NOTE: SSL support will be fully added in version 1.8.3 of Deki Wiki. This document assumes you're using version 1.8.3 or higher.
Make sure your LocalSettings.php file contains the following:
$wgDreamServer = "http://localhost:8081";
$wgDekiApi = "deki";
Note: If you've moved your DekiHost to a different server or port, you'll need to modify the $wgDreamServer key in LocalSettings.php as well as your Apache mod_proxy ProxyPass and ProxyPassReverse directives.
If you already have an SSL certificate do the following:
mkdir /etc/apache2/ssl
Copy the PEM file containing your private key and certificate:
cp mycert.pem /etc/apache2/ssl/apache2.pem
If you don't already have an SSL certificate, do the following to generate a self-signed cert:
mkdir /etc/apache2/ssl
apt-get install ssl-cert
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache2.pem
If you don't want to install the ssl-cert package you can manually create the file like this:
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache2.pem -keyout /etc/apache2/ssl/apache2.pem
Add "Listen 443" to /etc/apache2/ports.conf.
Edit your /etc/apache2/sites-available/deki file and make sure it looks like this:
<VirtualHost *:443>
ServerName deki-hayes
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache2.pem
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log common
DocumentRoot "/var/www/deki-hayes"
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^/$ /index.php?title= [L,NE]
RewriteCond %{REQUEST_URI} !/(@api|editor|skins|config)/
RewriteCond %{REQUEST_URI} !/(redirect|texvc|index|Version).php
RewriteCond %{REQUEST_URI} !/error/(40(1|3|4)|500).html
RewriteCond %{REQUEST_URI} !/favicon.ico
RewriteCond %{REQUEST_URI} !/robots.txt
RewriteCond %{QUERY_STRING} ^$ [OR]
RewriteCond %{REQUEST_URI} ^/Special:Search
RewriteRule ^/(.*)$ /index.php?title=$1 [L,QSA,NE]
# deki-api uses encoded slashes in query parameters so AllowEncodedSlashes must be On
AllowEncodedSlashes On
# mod_proxy rules
ProxyPass /@api http://localhost:8081 retry=1
ProxyPassReverse /@api http://localhost:8081
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
Enable the Apache SSL module:
a2enmod ssl
Restart Apache:
/etc/init.d/apache2 restart
If you want to enable both unsecured and secure communications, make sure you have the following in your Apache config:
NameVirtualHost *:443
NameVirtualHost *:80
Then duplicate your vhost section, making sure to include the SSL directives in the SSL-enabled section. Each section is defined with the port used to access it. Here is the snippet for each section's VirtualHost directive:
<VirtualHost *:80>
# snip
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache2.pem
# snip
</VirtualHost>
Extracted from here by the author.
It may be desirable to authenticate the SSL sessions against the wiki's internal user database. There are lots of tools to authenticate against SQL servers, but none of them work with Dekiwiki because the wiki does not store its passwords in any conventional way. Normal Apache2 auth mechanisms expect the password to be stored as a simple hash, but deki is more cunning:
crypt_pass = md5( user_id & "-" & md5( clear_password ) )
The best tool to handle custom authentication mechanisms appears to be mod_authnz_external; as far as this application is concerned it seems to work well. After enabling the module in Apache (see the module's documentation), all that is needed is to add the following to the <VirtualHost *:443> section:
AddExternalAuth dekisql-auth /usr/sbin/dekisql-auth.pl
SetExternalAuthMethod dekisql-auth pipe
<Location />
SSLRequireSSL
AuthType Basic
AuthName "Deki - Restricted"
AuthBasicProvider external
AuthExternal dekisql-auth
require valid-user
</Location>
Finally, there is the script itself. It is just the SQL authentication script supplied with mod_authnz_external, with the following changes. Change the query to:
my $dbq = $dbh->prepare("select user_name as username, user_password as password, user_id as userid from users where user_name like \'$user\' and user_active=1;");
Under the "accepted" conditional statement, replace the simple comparison that was there before with the following:
if ($row->{password} eq md5_hex($row->{userid} . '-' . md5_hex($pass))) {
Optionally, to aid diagnostics, also add a line to the "else" branch after the accepted message to show what happened if the password was rejected:
print STDERR $row->{userid} . " - " . md5_hex($row->{userid} . '-' . md5_hex($pass)) . "\n";
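As an added example (not the page's Perl script or anything shipped with mod_authnz_external), here is the same check written in Python as a "pipe" authenticator: it reads the username and password on two lines of stdin, applies the crypt_pass formula above against a constructed in-memory stand-in for the users table, and exits 0 on accept or 1 on reject.

```python
import hashlib
import hmac
import sys


def deki_hash(user_id, clear_password):
    """Return the digest Deki Wiki stores: md5(user_id + "-" + md5(clear_password))."""
    inner = hashlib.md5(clear_password.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{user_id}-{inner}".encode("utf-8")).hexdigest()


# Constructed sample rows standing in for the wiki's `users` table (not real data).
USERS = {
    "alice": {"user_id": 3, "user_active": 1,
              "user_password": deki_hash(3, "correct horse")},
    "bob":   {"user_id": 7, "user_active": 0,
              "user_password": deki_hash(7, "hunter2")},
}


def check_login(users, user_name, clear_password):
    """Mirror the script's SQL filter (matching user_name, user_active=1) and
    the page's comparison. Returns True on accept, False on any failure."""
    row = users.get(user_name)
    if row is None or row["user_active"] != 1:
        return False
    expected = deki_hash(row["user_id"], clear_password)
    # Constant-time compare so the response time does not leak where the
    # stored digest and the computed digest first differ.
    return hmac.compare_digest(row["user_password"], expected)


def main():
    # mod_authnz_external "pipe" method: username on line 1, password on line 2.
    user_name = sys.stdin.readline().rstrip("\n")
    clear_password = sys.stdin.readline().rstrip("\n")
    ok = check_login(USERS, user_name, clear_password)
    if not ok:
        # Diagnostic only; like the page's STDERR line, it ends up in the Apache error log.
        print(f"{user_name}: password rejected", file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Unlike the Perl query above, this example never builds SQL from the username; if you keep the Perl script, pass $user as a bind parameter (a ? placeholder in prepare and an argument to execute) rather than interpolating it into the query string.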
This code is added to /etc/apache2/sites-available/deki:
<VirtualHost *:80>
ServerName localhost
RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} HTTP
RewriteRule ^(.*) https://%{HTTP_HOST}$1 [R,L]
AllowEncodedSlashes On
ProxyPass /@api http://localhost:8081 retry=1
ProxyPassReverse /@api http://localhost:8081
</VirtualHost>
Is there a more direct method someone could point me toward to address this?
1. The Apache2 config is here /etc/apache2/sites-available/dekiwiki (instead of [...]/deki)
2. I also needed to update the Proxy rules ...
ProxyPass /@api http://localhost:8081 retry=1
ProxyPassReverse /@api http://localhost:8081
to
ProxyPass /@api https://localhost:8081 retry=1
ProxyPassReverse /@api https://localhost:8081
... quite obvious when you think about it ;-)