Marc Chang's picture

I have successfully installed and am running https://www.turnkeylinux.org/mediawiki

The server is running on a private address (192.168.x.y) with the Turnkey self-signed certificates. After adding the modifications below to make a private Wiki, VisualEditor is not working. I get the error:

Error contacting the Parsoid/RESTBase server: http-request-error

I think it's because VisualEditor is doing an HTTP request to itself and the self-signed SSL certificate is not accepted? Has anybody successfully installed VisualEditor in a private wiki?

==

Made the following modifications in /var/www/mediawiki/LocalSettings.php

(inserted at the end of the file)

# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
# But allow them to read e.g., these pages:
$wgWhitelistRead = [ "Main Page", "Help:Contents" ];
# Allow Jobs to be run (appended, so the pages listed above stay whitelisted)
$wgWhitelistRead[] = "Special:RunJobs";

# Requires that a user be registered before they can edit.
$wgGroupPermissions['*']['edit'] = false;

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

if ( !isset( $_SERVER['REMOTE_ADDR'] ) OR
     in_array($_SERVER['REMOTE_ADDR'],
       [
         $_SERVER['SERVER_ADDR'],
         $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '', # if MediaWiki behind reverse proxy; the header is client-supplied unless the proxy overwrites it
         '127.0.0.1',
         'localhost',
       ]
     ) 
   ) {
  $wgGroupPermissions['*']['read'] = true;
  $wgGroupPermissions['*']['edit'] = true;
  $wgGroupPermissions['*']['writeapi'] = true;
}

 

Jeremy Davis's picture

I suspect that you are right that the issue is the self signed cert!

So the "proper fix" is to get an SSL cert. If your server is using a registered domain name and is publicly available, it is pretty easy to get a free cert via the Confconsole Let's Encrypt plugin.

If that's not an option, then the next best thing would probably be to just use plain http (i.e. no SSL at all). To do that, you'll need to remove the http -> https redirect. Here is what the default Apache config (/etc/apache2/sites-available/mediawiki.conf) looks like (yours may be slightly different but should be close). Note that the redirect is within the '<VirtualHost *:80>' section (which is for plain http).

To remove the redirect, you just need to comment out the relevant lines. I.e. put a '#' in front of the line (it can go right at the start of the line if you like, but I prefer to indent it so it looks nicer). E.g.:

    #RewriteEngine On
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^/(.*) https://localhost/$1 [R,L]

Then you'll also need to add a DocumentRoot directive to the http config section (because there was a redirect, it wasn't required previously; now there is no redirect, you'll need it). I.e. just copy the line from the '<VirtualHost *:443>' (https) section into the '<VirtualHost *:80>' (http) section.

    DocumentRoot /var/www/mediawiki/

So the final product should look something like this:

ServerName localhost

<VirtualHost *:80>
    UseCanonicalName Off
    ServerAdmin  webmaster@localhost
    #RewriteEngine On
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^/(.*) https://localhost/$1 [R,L]
    DocumentRoot /var/www/mediawiki/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerAdmin  webmaster@localhost
    DocumentRoot /var/www/mediawiki/
    # Mediawiki itself redirects to domain
</VirtualHost>

<Directory /var/www/mediawiki/>
    Options +FollowSymLinks -Indexes
    AllowOverride All
    Require all granted
</Directory>

Finally, you need to restart Apache to apply the new config:

systemctl restart apache2

Hopefully that fixes it. If not, please let me know and we can go from there...

Marc Chang's picture

After you have changed the Apache configuration, don't forget to set $wgServer.

It could be

$wgServer = "http://<IP ADDRESS>";

or

$wgServer = "https://<IP ADDRESS>";

 

depending on if you use http or https.

Marc Chang's picture

Jeremy,

indeed the wiki is running over http. I can use this as a "fix".

Questions:

  1. Is it possible to have the appliance trust its own self-signed certificate?
  2. Where can I find the public/private key of the appliance?
  3. How do I add the appliance's key details to the list of trusted certificates?
Jeremy Davis's picture

Great to hear that works.

In answer to your questions:

  1. Yes it is. I've never done it and am not 100% clear on exactly what steps are required, but by my understanding, you essentially need to create your own certificate authority, then sign your SSL cert with your CA key. You also need to configure the system to trust your CA. I'll have a bit of a look and post back if I find anything that seems particularly relevant.
  2. The public cert and private keys are in /etc/ssl/private/; both the public cert and private key (and Diffie-Hellman parameters) are contained within the cert.pem file and the private key is also within the cert.key file (we format them like that so all the services can use the same certificate).
  3. See #1.
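
The steps outlined in answer 1 above (create your own CA, sign the server certificate with the CA key, have the system trust the CA), sketched with openssl as an added example; it is not part of the original thread and not TurnKey's own tooling. The subject names, the 192.168.0.10 address and the example-wiki-ca.crt file name are constructed placeholders, and the trust-store step assumes a Debian-based system.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed server certificate for a host
# reached by IP address. Names and addresses are constructed placeholders.

build_chain() {   # $1 = output directory, $2 = server IP address
    d=$1; ip=$2
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Wiki CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$d/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    # 1. Self-signed CA certificate; ca.key is the secret that must be protected.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    # 2. Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=$ip" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    # 3. CA signs the request; the IP goes into subjectAltName, which is what
    #    TLS clients match against when the URL uses an IP address.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$d/server.ext" \
        -out "$d/server.crt" 2>/dev/null
}

chain_ok() {      # $1 = directory, $2 = IP address the client will connect to
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}

# 4. System-wide trust on a Debian-based system (needs root, not run here):
#      cp ca.crt /usr/local/share/ca-certificates/example-wiki-ca.crt
#      update-ca-certificates

work=$(mktemp -d)
build_chain "$work" 192.168.0.10 && chain_ok "$work" 192.168.0.10 &&
    echo "server.crt chains to ca.crt and is valid for 192.168.0.10"
```

Keep ca.key off the appliance; only ca.crt has to be distributed to the machines that should trust the wiki.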
