki.ncigt.org;
    root /var/www/clients/wiki.ncigt.org;
    include snippets/acme-challenge.conf;
    location / {
            return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl http2;
    ssl_certificate          /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem;
    ssl_certificate_key      /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem;
    ssl_protocols            TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers              "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs
    ssl_dhparam              /etc/pki/dhparam/set0;
    ssl_ecdh_curve            secp384r1;
    ssl_stapling              on;
    ssl_stapling_verify      on;
    ssl_trusted_certificate  /etc/pki/realms/domain/trusted.crt;
    resolver                  8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout          5s;
    add_header                Strict-Transport-Security "max-age=15768000; includeSubDomains";
    add_header                X-Content-Type-Options "nosniff" always;
    add_header                X-Frame-Options "SAMEORIGIN" always;
    add_header                X-XSS-Protection "1; mode=block";
    add_header                Referrer-Policy "same-origin";
    server_name wiki.ncigt.org;
    root /var/www/clients/wiki.ncigt.org;
    include snippets/acme-challenge.conf;
    keepalive_timeout 60;
    access_log /var/log/nginx/wiki.ncigt.org_access.log;
    error_log /var/log/nginx/wiki.ncigt.org_error.log;
    index index.html index.htm index.php;
    # [...]
    # setup simple way to take site down
    if (-f $document_root/maintenance.html) {
        return 503;
    }
    error_page 503 @maintenance;
    location @maintenance {
        rewrite ^(.*)$ /maintenance.html break;
    }
    # Disallow access to hidden files and directories, except `/.well-known/`
    # https://www.mnot.net/blog/2010/04/07/well-known
    # https://tools.ietf.org/html/rfc5785
    location ~ /\.(?!well-known/) {
        return 404;
    }


         # [...]
    location = /nginx_status {
         stub_status on;
        access_log off;
        allow 127.0.0.1/32;
        allow ::1/128;
        allow 67.205.190.17;
        allow 10.10.0.11;
        allow 10.136.225.163;
        deny all;
    }
    # Favicon
    location = /favicon.ico {
        alias /w/images/6/64/Favicon.ico;
        add_header Cache-Control "public";
        expires 7d;
        access_log off;
        log_not_found off;
    }


         if (-f $document_root/maintenance.html) {
    # Location for the wiki's root
                return 503;
    location /w/ {
         # Do this inside of a location so it can be negated
        location ~ \.php$ {
            try_files $uri $uri/ =404; # Don't let php execute non-existent php files
            include fastcgi.conf;
            #Mitigate HTTPOXY attacks (https://httpoxy.org)
            fastcgi_param HTTP_PROXY "";
            fastcgi_pass php5_www-data;
        }
        # MediaWiki assets (usually images)
        location ~ ^/w/resources/(assets|lib|src) {
            try_files $uri 404;
            add_header Cache-Control "public";
            expires 7d;
         }
         }
         error_page 503 @maintenance;
         # Assets, scripts and styles from skins and extensions
         location @maintenance {
         location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {
                rewrite ^(.*)$ /maintenance.html break;
            try_files $uri 404;
            add_header Cache-Control "public";
            expires 7d;
         }
         }
    }


        # Disallow access to hidden files and directories, except `/.well-known/`
    # Separate location for images/ so .php execution won't apply
         # https://www.mnot.net/blog/2010/04/07/well-known
    location /w/images {
        # https://tools.ietf.org/html/rfc5785
       
        location ~ /\.(?!well-known/) {
         location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
                return 404;
            # Thumbnail handler for MediaWiki
            # This location only matches on a thumbnail's url
            # If the file does not exist we use @thumb to run the thumb.php script
            try_files $uri $uri/ @thumb;
         }
         }
    }
    # Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
    location @thumb {
        # Do a rewrite here so that thumb.php gets the correct arguments
        rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
        rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
       
        # Run the thumb.php script
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME    $document_root/w/thumb.php;
        fastcgi_pass php5_www-data;
    }


        location = /nginx_status {
    # Deny access to deleted images folder
                stub_status on;
    location /w/images/deleted { deny    all; }
                access_log off;
   
                allow 127.0.0.1/32;
    # Deny access to folders MediaWiki has a .htaccess deny in
                allow ::1/128;
    location /w/cache      { deny all; }
                allow 67.205.190.17;
    location /w/languages  { deny all; }
                allow 10.10.0.11;
    location /w/maintenance { deny all; }
                allow 10.136.225.163;
    location /w/serialized  { deny all; }
                deny all;
        }


    # Deny access to the installer
    location /w/mw-config { deny all; }


    # Handling for the article path
    location /wiki {
        include /etc/nginx/fastcgi_params;
        # article path should always be passed to index.php
        fastcgi_param SCRIPT_FILENAME    $document_root/w/index.php;
        fastcgi_pass php5_www-data;
    }
}
</syntaxhighlight>
</syntaxhighlight>
Retrieved from "https://wiki.freephile.org/wiki/Pretty_URL/mediawiki"