Monday, January 09, 2012

NGINX With MediaWiki Over SSL

Some of this was inspired by the Ars Technica article here:  <http://arstechnica.com/business/news/2011/11/a-faster-web-server-ripping-out-apache-for-nginx.ars>.

Fire up a Fedora 16 instance on Amazon EC2 (I've been using 'ami-88f37eb8' as the beginning of all my images lately) and log in via SSH.  Install necessary packages using yum (there may be more than I've listed here):

> yum install -y nginx
> yum install -y mysql mysql-server mysql-libs
> yum install -y php php-mysql
> yum install -y mediawiki

Follow this other wonderful article on how to get free SSL certs [Ars Technica].  Install your new certs into /etc/nginx/certs/.

Create a symlink to the wiki directory:

> ln -s /usr/share/nginx/html/wiki/ /var/www/wiki/

Edit the following files to match these outputs (adjusting for your own installation, of course):


> cat /etc/nginx/conf.d/default.conf
server {
    listen       80;
    rewrite ^(.*) https://$host$1 permanent;
}

> cat /etc/nginx/conf.d/ssl.conf
server {
  listen 443;
  server_name domain.com;


  ssl on;
  ssl_certificate certs/domain_com-class1.cert;
  ssl_certificate_key certs/domain_com-private.key;
  ssl_session_timeout 5m;
  ssl_protocols SSLv2 SSLv3 TLSv1;
  ssl_ciphers ALL:!kEDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  ssl_prefer_server_ciphers on;


  gzip on;
  gzip_static on;
  gzip_min_length 512;
  gzip_http_version 1.1;
  gzip_vary on;
  gzip_comp_level 6;
  gzip_proxied expired no-cache no-store private auth;
  gzip_types text/plain text/html text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_buffers 16 8k;
  gzip_disable "MSIE [1-6]\.(?!.*SV1)";


  location / {
    root html;
    index index.html;
    try_files $uri $uri/index.html @wiki;
  }


  location @wiki {
    rewrite ^/wiki/index.php/(.*)$ /wiki/$1 permanent;
    rewrite ^/wiki/(.*)$ /wiki/index.php?title=$1&$args;
  }


  location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME  /usr/share/nginx/html$fastcgi_script_name;
    fastcgi_param HTTPS on;
    include fastcgi_params;
  }


  error_page 404 /404.html;
  location = /404.html {
    root html;
  }


  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root html;
  }
}
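The ssl.conf above still accepts SSLv2, SSLv3 and a cipher list that pulls in RC4, LOW and export-grade suites, and it compresses every text response over TLS. The fragment below is an added example, not part of the original post, showing the same server blocks with those settings replaced by a current baseline. It assumes a modern nginx (1.13+ with OpenSSL 1.1.1 for TLSv1.3; the `always` flag on `add_header` needs 1.7.5+); `domain.com` and the cert paths are the placeholders from the post, and the cipher list is my suggested baseline, not something the post prescribes.

```nginx
# Added example (not from the original post): hardened TLS settings for
# the same site. Assumes nginx 1.13+ with OpenSSL 1.1.1; domain.com and
# the cert paths are the post's placeholders.

server {
    listen 80;
    server_name domain.com;
    # Same intent as the post's "rewrite ^(.*) https://$host$1 permanent;"
    # but without a regex, and it keeps the query string.
    return 301 https://$host$request_uri;
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name domain.com;

    ssl_certificate     certs/domain_com-class1.cert;
    ssl_certificate_key certs/domain_com-private.key;

    # Original: ssl_protocols SSLv2 SSLv3 TLSv1;
    # SSLv2 and SSLv3 are broken; TLS 1.0 and 1.1 are deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Original: ssl_ciphers ALL:!kEDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # That list enables RC4, LOW and export-grade suites. Offer only
    # forward-secret AEAD suites instead (suggested baseline, assumption).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption through a shared cache rather than only a timeout.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Tell browsers to keep using HTTPS for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Compression stays on for static assets. nginx always compresses
    # text/html, so gzip is switched off in the PHP location below instead:
    # compressing dynamic pages that mix user input with secrets (login and
    # edit tokens in wiki pages) is the condition BREACH relies on.
    gzip on;
    gzip_types text/css application/javascript application/x-javascript image/svg+xml;

    location / {
        root html;
        index index.html;
        try_files $uri $uri/index.html @wiki;
    }

    location @wiki {
        rewrite ^/wiki/index.php/(.*)$ /wiki/$1 permanent;
        rewrite ^/wiki/(.*)$ /wiki/index.php?title=$1&$args;
    }

    location ~ \.php$ {
        gzip off;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }

    # error_page blocks from the post are unchanged and omitted here.
}
```

After editing, run `nginx -t` before reloading so a typo in the cipher string or a missing semicolon (the post's original `gzip_types` line lacked one) is caught before the site goes down.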


Go through the motions on setting up MediaWiki with the MySQL database through the web interface at https://domain.com/wiki/.

Add this to the end of /var/www/wiki/LocalSettings.php:

### PRIVATE WIKI SETTINGS ###
# Disable anonymous reading/editing
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;


# Allow logins
$wgWhitelistRead = array ("Special:Userlogin",
    "MediaWiki:Common.css",
    "MediaWiki:Common.js",
    "MediaWiki:Monobook.css",
    "MediaWiki:Monobook.js",
    "-");


# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;


### NGINX SETTINGS ###
$wgUsePathInfo = true;

