The purpose of this page is to merge two different configurations for Pretty URLs for MediaWiki on Nginx into the ultimate configuration. The first is my current configuration, which is a combination of what comes from DebOps and the code found on MediaWiki.org. The second is the suggested configuration from shorturls.redwerks.com. The [https://github.com/wikimedia/translatewiki/blob/master/puppet/modules/nginx/files/translatewiki.net configuration file for translatewiki.net] as provided by @nikerabbit should be used as a reference for simplicity.
== The Ultimate Pretty URL configuration for MediaWiki on Nginx ==
<div style="color:red;background-color:yellow;">Warning: this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails do not work)</div>
<syntaxhighlight lang="nginx" line>
# This file is managed remotely, all changes will be lost
# nginx server configuration for:
# - https://wiki.ncigt.org/
# Plain-HTTP vhost: answers the ACME snippet and redirects everything else to HTTPS.
server {
listen 80;
listen [::]:80;
server_name wiki.ncigt.org;
root /var/www/clients/wiki.ncigt.org;
# Presumably defines the /.well-known/acme-challenge/ location so HTTP-01
# challenges are served here instead of being redirected — confirm by reading the snippet.
include snippets/acme-challenge.conf;
# Catch-all: permanent redirect to the same host and path over TLS.
# $host is taken from the request line / Host header (falling back to server_name);
# this is fine as long as this block is not also nginx's default server — confirm.
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS vhost for wiki.ncigt.org; the plain-HTTP server above only redirects here.
server {
listen 443 ssl;
listen [::]:443 ssl http2;
# NOTE(review): the certificate paths name labs.qualitybox.us while server_name is
# wiki.ncigt.org — confirm this certificate actually covers wiki.ncigt.org.
ssl_certificate /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless legacy clients
# are a hard requirement, restrict this to TLSv1.2 (plus TLSv1.3 if the nginx/OpenSSL
# build supports it).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# NOTE(review): this list still admits "+SSLv3"-era, CAMELLIA and kEDH suites;
# re-check it against a current recommendation when the protocol list is tightened.
ssl_ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs
ssl_dhparam /etc/pki/dhparam/set0;
ssl_ecdh_curve secp384r1;
# OCSP stapling; the trusted chain below is what nginx verifies the stapled response against.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/realms/domain/trusted.crt;
# Resolver nginx uses for OCSP responder lookups (and any other runtime name resolution).
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# NOTE(review): add_header without `always` is only applied to 2xx/3xx responses, so
# 404/503 pages (e.g. the maintenance page) go out without HSTS. Also, add_header
# is not inherited into any location that declares its own add_header — the asset
# locations below set Cache-Control, so their responses lose every header listed
# here unless these directives are repeated in those locations.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# NOTE(review): X-XSS-Protection is a legacy header that current browsers ignore;
# harmless to keep, but not a control to rely on.
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "same-origin";
server_name wiki.ncigt.org;
root /var/www/clients/wiki.ncigt.org;
include snippets/acme-challenge.conf;
keepalive_timeout 60;
access_log /var/log/nginx/wiki.ncigt.org_access.log;
error_log /var/log/nginx/wiki.ncigt.org_error.log;
index index.html index.htm index.php;
# [...]
# setup simple way to take site down
# Site-wide maintenance switch: if maintenance.html exists under the document root,
# every request is answered with 503, rendered from that file via @maintenance below.
if (-f $document_root/maintenance.html) {
return 503;
}
error_page 503 @maintenance;
location @maintenance {
rewrite ^(.*)$ /maintenance.html break;
}
# Disallow access to hidden files and directories, except `/.well-known/`
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
# Regex location: any path segment beginning with "." (e.g. /.git, /.env, /.htaccess)
# is a 404; the lookahead exempts /.well-known/ (presumably used by the ACME snippet).
location ~ /\.(?!well-known/) {
return 404;
}
# Status endpoint restricted by source address: only the listed loopback and
# private/host addresses may read it, `deny all` closes it for everyone else, and
# access_log off keeps the polling out of the access log.
# NOTE(review): the text after "# [Favicon" on this line is a garbled fragment of a
# favicon location from the other configuration, not live config.
location = /nginx_status { stub_status on; access_log off; allow 127.0.0.1/32; allow ::1/128; allow 67.205.190.17; allow 10.10.0.11; allow 10.136.225.163; deny all; } # [Favicon location = /favicon.ico { alias /w/images/6/64/Favicon..]ico; add_header Cache-Control "public"; expires 7d; access_log off; log_not_found off; }
# NOTE(review): the lines from here down to the `@thumb` location are a mangled
# interleaving of the two configurations being merged and do not parse as nginx
# config; they must be untangled by hand. From the visible fragments the intended
# pieces appear to be: a /w/ location containing a `~ \.php$` handler (try_files
# `=404` so non-existent .php files are never executed, fastcgi.conf, HTTP_PROXY
# cleared against httpoxy, fastcgi_pass to the php5_www-data upstream), a
# /w/resources/(assets|lib|src) asset location, a /w/(skins|extensions) asset
# location, and a /w/images location with a thumbnail regex that falls through
# to @thumb — confirm each against the original sources. Note the
# `fastcgi_pass php5_www-f $document_rootdata` fragment: the upstream name
# elsewhere in this file is php5_www-data.
# Location for the wiki's root location /w/ { if # Do this inside of a location so it can be negated location ~ \.php$ { try_files $uri $uri/ =404; # Don't let php execute non-existent php files include fastcgi.conf; #Mitigate HTTPOXY attacks (https://httpoxy.org) fastcgi_param HTTP_PROXY ""; fastcgi_pass php5_www-f $document_rootdata; } # MediaWiki assets (usually images) location ~ ^/w/resources/maintenance.html(assets|lib|src) { return 503 try_files $uri 404; add_header Cache-Control "public"; expires 7d;
}
error_page 503 @maintenance;# Assets, scripts and styles from skins and extensions location @maintenance { rewrite ~ ^/w/(skins|extensions)/.+\.*(css|js|gif|jpg|jpeg|png|svg)$ /maintenance.html break{ try_files $uri 404; add_header Cache-Control "public"; expires 7d;
}
}
# Disallow access to hidden files and directories, except `Separate location for images/so .well-knownphp execution won't apply location /w/`images { # https:location ~ ^/w/www.mnot.netimages/blogthumb/2010(archive/04)?[0-9a-f]/07/well[0-9a-f][0-9a-known # https:f]/([^/tools.ietf.org]+)/html/rfc5785 location ~ /\.(?!well[0-known/9]+) px-.*$ { return 404 # Thumbnail handler for MediaWiki # This location only matches on a thumbnail's url # If the file does not exist we use @thumb to run the thumb.php script try_files $uri $uri/ @thumb;
}
}
# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist
# Named location: the rewrites map the requested file name and pixel width onto
# thumb.php query parameters (archive/ paths additionally get archived=1), and
# SCRIPT_FILENAME is pinned to thumb.php, so the request URI can never select a
# different script.
# NOTE(review): the /w/images location that is supposed to `try_files ... @thumb`
# into here sits inside the garbled block above — confirm this is actually
# reachable once that block is repaired.
location @thumb {
# Do a rewrite here so that thumb.php gets the correct arguments
rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
# Run the thumb.php script
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php;
fastcgi_pass php5_www-data;
}
# NOTE(review): this line is another garbled interleaving (the nginx_status
# location again mixed with the deny locations). The intended deny list appears
# to be /w/images/deleted, /w/cache, /w/languages, /w/maintenance and
# /w/serialized, each `{ deny all; }` — i.e. the directories MediaWiki protects
# with .htaccess on Apache. Reconstruct these as separate locations.
# Deny access to deleted images folder location = /nginx_status w/images/deleted { stub_status ondeny all;} access_log off; allow 127 # Deny access to folders MediaWiki has a .0.0.1htaccess deny in location /w/32cache { deny all;} allow ::1 location /128w/languages { deny all;} allow 67.205.190.17 location /w/maintenance { deny all;} allow 10.10.0.11; allow 10.136.225.163; location /w/serialized { deny all; }
# Deny access to the installer
# Installer/updater directory: denied outright so it cannot be reached over the web.
location /w/mw-config { deny all; }
# Handling for the article path
# Pretty-URL article path: every request under /wiki is handed to index.php via
# FastCGI with SCRIPT_FILENAME fixed, so the URI never chooses the script.
# This is a prefix match, so /wikifoo also lands here; presumably matches the
# wiki's article path setting (/wiki/$1) — confirm.
location /wiki {
include /etc/nginx/fastcgi_params;
# article path should always be passed to index.php
fastcgi_param SCRIPT_FILENAME $document_root/w/index.php;
fastcgi_pass php5_www-data;
}
}
</syntaxhighlight>