Difference between revisions of "MediaWiki Debian Installation"

From HPWWiki

This page will be under construction for some while (started 2020-2-14).

Latest revision as of 16:21, 17 April 2020

My Experience Installing MediaWiki 1.31 on Debian GNU/Linux Bullseye (Buster)

February 2020

These are not complete installation instructions, but a description of some of the challenges, and possible solutions, in setting up MediaWiki with the following goals:

  1. As secure as possible, including forward secrecy,
  2. Short URLs and VisualEditor + Math extension.

My server is separate, i.e. not on my home workstation, and plugged into the router. It's a small fanless machine, consuming between 5 and 15 watts according to the product description. (Not being paid for advertising, I can recommend it at any time: fitlet2. See also the description at Phoronix.)

I am following neither a logical nor a chronological path, but rather pick the various issues from the end, with the solutions found. As I have full access to all parts of my network, ssh access is possible. To easily download extensions to the target server from the MediaWiki site, I access the target server with

homeuser@homemachine:~$ ssh -Y serveruser@targetserver

and then start firefox on the targetserver

serveruser@targetserver:~$ firefox&

Firewall

Between my homemachine (or an outside visitor) and the targetserver is the firewall built into my router, so I have to allow port sharing with my target server. Debian's default for ssh is port 22. (For further serving http, https and the parsoid and mathoid extensions, I also allowed ports 80, 443, 8143 and 10043, each for IPv4 and IPv6, to be shared.)

Debian on targetserver

fitlet2 comes with Linux Mint preinstalled, but I prefer Debian. Choosing a desktop environment and a web server on the targetserver allows remote browsing via ssh. Debian recommends

sudo tasksel

and then selecting "Debian desktop environment" (plus the choice of desktop) and "web server". This installs apache2, and whatever else it needs, as the default web server.

sudo apt update
sudo apt full-upgrade
sudo apt install mediawiki

installs, as I recall, all that is needed to run MediaWiki on localhost.

Short URLs

Short story: place two aliases in the apache2 conf file that defines the MediaWiki host, and set $wgArticlePath:

/etc/apache2/conf-enabled/mediawiki.conf:

Alias /mediawiki /var/lib/mediawiki
Alias /wiki /var/lib/mediawiki/index.php

/etc/mediawiki/LocalSettings.php:

$wgArticlePath = '/wiki/$1';

Longer story: to get this right one has to know, or guess, how apache2 loads its modules and configuration snippets: whether directives accumulate or override each other, in what order the files are loaded, and what the Debian defaults are. As I played too long with the configuration files, I can't tell anymore what the original state was. I suppose that /etc/mediawiki/mediawiki.conf was a link to /etc/apache2/conf-enabled/mediawiki.conf and that the above aliases could have been added there.

SSL Virtual Default Host

I used Let's Encrypt, or rather Certbot, to get a certificate for my site and had certbot change my configuration files in /etc/apache2.

(April 2020: see installation instructions for Debian testing.)

Testing with testssl showed vulnerabilities, namely that TLSv1 and TLSv1.1 were still accepted as protocols.

sudo apt install certbot python3-certbot-apache testssl.sh

testssl www.example.com

certbot changed the default virtual host file:

serveruser@targetserver:/etc/apache2/sites-enabled$ sudo nano 000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName www.example.com

        # ServerAlias
        ServerAlias example.com *.example.com

        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        ServerAdmin admin@localhost
        
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        SSLCertificateFile /etc/letsencrypt/live/www.example.com-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com-0001/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

Note the line 'Include /etc/letsencrypt/options-ssl-apache.conf': the protocols that are not to be offered are removed in that file:

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:...

SSLOptions +StrictRequire

testssl www.example.com now runs flawlessly, warning only about two or three ciphers that should not be offered.
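The fix above works because mod_ssl applies the SSLProtocol keywords left to right: "all" enables every version, "-X" removes one, and the last SSLProtocol line in effect wins. The script below is an added example, not code from certbot, testssl.sh or Apache. It computes the effective protocol set of such a line offline (so a config can be reviewed before apache2 is restarted), flags the legacy versions testssl complained about, and offers a small live probe that attempts one handshake per TLS version to confirm the change took effect. The SAMPLE_CONF text is constructed to mirror the certbot fragment shown above; the exact contents of "all" is an assumption matching Apache 2.4.37 or later with OpenSSL 1.1.1, where TLSv1.3 exists.

```python
"""Audit an Apache mod_ssl SSLProtocol line offline and, optionally, probe a
live server one TLS version at a time.

Added example for this page; not code from certbot, testssl.sh or Apache.
Keyword semantics (tokens applied left to right, "all", "+X", "-X", bare
name = add) follow the mod_ssl documentation; the contents of "all" is an
assumption matching Apache 2.4.37+ built against OpenSSL 1.1.1."""
import re
import socket
import ssl

# Keywords mod_ssl accepts, oldest first.  SSLv2 is deliberately absent: no
# supported OpenSSL can negotiate it, so certbot's "-SSLv2" is a harmless no-op.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Versions testssl flags and that the page's fix removes.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample mirroring the certbot options-ssl-apache.conf on this page.
SAMPLE_CONF = """\
SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305
SSLOptions +StrictRequire
"""


def find_directive(conf_text):
    """Return the last SSLProtocol line in a config fragment (later lines win),
    or None if the fragment sets none."""
    hits = [ln.strip() for ln in conf_text.splitlines()
            if re.match(r"(?i)^\s*sslprotocol\s", ln)]
    return hits[-1] if hits else None


def effective_protocols(directive):
    """Set of protocol versions an SSLProtocol line leaves enabled.

    Unknown keywords raise, so a typo like 'TLSv1.1.1' cannot pass unnoticed.
    """
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        lname = name.lower()
        if lname == "sslv2":
            continue                      # cannot be enabled anyway
        if lname == "all":
            names = set(KNOWN)
        else:
            names = {k for k in KNOWN if k.lower() == lname}
            if not names:
                raise ValueError(f"unknown SSLProtocol keyword: {tok!r}")
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit(directive):
    """Legacy versions still enabled by the directive, oldest first; an empty
    list means the line matches the hardened state the page ends up with."""
    enabled = effective_protocols(directive)
    return [p for p in KNOWN if p in LEGACY and p in enabled]


def probe_versions(host, port=443):
    """One handshake per TLS version: {version: accepted}.  Confirms that a
    config change took effect on the live server; not used by the tests.

    Caveat: if the client's own OpenSSL refuses TLSv1/1.1 (security level on
    recent distributions), those entries read False regardless of what the
    server offers, so testssl remains the authoritative check.
    """
    versions = (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    results = {}
    for name, ver in versions:
        ctx = ssl.create_default_context()  # certificate validation stays on
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


if __name__ == "__main__":
    line = find_directive(SAMPLE_CONF)
    print(line)
    print("enabled:", sorted(effective_protocols(line)))
    print("legacy still on:", audit(line) or "none")
    print("Apache default 'all -SSLv3' leaves on:", audit("all -SSLv3"))
```

Run it against the real file with `python3 audit.py` after swapping SAMPLE_CONF for `open("/etc/letsencrypt/options-ssl-apache.conf").read()`; the audit of Apache's stock "all -SSLv3" shows why a fresh install still answers TLSv1 and TLSv1.1 until the certbot include is in place.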

Math extension, including Parsoid and Mathoid

I added Extension:Math at the beginning of February 2020. Additionally, I added Parsoid and Mathoid, not being really sure whether this was needed. In any case, on the Parsoid site it is stated:

Parsoid (the PHP version) is planned to come natively bundled with MediaWiki by June 2020. At that time, the setup instructions on this page will be updated. Until then, for non-Wikimedia installations, Parsoid/JS is the supported version of Parsoid.

Parsoid and Mathoid are now services on my host. To access them via ports 8143 and 10043, respectively, I installed stunnel4

sudo apt install stunnel4

with the conf-file:

/etc/stunnel/parsoid-mathoid.conf:

cert = /etc/letsencrypt/live/www.example.com/fullchain.pem
key = /etc/letsencrypt/live/www.example.com/privkey.pem

[parsoid]
accept  = :::8143
connect = :::8142

[mathoid]
accept  = :::10043
connect = :::10042
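Each stunnel service above has two halves: the `accept` port (8143, 10043) terminates TLS and is the one the Firewall section forwards from the router, while the `connect` port (8142, 10042) is the plaintext hop to the Node service and must stay unforwarded. The script below is an added example, not stunnel's own tooling: it parses this INI-style file, reports per service which port to expose and which to keep internal, and notes whether the plaintext hop is pinned to a loopback address rather than the wildcard `::`. The SAMPLE text is constructed to mirror the conf file above, and SAMPLE_LOOPBACK is a constructed variant that assumes the Node services listen on 127.0.0.1.

```python
"""Review an stunnel4 configuration: for each service, which port carries TLS
and should be forwarded by the router, and which plaintext port stays
internal.  Added example for this page; not stunnel's own tooling.  It reads
the INI-style syntax of the page's /etc/stunnel/parsoid-mathoid.conf and
assumes, as stunnel does, that an endpoint is written as [host:]port with the
port after the last colon."""
import configparser

# Constructed sample mirroring the page's parsoid-mathoid.conf.
SAMPLE = """\
cert = /etc/letsencrypt/live/www.example.com/fullchain.pem
key = /etc/letsencrypt/live/www.example.com/privkey.pem

[parsoid]
accept  = :::8143
connect = :::8142

[mathoid]
accept  = :::10043
connect = :::10042
"""

# Constructed variant where the plaintext hop is pinned to the loopback
# address (assumes the Node services listen on 127.0.0.1).
SAMPLE_LOOPBACK = (SAMPLE.replace(":::8142", "127.0.0.1:8142")
                         .replace(":::10042", "127.0.0.1:10042"))

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
GLOBAL = "__stunnel_global__"   # synthetic section for options before the first [service]


def split_endpoint(value):
    """'[host:]port' -> (host, port).  ':::8143' yields ('::', 8143), the
    unspecified IPv6 address, i.e. any interface; a bare port yields ''."""
    host, sep, port = value.strip().rpartition(":")
    return (host if sep else "", int(port))


def parse_stunnel(text):
    """{service: {'accept': (host, port), 'connect': (host, port)}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # stunnel allows global options (cert, key, ...) before any section header
    cp.read_string(f"[{GLOBAL}]\n" + text)
    return {
        name: {"accept": split_endpoint(cp[name]["accept"]),
               "connect": split_endpoint(cp[name]["connect"])}
        for name in cp.sections() if name != GLOBAL
    }


def review(text):
    """Per service: the TLS port to expose, the plaintext port to keep off the
    router's forwarding list, and whether the plaintext hop already targets
    loopback rather than the wildcard address."""
    return {
        name: {
            "forward_port": ep["accept"][1],
            "internal_port": ep["connect"][1],
            "connect_is_loopback": ep["connect"][0] in LOOPBACK,
        }
        for name, ep in parse_stunnel(text).items()
    }


if __name__ == "__main__":
    for name, info in review(SAMPLE).items():
        print(f"{name}: forward {info['forward_port']}, keep {info['internal_port']} internal,"
              f" loopback hop: {info['connect_is_loopback']}")
```

The `forward_port` values are exactly the two ports the Firewall section shares, while `internal_port` lists what must not appear in the router's forwarding table; checking the two lists against each other after every stunnel change keeps the plaintext hop off the Internet.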