Make sure your LocalSettings.php file contains the following:
$wgDreamServer = "http://localhost:8081";
$wgDekiApi = "deki";
Note: If you've moved your DekiHost to a different server or port, you'll need to modify the $wgDreamServer key in LocalSettings.php as well as your Apache mod_proxy ProxyPass and ProxyPassReverse directives.
If you already have an SSL certificate do the following:
mkdir /etc/apache2/ssl
Copy the file containing your PEM encoded private key and cert file:
cp mycert.pem /etc/apache2/ssl/apache2.pem
If you don't already have an SSL certificate, do the following to generate a self-signed cert:
mkdir /etc/apache2/ssl
apt-get install ssl-cert
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache2.pem
If you don't want to install the ssl-cert package you can manually create the file like this:
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache2.pem -keyout /etc/apache2/ssl/apache2.pem
Add "Listen 443" to /etc/apache2/ports.conf
Edit your /etc/apache2/sites-available/deki file and make sure it looks like this:
(NB, the right file might be /etc/apache2/sites-available/dekiwiki for later versions)
<VirtualHost *:443>
ServerName deki-hayes
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache2.pem
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log common
DocumentRoot "/var/www/deki-hayes"
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^/$ /index.php?title= [L,NE]
RewriteCond %{REQUEST_URI} !/(@api|editor|skins|config)/
RewriteCond %{REQUEST_URI} !/(redirect|texvc|index|Version).php
RewriteCond %{REQUEST_URI} !/error/(40(1|3|4)|500).html
RewriteCond %{REQUEST_URI} !/favicon.ico
RewriteCond %{REQUEST_URI} !/robots.txt
RewriteCond %{QUERY_STRING} ^$ [OR]
RewriteCond %{REQUEST_URI} ^/Special:Search
RewriteRule ^/(.*)$ /index.php?title=$1 [L,QSA,NE]
# deki-api uses encoded slashes in query parameters so AllowEncodedSlashes must be On
AllowEncodedSlashes On
# mod_proxy rules
ProxyPass /@api http://localhost:8081 retry=1
ProxyPassReverse /@api http://localhost:8081
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
Enable the apache ssl module
a2enmod ssl
Restart apache
/etc/init.d/apache2 restart
If you want to enable both unsecured and secure communications, make sure you have the following in your Apache config:
NameVirtualHost *:443
NameVirtualHost *:80
Then duplicate your vhost section making sure to include the SSL directive for the SSL enabled section. Each section should be defined with the port to access it with. Here is the snippet for each section's VirtualHost directive.
<VirtualHost *:80>
# snip
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache2.pem
# snip
</VirtualHost>
Extracted from here by the author.
It may be desirable to authenticate the SSL sessions against the wiki's internal user database. There are lots of tools to authenticate against SQL servers, but none of them work with MindTouch because the wiki does not store its passwords in any conventional way. Normal Apache2 auth mechanisms expect the passwords to be stored as a simple hash, but Deki is more cunning:
crypt_pass = md5( user_id & "-" & md5( clear_password ) )
The best tool to handle custom authentication mechanisms appears to be mod_authnz_external; as far as this application is concerned it seems to work well. After enabling the module in Apache (see the documentation for the module), all that is needed is to add the following to the <VirtualHost *:443> section:
AddExternalAuth dekisql-auth /usr/sbin/dekisql-auth.pl
SetExternalAuthMethod dekisql-auth pipe
<Location />
SSLRequireSSL
AuthType Basic
AuthName "Deki - Restricted"
AuthBasicProvider external
AuthExternal dekisql-auth
require valid-user
</Location>
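Then finally there is the script. It is the SQL script supplied with the external authnz module with some changes. Change the query to the following, which binds the user name as a placeholder and matches it exactly rather than interpolating it into a "like" pattern:
my $dbq = $dbh->prepare("select user_name as username, user_password as password, user_id as userid from users where user_name = ? and user_active=1;");
$dbq->execute($user);  # in place of the script's existing execute call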
and under the "accepted" conditional statement change it to the following from the simple comparison that was there before:
if ($row->{password} eq md5_hex($row->{userid} . '-' . md5_hex($pass))) {
Optionally, to aid diagnostics, also add a line to the "else" after the accepted message to show what happened if the password was rejected:
print STDERR $row->{userid} . " - " . md5_hex($row->{userid} . '-' . md5_hex($pass)) . "\n";
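The check described above, written out as a complete pipe-method authenticator. This is an added example, not the page's Perl script or MindTouch code. It assumes the users columns named in the query above and uses an in-memory SQLite table with constructed accounts in place of the Deki MySQL database so that it runs stand-alone.

```python
import hashlib
import hmac
import sqlite3
import sys

def deki_hash(user_id, password):
    """Deki scheme from the page: md5(user_id + "-" + md5(password)), hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{user_id}-{inner}".encode("utf-8")).hexdigest()

def check_login(db, user, password):
    # Bound parameter and exact match: the user name never becomes part of
    # the SQL text, and '%' or '_' in it are not treated as wildcards.
    row = db.execute(
        "SELECT user_id, user_password FROM users "
        "WHERE user_name = ? AND user_active = 1", (user,)).fetchone()
    if row is None:
        return False
    user_id, stored = row
    # Constant-time comparison of the stored and recomputed hex digests.
    return hmac.compare_digest(stored.lower().encode(),
                               deki_hash(user_id, password).encode())

def sample_db():
    """Constructed in-memory stand-in for the Deki users table (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, "
               "user_password TEXT, user_active INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", deki_hash(1, "correct horse"), 1),
        (2, "retired", deki_hash(2, "old secret"), 0),   # inactive account
    ])
    return db

def main(db, stdin=sys.stdin):
    # Pipe method: user name and password arrive on stdin, one per line;
    # exit status 0 accepts the login, any other status rejects it.
    user = stdin.readline().rstrip("\r\n")
    password = stdin.readline().rstrip("\r\n")
    ok = check_login(db, user, password)
    # Log only the outcome, never the password or the computed hash.
    print(f"dekisql-auth: {'accepted' if ok else 'rejected'} {user!r}",
          file=sys.stderr)
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main(sample_db()))
```

Against a real installation, sample_db() would be replaced by a connection to the Deki database using that driver's own placeholder syntax.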
This code is added to /etc/apache2/sites-available/deki
<VirtualHost *:80>
ServerName localhost
RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} HTTP
RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R,L]
AllowEncodedSlashes On
ProxyPass /@api http://localhost:8081 retry=1
ProxyPassReverse /@api http://localhost:8081
</VirtualHost>
Is there a more direct method someone could point me toward to address this?
1. The Apache2 config is here /etc/apache2/sites-available/dekiwiki (instead of [...]/deki)
2. I also needed to update the Proxy rules ...
ProxyPass /@api http://localhost:8081 retry=1
ProxyPassReverse /@api http://localhost:8081
to
ProxyPass /@api https://localhost:8081 retry=1
ProxyPassReverse /@api https://localhost:8081
... quite obvious when you think about it ;-)
1. # cd /etc/pki/tls/certs
2. # mkdir deki
3. # cd deki
4. # openssl req -new -x509 -days 365 -nodes -out ./dekiwiki.pem -keyout ./dekiwiki.pem
5. # cd /etc/httpd/conf.d
6. # vi deki-apache.conf
Duplicate the block so you have one for 80 and the second, below it, for 443.
<VirtualHost *>
</VirtualHost>
Update this file so the end result looks similar to the below. The dots are existing lines of code.
<VirtualHost *:80>
:
.
</VirtualHost>
<VirtualHost *:443>
:
.
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/deki/dekiwiki.pem
:
.
</VirtualHost>
7. # cd /etc/httpd/conf
8. # vi httpd.conf
Within vi, search for NameVirtualHost. Below line '# SSL protocal.' add two lines:
NameVirtualHost *:80
NameVirtualHost *:443
9. Save and quit vi
10. Restart httpd service: # service httpd restart
edited 03:21, 30 Oct 2008
RewriteCond %{REQUEST_URI} !/(@api|editor|skins|config|deki)/
instead of
RewriteCond %{REQUEST_URI} !/(@api|editor|skins|config)/
as specified here https://svn.mindtouch.com/source/public/dekiwiki/9.02/config/deki-apache.conf