Open main menu

Pretty URL/mediawiki

< Pretty URL
Revision as of 21:51, 18 November 2019 by Admin (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

The purpose of this page is to merge two different configurations for Pretty URLs for MediaWiki on Nginx into the ultimate configuration. The first is my current configuration which is a combination of what comes from DebOps, and the code found on MediaWiki.org. The second is the suggested configuration from shorturls.redwerks.com The configuration file for translatewiki.net as provided by @nikerabbit should be used as a reference in simplicity.


My Nginx Conf

  1 server {
  2 
  3         # [...]
  4 
  5         if (-f $document_root/maintenance.html) {
  6                 return 503;
  7         }
  8         error_page 503 @maintenance;
  9         location @maintenance {
 10                 rewrite ^(.*)$ /maintenance.html break;
 11         }
 12 
 13         # Disallow access to hidden files and directories, except `/.well-known/`
 14         # https://www.mnot.net/blog/2010/04/07/well-known
 15         # https://tools.ietf.org/html/rfc5785
 16         location ~ /\.(?!well-known/) {
 17                 return 404;
 18         }
 19 
 20         #location = /favicon.ico {
 21         #        try_files /favicon.ico =204;
 22         #        access_log off;
 23         #        log_not_found off;
 24         #}
 25 
 26         location = /nginx_status {
 27                 stub_status on;
 28                 access_log off;
 29                 allow 127.0.0.1/32;
 30                 allow ::1/128;
 31                 allow 67.205.190.17;
 32                 allow 10.10.0.11;
 33                 allow 10.136.225.163;
 34                 deny all;
 35         }
 36 
 37         location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
 38                 try_files $script_name =404;
 39 
 40                 include fastcgi.conf;
 41 
 42                 # Mitigate HTTPOXY attacks (https://httpoxy.org/)
 43                 fastcgi_param HTTP_PROXY "";
 44 
 45                 fastcgi_index index.php;
 46                 fastcgi_pass php5_www-data;
 47         }
 48 
 49         location ~ ^(?<script_name>.+\.php)(?<path_info>/.*)$ {
 50                 try_files $script_name =404;
 51 
 52                 include fastcgi_params;
 53                 fastcgi_param SCRIPT_FILENAME $document_root$script_name;
 54                 fastcgi_param PATH_INFO $path_info;
 55                 #fastcgi_param PATH_TRANSLATED $document_root$path_info;
 56 
 57                 # Mitigate HTTPOXY attacks (https://httpoxy.org/)
 58                 fastcgi_param HTTP_PROXY "";
 59 
 60                 fastcgi_index index.php;
 61                 fastcgi_pass php5_www-data;
 62         }
 63         #### All the following rules added for pretty URLs
 64         location ~ ^/w/(index|load|api|thumb|opensearch_desc)\.php$ {
 65                 include /etc/nginx/fastcgi_params;
 66                 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 67                 fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
 68         }
 69         
 70         # Images
 71         location /w/images {
 72                 # Separate location for images/ so .php execution won't apply
 73         }
 74         location /w/images/deleted {
 75                 # Deny access to deleted images folder
 76                 deny all;
 77         }
 78         # MediaWiki assets (usually images)
 79         location ~ ^/w/resources/(assets|lib|src) {
 80                 try_files $uri 404;
 81                 add_header Cache-Control "public";
 82                 expires 7d;
 83         }
 84         # Assets, scripts and styles from skins and extensions
 85         location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {
 86                 try_files $uri 404;
 87                 add_header Cache-Control "public";
 88                 expires 7d;
 89         }
 90         # Favicon
 91         location = /favicon.ico {
 92                 alias /w/images/6/64/Favicon.ico;
 93                 add_header Cache-Control "public";
 94                 expires 7d;
 95                 access_log off;
 96                 log_not_found off;
 97         }
 98         
 99         ## Uncomment the following code if you wish to use the installer/updater
100         ## installer/updater
101         #location /w/mw-config/ {
102         #       # Do this inside of a location so it can be negated
103         #       location ~ \.php$ {
104         #               include /etc/nginx/fastcgi_params;
105         #               fastcgi_param SCRIPT_FILENAME $document_root/w/mw-config/$fastcgi_script_name;
106         #               fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
107         #       }
108         #}
109         
110         # Handling for the article path (pretty URLs)
111         location /wiki/ {
112                 rewrite ^/wiki(?:/(?<pagename>.*))$ /w/index.php;
113         }
114 
115         # Allow robots.txt in case you have one
116         location = /robots.txt {
117         }
118         # Explicit access to the root website, redirect to main page (adapt as needed)
119         # location = / {
120         #       return 301 /wiki/Main_Page;
121         # }
122 
123         # # Every other entry point will be disallowed.
124         # # Add specific rules for other entry points/images as needed above this
125         # location / {
126         #       return 404;
127         # }
128         #### All the above rules added for pretty URLs
129         client_max_body_size 500m;
130 }

RedWerks Short URL

from https://shorturls.redwerks.org/?url=https%3A%2F%2Fwww.slicer.org%2Fwiki%2F


 1 server {
 2 	# [...]
 3 
 4 	# Location for the wiki's root
 5 	location /w/ {
 6 		# Do this inside of a location so it can be negated
 7 		location ~ \.php$ {
 8 			try_files $uri $uri/ =404; # Don't let php execute non-existent php files
 9 			include /etc/nginx/fastcgi_params;
10 			fastcgi_pass 127.0.0.1:9000;
11 		}
12 	}
13 	
14 	location /w/images {
15 		# Separate location for images/ so .php execution won't apply
16 		
17 		location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
18 			# Thumbnail handler for MediaWiki
19 			# This location only matches on a thumbnail's url
20 			# If the file does not exist we use @thumb to run the thumb.php script
21 			try_files $uri $uri/ @thumb;
22 		}
23 	}
24 	location /w/images/deleted {
25 		# Deny access to deleted images folder
26 		deny	all;
27 	}
28 	
29 	# Deny access to folders MediaWiki has a .htaccess deny in
30 	location /w/cache       { deny all; }
31 	location /w/languages   { deny all; }
32 	location /w/maintenance { deny all; }
33 	location /w/serialized  { deny all; }
34 	
35 	# Just in case, hide .svn and .git too
36 	location ~ /.(svn|git)(/|$) { deny all; }
37 	
38 	# Hide any .htaccess files
39 	location ~ /.ht { deny all; }
40 	
41 	# Uncomment the following code if you wish to hide the installer/updater
42 	## Deny access to the installer
43 	#location /w/mw-config { deny all; }
44 	
45 	# Handling for the article path
46 	location /wiki {
47 		include /etc/nginx/fastcgi_params;
48 		# article path should always be passed to index.php
49 		fastcgi_param SCRIPT_FILENAME	$document_root/w/index.php;
50 		fastcgi_pass  127.0.0.1:9000;
51 	}
52 	
53 	# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
54 	location @thumb {
55 		# Do a rewrite here so that thumb.php gets the correct arguments
56 		rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
57 		rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
58 		
59 		# Run the thumb.php script
60 		include /etc/nginx/fastcgi_params;
61 		fastcgi_param SCRIPT_FILENAME	$document_root/w/thumb.php;
62 		fastcgi_pass  127.0.0.1:9000;
63 	}
64 	
65 	# [...]
66 }

The Ultimate Pretty URL configuration for MediaWiki on Nginx

Warning, this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails not working)
  1 # This file is managed remotely, all changes will be lost
  2 
  3 # nginx server configuration for:
  4 #    - https://wiki.ncigt.org/
  5 
  6 server {
  7     listen 80;
  8     listen [::]:80;
  9     server_name wiki.ncigt.org;
 10     root /var/www/clients/wiki.ncigt.org;
 11     include snippets/acme-challenge.conf;
 12     location / {
 13             return 301 https://$host$request_uri;
 14     }
 15 }
 16 
 17 server {
 18     listen 443 ssl;
 19     listen [::]:443 ssl http2;
 20 
 21     ssl_certificate           /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem;
 22     ssl_certificate_key       /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem;
 23     ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
 24     ssl_prefer_server_ciphers on;
 25     ssl_ciphers               "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs
 26     ssl_dhparam               /etc/pki/dhparam/set0;
 27     ssl_ecdh_curve            secp384r1;
 28     ssl_stapling              on;
 29     ssl_stapling_verify       on;
 30     ssl_trusted_certificate   /etc/pki/realms/domain/trusted.crt;
 31     resolver                  8.8.8.8 8.8.4.4 valid=300s;
 32     resolver_timeout          5s;
 33     add_header                Strict-Transport-Security "max-age=15768000; includeSubDomains";
 34     add_header                X-Content-Type-Options "nosniff" always;
 35     add_header                X-Frame-Options "SAMEORIGIN" always;
 36     add_header                X-XSS-Protection "1; mode=block";
 37     add_header                Referrer-Policy "same-origin";
 38 
 39     server_name wiki.ncigt.org;
 40 
 41     root /var/www/clients/wiki.ncigt.org;
 42 
 43     include snippets/acme-challenge.conf;
 44 
 45     keepalive_timeout 60;
 46 
 47     access_log /var/log/nginx/wiki.ncigt.org_access.log;
 48     error_log /var/log/nginx/wiki.ncigt.org_error.log;
 49     index index.html index.htm index.php;
 50 
 51     # [...]
 52 
 53     # setup simple way to take site down
 54     if (-f $document_root/maintenance.html) {
 55         return 503;
 56     }
 57     error_page 503 @maintenance;
 58     location @maintenance {
 59         rewrite ^(.*)$ /maintenance.html break;
 60     }
 61 
 62     # Disallow access to hidden files and directories, except `/.well-known/`
 63     # https://www.mnot.net/blog/2010/04/07/well-known
 64     # https://tools.ietf.org/html/rfc5785
 65     location ~ /\.(?!well-known/) {
 66         return 404;
 67     }
 68 
 69     location = /nginx_status {
 70         stub_status on;
 71         access_log off;
 72         allow 127.0.0.1/32;
 73         allow ::1/128;
 74         allow 67.205.190.17;
 75         allow 10.10.0.11;
 76         allow 10.136.225.163;
 77         deny all;
 78     }
 79     # Favicon
 80     location = /favicon.ico {
 81         alias /w/images/6/64/Favicon.ico;
 82         add_header Cache-Control "public";
 83         expires 7d;
 84         access_log off;
 85         log_not_found off;
 86     }
 87 
 88     # Location for the wiki's root
 89     location /w/ {
 90         # Do this inside of a location so it can be negated
 91         location ~ \.php$ {
 92             try_files $uri $uri/ =404; # Don't let php execute non-existent php files
 93             include fastcgi.conf;
 94             #Mitigate HTTPOXY attacks (https://httpoxy.org)
 95             fastcgi_param HTTP_PROXY "";
 96             fastcgi_pass php5_www-data;
 97         }
 98         # MediaWiki assets (usually images)
 99         location ~ ^/w/resources/(assets|lib|src) {
100             try_files $uri 404;
101             add_header Cache-Control "public";
102             expires 7d;
103         }
104         # Assets, scripts and styles from skins and extensions
105         location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {
106             try_files $uri 404;
107             add_header Cache-Control "public";
108             expires 7d;
109         }
110     }
111 
112     # Separate location for images/ so .php execution won't apply
113     location /w/images {
114         
115         location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
116             # Thumbnail handler for MediaWiki
117             # This location only matches on a thumbnail's url
118             # If the file does not exist we use @thumb to run the thumb.php script
119             try_files $uri $uri/ @thumb;
120         }
121     }
122     # Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
123     location @thumb {
124         # Do a rewrite here so that thumb.php gets the correct arguments
125         rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
126         rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
127         
128         # Run the thumb.php script
129         include /etc/nginx/fastcgi_params;
130         fastcgi_param SCRIPT_FILENAME    $document_root/w/thumb.php;
131         fastcgi_pass php5_www-data;
132     }
133 
134     # Deny access to deleted images folder
135     location /w/images/deleted { deny    all; }
136     
137     # Deny access to folders MediaWiki has a .htaccess deny in
138     location /w/cache       { deny all; }
139     location /w/languages   { deny all; }
140     location /w/maintenance { deny all; }
141     location /w/serialized  { deny all; }
142 
143     # Deny access to the installer
144     location /w/mw-config { deny all; }
145 
146     # Handling for the article path
147     location /wiki {
148         include /etc/nginx/fastcgi_params;
149         # article path should always be passed to index.php
150         fastcgi_param SCRIPT_FILENAME    $document_root/w/index.php;
151         fastcgi_pass php5_www-data;
152     }
153 }