Mediawiki/Force SSL

Overview

All instructions done on Oracle Linux 6.5
http://www.rackspace.com/knowledge_center/article/serving-secure-sites-with-sni-on-apache

install mod ssl

~$ sudo yum install mod_ssl

If you cannot find the package, update your cache and search

~$ sudo yum check-update
~$ sudo yum search ssl
...
=============================== N/S Matched: ssl ===============================
...
mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server

apache config

comment out the following from /etc/httpd/conf/httpd.conf

#NameVirtualHost *:443
#Listen 443

Add new NameVirtualHost to /etc/httpd/conf.d/ssl.conf

#SNI config - tells apache to use named virtual hosts on the secure port
NameVirtualHost *:443

Verify that /etc/httpd/conf.d/ssl.conf has the following in it (uncommented)

Listen 443

create key,csr, and self-signed crt

http://www.akadia.com/services/ssh_test_certificate.html

create directories

since you have multiple sites hosted from the same box, its best to organize them into directories. The default location for certs on most linux apache installations with mod_ssl is:

/etc/ssl/certs/

create key

~$ openssl genrsa -des3 -out server.key 2048

generate csr

~$ openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

backup & remove passphrase from key

unless the passphrase is removed, apache will ask for the passphrase whenever it is started.

~$ cp server.key server.key.org
~$ openssl rsa -in server.key.org -out server.key

generate self-signed cert

~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key

add ssl to virtual host

add the following to your virtual host config

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

edit mediawiki LocalSettings.php

http://www.mediawiki.org/wiki/Manual:$wgServer
Now lets go to LocalSettings.php and edit the site file:

~$ sudo vi /var/www/html/servername/mediawiki-1.22.6/
## The protocol and server name to use in fully-qualified URLs
$wgServer = "//servername.com";

## Adding $wgCanonicalServer for locations that don't support protocol relative urls (default if it cannot understand "//servername.com"
$wgCanonicalServer = "https://servername.com";

configure the https redirect

there are (2) ways to do this, one through the virtualhost config (recommended), or one by using mod_rewrite
https://wiki.apache.org/httpd/RedirectSSL
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

mod_rewrite

This way worked best for me with multiple instances of mediawiki hosted from the same server on same ip, but as sub sites rather than sub domains.
open /etc/httpd/conf/httpd.conf and go to line 341 (in my version). Change AllowOverride from None to All

~$ sudo vi /etc/httpd/conf/httpd.conf
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride All

virtual host file

<VirtualHost *:80>
        ServerName http://wiki.r00tedvw.com
        Redirect permanent / https://wiki.r00tedvw.com
</VirtualHost>
<VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName https://wiki.r00tedvw.com
        DocumentRoot /var/www/mediawiki
        ErrorLog /var/log/apache2/mediawiki-error.log
        CustomLog /var/log/apache2/mediawiki-access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/cert/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

Mediawiki/Force SSL

Contents

Overview

install mod ssl

apache config

create key,csr, and self-signed crt

create directories

create key

generate csr

backup & remove passphrase from key

generate self-signed cert

add ssl to virtual host

edit mediawiki LocalSettings.php

configure the https redirect

mod_rewrite

virtual host file

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Mediawiki

Confluence

DevOps Tools

Ubuntu

Ubuntu 22

Mac OSX

Oracle Linux

AWS

Windows

OpenVPN

Grafana

InfluxDB2

TrueNas

OwnCloud

Pivotal

osTicket

OTRS

phpBB

WordPress

VmWare ESXI 5.1

Crypto currencies

HTML

CSS

Python

Java Script

PHP

Raspberry Pi

Canvas LMS

Kaltura Media Server

Plex Media Server

MetaSploit

Zoneminder

ShinobiCE

Photoshop CS2

Fortinet

Uploaded

Certifications

General Info

Games

Meal Plans

NC Statutes

2020 Election

Volkswagen

Covid

NCDMV

Toolbox