Pretty URL/mediawiki: Difference between revisions

Line 211:

== The Ultimate Pretty URL configuration for MediaWiki on Nginx ==

<div style="color:red;background-color:yellow;">Warning, this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails not working)</div>

# This file is managed remotely, all changes will be lost

# nginx server configuration for:

# - https://wiki.ncigt.org/

server {

listen 80;

listen [::]:80;

server_name wiki.ncigt.org;

root /var/www/clients/wiki.ncigt.org;

include snippets/acme-challenge.conf;

location / {

return 301 https://$host$request_uri;

}

server {

listen 443 ssl;

listen [::]:443 ssl http2;

ssl_certificate /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs

ssl_dhparam /etc/pki/dhparam/set0;

ssl_ecdh_curve secp384r1;

ssl_stapling on;

ssl_stapling_verify on;

ssl_trusted_certificate /etc/pki/realms/domain/trusted.crt;

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 5s;

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

add_header X-Content-Type-Options "nosniff" always;

add_header X-Frame-Options "SAMEORIGIN" always;

add_header X-XSS-Protection "1; mode=block";

add_header Referrer-Policy "same-origin";

server_name wiki.ncigt.org;

root /var/www/clients/wiki.ncigt.org;

include snippets/acme-challenge.conf;

keepalive_timeout 60;

access_log /var/log/nginx/wiki.ncigt.org_access.log;

error_log /var/log/nginx/wiki.ncigt.org_error.log;

index index.html index.htm index.php;

# [...]

# setup simple way to take site down

if (-f $document_root/maintenance.html) {

return 503;

}

error_page 503 @maintenance;

location @maintenance {

rewrite ^(.*)$ /maintenance.html break;

}

Line 233:

Line 280:

# https://tools.ietf.org/html/rfc5785

location ~ /\.(?!well-known/) {

return 404;

}

location = /nginx_status {

stub_status on;

access_log off;

allow 127.0.0.1/32;

allow ::1/128;

allow 67.205.190.17;

allow 10.10.0.11;

allow 10.136.225.163;

deny all;

}

# Favicon

location = /favicon.ico {

alias /w/images/6/64/Favicon.ico;

add_header Cache-Control "public";

expires 7d;

access_log off;

log_not_found off;

}

# Location for the wiki's root

location /w/ {

# Do this inside of a location so it can be negated

location ~ \.php$ {

try_files $uri $uri/ =404; # Don't let php execute non-existent php files

include fastcgi.conf;

#Mitigate HTTPOXY attacks (https://httpoxy.org)

fastcgi_param HTTP_PROXY "";

fastcgi_pass ~~127.0.0.1:9000~~;

fastcgi_pass php5_www-data;

}

# MediaWiki assets (usually images)

location ~ ^/w/resources/(assets|lib|src) {

try_files $uri 404;

add_header Cache-Control "public";

expires 7d;

}

# Assets, scripts and styles from skins and extensions

location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {

try_files $uri 404;

add_header Cache-Control "public";

expires 7d;

}

# Separate location for images/ so .php execution won't apply

location /w/images {

location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {

# Thumbnail handler for MediaWiki

# This location only matches on a thumbnail's url

# If the file does not exist we use @thumb to run the thumb.php script

try_files $uri $uri/ @thumb;

}

# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist

location @thumb {

# Do a rewrite here so that thumb.php gets the correct arguments

rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;

rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;

# Run the thumb.php script

include /etc/nginx/fastcgi_params;

fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php;

fastcgi_pass ~~127.0.0.1:9000~~;

fastcgi_pass php5_www-data;

}

# Deny access to deleted images folder

location /w/images/deleted { deny all; }

# Deny access to folders MediaWiki has a .htaccess deny in

location /w/cache { deny all; }

location /w/languages { deny all; }

location /w/maintenance { deny all; }

location /w/serialized { deny all; }

# Deny access to the installer

location /w/mw-config { deny all; }

# Handling for the article path

location /wiki {

include /etc/nginx/fastcgi_params;

# article path should always be passed to index.php

fastcgi_param SCRIPT_FILENAME $document_root/w/index.php;

fastcgi_pass ~~127.0.0.1:9000~~;

fastcgi_pass php5_www-data;

}

</syntaxhighlight>

@@ Line 211: / Line 211: @@
 == The Ultimate Pretty URL configuration for MediaWiki on Nginx ==
+<div style="color:red;background-color:yellow;">Warning, this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails not working)</div>
 <syntaxhighlight lang="php" line>
+# This file is managed remotely, all changes will be lost
+# nginx server configuration for:
+#    - https://wiki.ncigt.org/
+server {
+    listen 80;
+    listen [::]:80;
+    server_name wiki.ncigt.org;
+    root /var/www/clients/wiki.ncigt.org;
+    include snippets/acme-challenge.conf;
+    location / {
+            return 301 https://$host$request_uri;
+    }
+}
 server {
+    listen 443 ssl;
+    listen [::]:443 ssl http2;
+    ssl_certificate           /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem;
+    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers               "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs
+    ssl_dhparam               /etc/pki/dhparam/set0;
+    ssl_ecdh_curve            secp384r1;
+    ssl_stapling              on;
+    ssl_stapling_verify       on;
+    ssl_trusted_certificate   /etc/pki/realms/domain/trusted.crt;
+    resolver                  8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout          5s;
+    add_header                Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header                X-Content-Type-Options "nosniff" always;
+    add_header                X-Frame-Options "SAMEORIGIN" always;
+    add_header                X-XSS-Protection "1; mode=block";
+    add_header                Referrer-Policy "same-origin";
+    server_name wiki.ncigt.org;
+    root /var/www/clients/wiki.ncigt.org;
+    include snippets/acme-challenge.conf;
+    keepalive_timeout 60;
+    access_log /var/log/nginx/wiki.ncigt.org_access.log;
+    error_log /var/log/nginx/wiki.ncigt.org_error.log;
+    index index.html index.htm index.php;
      # [...]
+    # setup simple way to take site down
      if (-f $document_root/maintenance.html) {
-            return 503;
+        return 503;
      }
      error_page 503 @maintenance;
      location @maintenance {
-            rewrite ^(.*)$ /maintenance.html break;
+        rewrite ^(.*)$ /maintenance.html break;
      }
@@ Line 233: / Line 280: @@
      # https://tools.ietf.org/html/rfc5785
      location ~ /\.(?!well-known/) {
-            return 404;
+        return 404;
      }
      location = /nginx_status {
-            stub_status on;
+        stub_status on;
-            access_log off;
+        access_log off;
-            allow 127.0.0.1/32;
+        allow 127.0.0.1/32;
-            allow ::1/128;
+        allow ::1/128;
-            allow 67.205.190.17;
+        allow 67.205.190.17;
-            allow 10.10.0.11;
+        allow 10.10.0.11;
-            allow 10.136.225.163;
+        allow 10.136.225.163;
-            deny all;
+        deny all;
      }
      # Favicon
      location = /favicon.ico {
-            alias /w/images/6/64/Favicon.ico;
+        alias /w/images/6/64/Favicon.ico;
-            add_header Cache-Control "public";
+        add_header Cache-Control "public";
-            expires 7d;
+        expires 7d;
-            access_log off;
+        access_log off;
-            log_not_found off;
+        log_not_found off;
      }
-	# Location for the wiki's root
+    # Location for the wiki's root
-	location /w/ {
+    location /w/ {
-		# Do this inside of a location so it can be negated
+        # Do this inside of a location so it can be negated
-		location ~ \.php$ {
+        location ~ \.php$ {
-			try_files $uri $uri/ =404; # Don't let php execute non-existent php files
+            try_files $uri $uri/ =404; # Don't let php execute non-existent php files
-			include fastcgi.conf;
+            include fastcgi.conf;
-                        #Mitigate HTTPOXY attacks (https://httpoxy.org)
+            #Mitigate HTTPOXY attacks (https://httpoxy.org)
-                        fastcgi_param HTTP_PROXY "";
+            fastcgi_param HTTP_PROXY "";
-			fastcgi_pass 127.0.0.1:9000;
+            fastcgi_pass php5_www-data;
-		}
+        }
          # MediaWiki assets (usually images)
          location ~ ^/w/resources/(assets|lib|src) {
-                try_files $uri 404;
+            try_files $uri 404;
-                add_header Cache-Control "public";
+            add_header Cache-Control "public";
-                expires 7d;
+            expires 7d;
          }
          # Assets, scripts and styles from skins and extensions
          location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {
-                try_files $uri 404;
+            try_files $uri 404;
-                add_header Cache-Control "public";
+            add_header Cache-Control "public";
-                expires 7d;
+            expires 7d;
          }
-	}
+    }
-	# Separate location for images/ so .php execution won't apply
+    # Separate location for images/ so .php execution won't apply
-	location /w/images {
+    location /w/images {
-		location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
+        location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
-			# Thumbnail handler for MediaWiki
+            # Thumbnail handler for MediaWiki
-			# This location only matches on a thumbnail's url
+            # This location only matches on a thumbnail's url
-			# If the file does not exist we use @thumb to run the thumb.php script
+            # If the file does not exist we use @thumb to run the thumb.php script
-			try_files $uri $uri/ @thumb;
+            try_files $uri $uri/ @thumb;
-		}
+        }
-	}
+    }
      # Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
-	location @thumb {
+    location @thumb {
-		# Do a rewrite here so that thumb.php gets the correct arguments
+        # Do a rewrite here so that thumb.php gets the correct arguments
-		rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
+        rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
-		rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
+        rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
-		# Run the thumb.php script
+        # Run the thumb.php script
-		include /etc/nginx/fastcgi_params;
+        include /etc/nginx/fastcgi_params;
-		fastcgi_param SCRIPT_FILENAME	$document_root/w/thumb.php;
+        fastcgi_param SCRIPT_FILENAME    $document_root/w/thumb.php;
-		fastcgi_pass  127.0.0.1:9000;
+        fastcgi_pass php5_www-data;
-	}
+    }
-	# Deny access to deleted images folder
+    # Deny access to deleted images folder
-	location /w/images/deleted { deny	all; }
+    location /w/images/deleted { deny    all; }
-	# Deny access to folders MediaWiki has a .htaccess deny in
+    # Deny access to folders MediaWiki has a .htaccess deny in
-	location /w/cache       { deny all; }
+    location /w/cache       { deny all; }
-	location /w/languages   { deny all; }
+    location /w/languages   { deny all; }
-	location /w/maintenance { deny all; }
+    location /w/maintenance { deny all; }
-	location /w/serialized  { deny all; }
+    location /w/serialized  { deny all; }
      # Deny access to the installer
-	location /w/mw-config { deny all; }
+    location /w/mw-config { deny all; }
      # Handling for the article path
-	location /wiki {
+    location /wiki {
-		include /etc/nginx/fastcgi_params;
+        include /etc/nginx/fastcgi_params;
-		# article path should always be passed to index.php
+        # article path should always be passed to index.php
-		fastcgi_param SCRIPT_FILENAME	$document_root/w/index.php;
+        fastcgi_param SCRIPT_FILENAME    $document_root/w/index.php;
-		fastcgi_pass  127.0.0.1:9000;
+        fastcgi_pass php5_www-data;
-	}
+    }
+}
 </syntaxhighlight>