Mediawiki/Force SSL
Overview
All instructions done on Oracle Linux 6.5
http://www.rackspace.com/knowledge_center/article/serving-secure-sites-with-sni-on-apache
install mod ssl
~$ sudo yum install mod_ssl
If you cannot find the package, update your cache and search
~$ sudo yum check-update
~$ sudo yum search ssl
...
=============================== N/S Matched: ssl ===============================
...
mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server
apache config
comment out the following from /etc/httpd/conf/httpd.conf
#NameVirtualHost *:443
#Listen 443
Add new NameVirtualHost to /etc/httpd/conf.d/ssl.conf
#SNI config - tells apache to use named virtual hosts on the secure port
NameVirtualHost *:443
Verify that /etc/httpd/conf.d/ssl.conf has the following in it (uncommented)
Listen 443
create key, csr, and self-signed crt
http://www.akadia.com/services/ssh_test_certificate.html
create directories
Since you have multiple sites hosted from the same box, it's best to organize them into directories. The default location for certs on most Linux Apache installations with mod_ssl is:
/etc/ssl/certs/
create key
~$ openssl genrsa -des3 -out server.key 2048
generate csr
~$ openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
backup & remove passphrase from key
unless the passphrase is removed, apache will ask for the passphrase whenever it is started.
~$ cp server.key server.key.org
~$ openssl rsa -in server.key.org -out server.key
generate self-signed cert
~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
add ssl to virtual host
add the following to your virtual host config
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
edit mediawiki LocalSettings.php
http://www.mediawiki.org/wiki/Manual:$wgServer
Now let's go to LocalSettings.php and edit the site file:
~$ sudo vi /var/www/html/servername/mediawiki-1.22.6/
## The protocol and server name to use in fully-qualified URLs
$wgServer = "//servername.com";
## Adding $wgCanonicalServer for locations that don't support protocol-relative URLs
## (default if it cannot understand "//servername.com")
$wgCanonicalServer = "https://servername.com";
configure the https redirect
There are two ways to do this: through the virtualhost config (recommended), or by using mod_rewrite.
https://wiki.apache.org/httpd/RedirectSSL
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
mod_rewrite
This way worked best for me with multiple instances of mediawiki hosted from the same server on same ip, but as sub sites rather than sub domains.
open /etc/httpd/conf/httpd.conf and go to line 341 (in my version). Change AllowOverride from None to All
~$ sudo vi /etc/httpd/conf/httpd.conf
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
AllowOverride All
virtual host file
<VirtualHost *:80>
    ServerName http://wiki.r00tedvw.com
    # trailing slash on the target keeps the request path intact (/foo -> https://host/foo)
    Redirect permanent / https://wiki.r00tedvw.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName https://wiki.r00tedvw.com
    DocumentRoot /var/www/mediawiki
    ErrorLog /var/log/apache2/mediawiki-error.log
    CustomLog /var/log/apache2/mediawiki-access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/cert/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
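A quick sanity check for the virtual host pair above, written as an added example (not part of the original page or of Apache/MediaWiki): it parses the two vhost blocks, emulates how mod_alias appends the request path to a Redirect target, and flags the things that silently break a forced-SSL setup. The hostnames and paths are those used on this page; the config is a constructed sample.

```python
import re

# Constructed sample modelled on the vhost pair above; the Redirect target deliberately lacks its trailing slash.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName http://wiki.r00tedvw.com
    Redirect permanent / https://wiki.r00tedvw.com
</VirtualHost>
<VirtualHost *:443>
    ServerName https://wiki.r00tedvw.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/cert/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
"""

def parse_vhosts(conf):
    """Map each listening port to a dict of directive -> argument (comments skipped)."""
    vhosts = {}
    for port, body in re.findall(r"<VirtualHost\s+\S+:(\d+)>(.*?)</VirtualHost>", conf, re.S):
        lines = (ln.strip() for ln in body.splitlines())
        pairs = (ln.partition(" ") for ln in lines if ln and not ln.startswith("#"))
        vhosts[int(port)] = {name: arg.strip() for name, _, arg in pairs}
    return vhosts

def apply_redirect(prefix, target, request_path):
    """Emulate mod_alias 'Redirect <prefix> <target>': the request path after the
    matched prefix is appended verbatim to the target, slash or no slash."""
    if not request_path.startswith(prefix):
        return None
    return target + request_path[len(prefix):]

def check_forced_ssl(conf):
    """Return a list of findings; an empty list means the setup looks correct."""
    findings = []
    vhosts = parse_vhosts(conf)
    plain, secure = vhosts.get(80, {}), vhosts.get(443, {})
    redirect = plain.get("Redirect")
    if not redirect:
        findings.append("port 80 vhost has no Redirect to HTTPS")
    else:
        prefix, target = redirect.split()[-2:]  # the status word is optional
        if not target.startswith("https://"):
            findings.append("Redirect target is not https://")
        # Without a trailing slash, /index.php would land on https://hostindex.php.
        if apply_redirect(prefix, target, "/index.php") != target.rstrip("/") + "/index.php":
            findings.append(f"Redirect target {target} needs a trailing slash")
    if secure.get("SSLEngine", "").lower() != "on":
        findings.append("port 443 vhost does not set SSLEngine on")
    for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if directive not in secure:
            findings.append(f"port 443 vhost is missing {directive}")
    return findings
```

Run `check_forced_ssl` over your own config text; it prints nothing itself, so inspect the returned list.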