Changes

Pretty URL/mediawiki (view source)

Revision as of 09:44, 15 November 2019

2,201 bytes added , 09:44, 15 November 2019

→‎The Ultimate Pretty URL configuration for MediaWiki on Nginx

== The Ultimate Pretty URL configuration for MediaWiki on Nginx ==

<div style="color:red;background-color:yellow;">Warning, this config is a work in progress and has KNOWN deficiencies (e.g. thumbnails not working)</div>

# This file is managed remotely, all changes will be lost

# nginx server configuration for:

# - https://wiki.ncigt.org/

server {

listen 80;

listen [::]:80;

server_name wiki.ncigt.org;

root /var/www/clients/wiki.ncigt.org;

include snippets/acme-challenge.conf;

location / {

return 301 https://$host$request_uri;

}

server {

listen 443 ssl;

listen [::]:443 ssl http2;

ssl_certificate /etc/letsencrypt/live/labs.qualitybox.us/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/labs.qualitybox.us/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH"; # TLS cipher suites set: bettercrypto_org__set_b_pfs

ssl_dhparam /etc/pki/dhparam/set0;

ssl_ecdh_curve secp384r1;

ssl_stapling on;

ssl_stapling_verify on;

ssl_trusted_certificate /etc/pki/realms/domain/trusted.crt;

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 5s;

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

add_header X-Content-Type-Options "nosniff" always;

add_header X-Frame-Options "SAMEORIGIN" always;

add_header X-XSS-Protection "1; mode=block";

add_header Referrer-Policy "same-origin";

server_name wiki.ncigt.org;

root /var/www/clients/wiki.ncigt.org;

include snippets/acme-challenge.conf;

keepalive_timeout 60;

access_log /var/log/nginx/wiki.ncigt.org_access.log;

error_log /var/log/nginx/wiki.ncigt.org_error.log;

index index.html index.htm index.php;

# [...]

# setup simple way to take site down

if (-f $document_root/maintenance.html) {

return 503;

}

error_page 503 @maintenance;

location @maintenance {

rewrite ^(.*)$ /maintenance.html break;

}

# https://tools.ietf.org/html/rfc5785

location ~ /\.(?!well-known/) {

return 404;

}

location = /nginx_status {

stub_status on; access_log off; allow 127.0.0.1/32; allow ::1/128; allow 67.205.190.17; allow 10.10.0.11; allow 10.136.225.163; deny all;

}

# Favicon

location = /favicon.ico {

alias /w/images/6/64/Favicon.ico; add_header Cache-Control "public"; expires 7d; access_log off; log_not_found off;

}

# Location for the wiki's root location /w/ { # Do this inside of a location so it can be negated location ~ \.php$ { try_files $uri $uri/ =404; # Don't let php execute non-existent php files include fastcgi.conf; #Mitigate HTTPOXY attacks (https://httpoxy.org) fastcgi_param HTTP_PROXY ""; fastcgi_pass ~~127.0.0.1:9000~~php5_www-data; }

# MediaWiki assets (usually images)

location ~ ^/w/resources/(assets|lib|src) {

try_files $uri 404; add_header Cache-Control "public"; expires 7d;

}

# Assets, scripts and styles from skins and extensions

location ~ ^/w/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg)$ {

try_files $uri 404; add_header Cache-Control "public"; expires 7d;

}

# Separate location for images/ so .php execution won't apply location /w/images { location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ { # Thumbnail handler for MediaWiki # This location only matches on a thumbnail's url # If the file does not exist we use @thumb to run the thumb.php script try_files $uri $uri/ @thumb; } }

# Thumbnail 404 handler, only called by try_files when a thumbnail does not exist

location @thumb { # Do a rewrite here so that thumb.php gets the correct arguments rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2; rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1; # Run the thumb.php script include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php; fastcgi_pass ~~127.0.0.1:9000~~php5_www-data; }

# Deny access to deleted images folder location /w/images/deleted { deny all; } # Deny access to folders MediaWiki has a .htaccess deny in location /w/cache { deny all; } location /w/languages { deny all; } location /w/maintenance { deny all; } location /w/serialized { deny all; }

# Deny access to the installer

location /w/mw-config { deny all; }

# Handling for the article path

location /wiki { include /etc/nginx/fastcgi_params; # article path should always be passed to index.php fastcgi_param SCRIPT_FILENAME $document_root/w/index.php; fastcgi_pass ~~127.0.0.1:9000~~php5_www-data; }}

</syntaxhighlight>

Admin

Image-reviewer, Bureaucrats, Check users, confirmed, Interface administrators, Administrators (Semantic MediaWiki), Curators (Semantic MediaWiki), Editors (Semantic MediaWiki), staff, Suppressors, sysadmin, Administrators, uploadaccess, Upload Wizard campaign editors, Widget editors

1,503

edits