Jump to content

ICT:MW Installation procedure 1.43 LTS: Difference between revisions

From Costa Sano MediaWiki
Mngr (talk | contribs)
Bots, Bureaucrats, club, ict, Interface administrators, research, Suppressors, Administrators
1,554 edits
VisualWikitext
Created page with "= Installation Procedure for newMW (MediaWiki 1.43 LTS) = This document describes the clean, reproducible installation workflow for deploying a new MediaWiki instance (newMW) on the existing 3‑VM infrastructure. It includes directory preparation, file extraction, permissions, and the preferred ownership model for VS Code access. == 1. Preparation == All commands are executed on VM1 (Web Layer). === 1.1 Create the target directory === <pre> mkdir /var/www/newMW </pre>..."
 
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Installation Procedure for newMW (MediaWiki 1.43 LTS) =
= Installation Procedure for newMW (MediaWiki 1.43 LTS) =
This document describes the clean, reproducible installation workflow for
This document describes the clean, reproducible installation workflow for
deploying a new MediaWiki instance (newMW) on the existing 3‑VM infrastructure.
deploying a new MediaWiki instance (newMW) on the existing 3‑VM infrastructure.
It includes directory preparation, file extraction, permissions, and the
The installation is intentionally split into two phases:
preferred ownership model for VS Code access.
 
* Phase 1: Local installation and testing on VM1 (no reverse‑proxy required)
* Phase 2: Public exposure through VM3 (nginx reverse‑proxy)
 
This staged approach allows safe testing before the wiki becomes accessible
from the internet.
 
== 1. Create the newwiki Database (VM2 – Database Layer) ==
All commands in this section are executed on VM2.
 
=== 1.1 Connect to MariaDB ===
<pre>
mysql -u root -p
</pre>
 
=== 1.2 Create the database ===
<pre>
CREATE DATABASE newwiki
  CHARACTER SET utf8mb4
  COLLATE utf8mb4_unicode_ci;
</pre>
 
=== 1.3 Create the database user ===
Replace <code>VM1-IP</code> with the internal Hyper‑V IP of the web server.
 
<pre>
CREATE USER 'newwikiuser'@'VM1-IP' IDENTIFIED BY 'strongpassword';
</pre>
 
=== 1.4 Grant privileges ===
<pre>
GRANT ALL PRIVILEGES ON newwiki.* TO 'newwikiuser'@'VM1-IP';
FLUSH PRIVILEGES;
</pre>


== 1. Preparation ==
=== 1.5 Exit MariaDB ===
All commands are executed on VM1 (Web Layer).
<pre>
EXIT;
</pre>


=== 1.1 Create the target directory ===
== 2. Prepare the Installation Directory (VM1 – Web Layer) ==
All commands below are executed on VM1.
 
=== 2.1 Create the target directory ===
<pre>
<pre>
mkdir /var/www/newMW
mkdir /var/www/newMW
</pre>
</pre>


=== 1.2 Move into the working directory ===
=== 2.2 Move into the working directory ===
<pre>
<pre>
cd /var/www
cd /var/www
</pre>
</pre>


== 2. Download MediaWiki ==
== 3. Download MediaWiki ==
Download the latest LTS tarball (example: 1.43.8):
Download the latest LTS tarball (example: 1.43.8):


Line 25: Line 64:
</pre>
</pre>


== 3. Extract MediaWiki ==
== 4. Extract MediaWiki ==
Extract the archive. This creates a directory such as <code>mediawiki-1.43.8/</code>.
Extract the archive. This creates a directory such as <code>mediawiki-1.43.8/</code>.


Line 32: Line 71:
</pre>
</pre>


== 4. Move Extracted Files into newMW ==
== 5. Move Extracted Files into newMW ==
Move normal files:
Move normal files:


Line 57: Line 96:
</pre>
</pre>


== 5. Ownership and Permissions ==
== 6. Ownership and Permissions ==
Use the preferred ownership model to allow editing via VS Code while keeping
Use the preferred ownership model to allow editing via VS Code while keeping
Apache fully functional.
Apache fully functional.


=== 5.1 Set owner and group ===
=== 6.1 Set owner and group ===
<pre>
<pre>
chown -R mngr:apache /var/www/newMW
chown -R mngr:apache /var/www/newMW
</pre>
</pre>


=== 5.2 Ensure group write permissions ===
=== 6.2 Ensure group write permissions ===
<pre>
<pre>
chmod -R g+w /var/www/newMW
chmod -R g+w /var/www/newMW
</pre>
</pre>


=== 5.3 Apply clean directory/file permissions ===
=== 6.3 Apply clean directory/file permissions ===
Directories:
Directories:


Line 84: Line 123:
</pre>
</pre>


=== 5.4 Enable group inheritance (setgid) ===
=== 6.4 Enable group inheritance (setgid) ===
Ensures new files created inside inherit the <code>apache</code> group.
Ensures new files created inside inherit the <code>apache</code> group.


Line 91: Line 130:
</pre>
</pre>


== 6. Apache Virtual Host ==
== 7. Enable Apache to Listen on Port 8080 (VM1) & Virtual Host file ==
Create a vhost on VM1:
Apache does not automatically listen on new ports defined in VirtualHost
blocks. The port must be explicitly enabled in the main configuration.
 
=== 7.1 Edit the main Apache configuration ===
Open the file:
 
<pre>
/etc/httpd/conf/httpd.conf
</pre>
 
Locate the existing Listen directive:
 
<pre>
Listen 80
</pre>
 
Add the following line directly below it:
 
<pre>
Listen 8080
</pre>
 
=== 7.2 Validate the configuration ===
<pre>
apachectl configtest
</pre>
 
Expected output:
 
<pre>
Syntax OK
</pre>
 
=== 7.3 Restart Apache ===
<pre>
systemctl restart httpd
</pre>
 
=== 7.4 Verify Apache is listening on port 8080 ===
<pre>
ss -tlnp | grep httpd
</pre>
 
Expected result:
 
<pre>
0.0.0.0:80
0.0.0.0:8080
</pre>
 
Apache is now ready to serve the temporary local-only vhost on port 8080.
 
 
=== 7.5 Local‑Only Apache Virtual Host (VM1) ===
This vhost allows installation and testing without involving the reverse‑proxy.


<pre>
<pre>
<VirtualHost *:8080>
<VirtualHost *:8080>
     ServerName newwiki.example.com
     ServerName newmw.local
     DocumentRoot /var/www/newMW
     DocumentRoot /var/www/newMW


Line 104: Line 197:
     </Directory>
     </Directory>


     ErrorLog /var/log/httpd/newwiki-error.log
     ErrorLog /var/log/httpd/newmw-local-error.log
     CustomLog /var/log/httpd/newwiki-access.log combined
     CustomLog /var/log/httpd/newmw-local-access.log combined
</VirtualHost>
</VirtualHost>
</pre>
</pre>
Line 115: Line 208:
</pre>
</pre>


== 7. nginx Reverse‑Proxy (VM3) ==
== 8. Run the Installer Locally ==
Add a server block:
Access the installer using one of:
 
* <code>http://VM1-IP:8080</code>
* <code>http://newmw.local:8080</code> (if added to /etc/hosts)
 
Complete the installation.
 
The installer will generate a <code>LocalSettings.php</code> with:
 
<pre>
$wgServer = "http://VM1-IP:8080";
</pre>
 
Place the file in:
 
<pre>
/var/www/newMW/LocalSettings.php
</pre>
 
== 9. Local Testing ==
Before exposing the wiki publicly, verify:
 
* Page creation
* Editing
* File uploads (if enabled)
* User accounts
* Extensions
* Permissions
* Logging
 
This phase is isolated and safe.
 
== 10. Prepare for Public Access (VM3 – Reverse‑Proxy Layer) ==
Only after local testing is complete, add the nginx server block:


<pre>
<pre>
Line 137: Line 263:
</pre>
</pre>


== 8. Run the MediaWiki Installer ==
== 11. Update LocalSettings.php for Public Access ==
Navigate to:
Change:


<pre>
<pre>
https://newwiki.example.com
$wgServer = "https://newwiki.example.com";
</pre>
</pre>


Provide:
Optionally:
* Database: <code>newwiki</code>
* User: <code>newwikiuser</code>
* Password: (as created on VM2)
* Site name
* Admin account
 
Download <code>LocalSettings.php</code> and place it in:


<pre>
<pre>
/var/www/newMW/LocalSettings.php
$wgCanonicalServer = "https://newwiki.example.com";
</pre>
</pre>


== 9. Minimal Post‑Install Configuration ==
== 12. Final Verification ==
Add or verify:
* Public URL loads correctly
* <code>/wiki/Main_Page</code> resolves
* Editing works
* Uploads work
* No rewrite errors in Apache logs
* nginx proxies correctly
* MariaDB connections succeed
 
== 13. Summary ==
This procedure installs MediaWiki in two safe phases:
 
* Phase 1: Local installation and validation on VM1
* Phase 2: Public exposure through VM3
 
This staged approach avoids dependency on the reverse‑proxy during installation
and allows controlled, low‑risk rollout.
 
 
= Addendum =
 
== Adding a New Domain + Certificate on VM3 (nginx + Certbot) ==
This procedure is used when onboarding a new subdomain to the reverse‑proxy layer on VM3. 
It avoids the nginx/Certbot “missing certificate” failure by always starting with a minimal HTTP‑only configuration, issuing the certificate, and then enabling HTTPS.
 
=== 1. Create a minimal HTTP‑only reverse‑proxy config ===
Create <code>/etc/nginx/conf.d/&lt;domain&gt;.conf</code> with:
 
<syntaxhighlight lang="nginx">
# ============================================
#  Reverse proxy (HTTP only)
#  <domain>
# ============================================
 
server {
    listen 80;
    listen [::]:80;
    server_name <domain>;


<pre>
    # ACME challenge (Certbot uses this)
$wgServer = "https://newwiki.example.com";
    location /.well-known/acme-challenge/ {
$wgScriptPath = "";
        root /usr/share/nginx/html;
$wgArticlePath = "/wiki/$1";
    }
$wgUsePathInfo = true;
 
</pre>
    # Temporary: no HTTPS redirect until certificate exists
    location / {
        proxy_pass http://<backend-ip>:<backend-port>;
 
        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}
</syntaxhighlight>
 
Reload nginx:
 
<syntaxhighlight lang="bash">
sudo nginx -t
sudo systemctl reload nginx
</syntaxhighlight>
 
At this point the domain resolves over HTTP and Certbot can validate it.
 
=== 2. Issue the certificate using the nginx plugin ===
Run:
 
<syntaxhighlight lang="bash">
sudo certbot --nginx -d <domain>
</syntaxhighlight>
 
Certbot will:
* inject a temporary ACME location 
* validate the domain 
* obtain the certificate 
* install it 
* register it for automatic renewal 
 
This step only works if nginx is running without SSL errors.
 
=== 3. Replace the config with the full HTTPS reverse‑proxy ===
After the certificate exists, replace the file with:
 
<syntaxhighlight lang="nginx">
# ============================================
#  Reverse proxy (HTTPS)
#  <domain>
# ============================================
 
# --- HTTP (redirect + ACME) ---
server {
    listen 80;
    listen [::]:80;
    server_name <domain>;
 
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
 
    return 301 https://$host$request_uri;
}
 
# --- HTTPS ---
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
 
    server_name <domain>;
 
    ssl_certificate    /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
 
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
 
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
 
    location / {
        proxy_pass http://<backend-ip>:<backend-port>;


Enable uploads (optional):
        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;


<pre>
        proxy_buffering on;
$wgEnableUploads = true;
        proxy_buffers 16 16k;
</pre>
        proxy_buffer_size 16k;


Enable SyntaxHighlight:
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}
</syntaxhighlight>


<pre>
Reload nginx again:
wfLoadExtension( 'SyntaxHighlight_GeSHi' );
</pre>


== 10. Verification Checklist ==
<syntaxhighlight lang="bash">
* Site loads correctly
sudo nginx -t
* <code>/wiki/Main_Page</code> resolves
sudo systemctl reload nginx
* Editing works
</syntaxhighlight>
* File uploads work (if enabled)
* No rewrite errors in Apache logs
* nginx proxies correctly
* MariaDB connections succeed


== 11. Summary ==
=== 4. Verification checklist ===
This procedure provides a clean, repeatable installation workflow for MediaWiki
* <code>curl -I https://&lt;domain&gt;</code> returns <code>200</code> or <code>301</code> 
1.43 LTS using the preferred ownership model (<code>mngr:apache</code>) and the
* Browser loads the site over HTTPS 
existing 3‑VM architecture. It ensures clarity, maintainability, and
* Login works 
successor‑friendly operation.
* File uploads work 
* Optional: <code>certbot renew --dry-run</code>

Latest revision as of 15:50, 3 April 2026

Installation Procedure for newMW (MediaWiki 1.43 LTS)

This document describes the clean, reproducible installation workflow for deploying a new MediaWiki instance (newMW) on the existing 3‑VM infrastructure. The installation is intentionally split into two phases:

  • Phase 1: Local installation and testing on VM1 (no reverse‑proxy required)
  • Phase 2: Public exposure through VM3 (nginx reverse‑proxy)

This staged approach allows safe testing before the wiki becomes accessible from the internet.

1. Create the newwiki Database (VM2 – Database Layer)

All commands in this section are executed on VM2.

1.1 Connect to MariaDB

mysql -u root -p

1.2 Create the database

CREATE DATABASE newwiki
  CHARACTER SET utf8mb4
  COLLATE utf8mb4_unicode_ci;

1.3 Create the database user

Replace VM1-IP with the internal Hyper‑V IP of the web server. 

CREATE USER 'newwikiuser'@'VM1-IP' IDENTIFIED BY 'strongpassword';

1.4 Grant privileges

GRANT ALL PRIVILEGES ON newwiki.* TO 'newwikiuser'@'VM1-IP';
FLUSH PRIVILEGES;

1.5 Exit MariaDB

EXIT;

2. Prepare the Installation Directory (VM1 – Web Layer)

All commands below are executed on VM1.

2.1 Create the target directory

mkdir /var/www/newMW

2.2 Move into the working directory

cd /var/www

3. Download MediaWiki

Download the latest LTS tarball (example: 1.43.8): 

wget https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.tar.gz

4. Extract MediaWiki

Extract the archive. This creates a directory such as mediawiki-1.43.8/. 

tar -xvzf mediawiki-1.43.8.tar.gz

5. Move Extracted Files into newMW

Move normal files: 

mv mediawiki-1.43.8/* newMW/

Move hidden files (e.g. .htaccess): 

mv mediawiki-1.43.8/.* newMW/ 2>/dev/null

Remove the now‑empty extraction directory: 

rmdir mediawiki-1.43.8

Remove the tarball: 

rm mediawiki-1.43.8.tar.gz

6. Ownership and Permissions

Use the preferred ownership model to allow editing via VS Code while keeping Apache fully functional.

6.1 Set owner and group

chown -R mngr:apache /var/www/newMW

6.2 Ensure group write permissions

chmod -R g+w /var/www/newMW

6.3 Apply clean directory/file permissions

Directories: 

find /var/www/newMW -type d -exec chmod 775 {} \;

Files: 

find /var/www/newMW -type f -exec chmod 664 {} \;

6.4 Enable group inheritance (setgid)

Ensures new files created inside inherit the apache group. 

chmod g+s /var/www/newMW

7. Enable Apache to Listen on Port 8080 (VM1) & Virtual Host file

Apache does not automatically listen on new ports defined in VirtualHost blocks. The port must be explicitly enabled in the main configuration.

7.1 Edit the main Apache configuration

Open the file: 

/etc/httpd/conf/httpd.conf

Locate the existing Listen directive: 

Listen 80

Add the following line directly below it: 

Listen 8080

7.2 Validate the configuration

apachectl configtest

Expected output: 

Syntax OK

7.3 Restart Apache

systemctl restart httpd

7.4 Verify Apache is listening on port 8080

ss -tlnp | grep httpd

Expected result: 

0.0.0.0:80
0.0.0.0:8080

Apache is now ready to serve the temporary local-only vhost on port 8080.


7.5 Local‑Only Apache Virtual Host (VM1)

This vhost allows installation and testing without involving the reverse‑proxy. 

<VirtualHost *:8080>
    ServerName newmw.local
    DocumentRoot /var/www/newMW

    <Directory /var/www/newMW>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/newmw-local-error.log
    CustomLog /var/log/httpd/newmw-local-access.log combined
</VirtualHost>

Restart Apache: 

systemctl restart httpd

8. Run the Installer Locally

Access the installer using one of:

Complete the installation.

The installer will generate a LocalSettings.php with: 

$wgServer = "http://VM1-IP:8080";

Place the file in: 

/var/www/newMW/LocalSettings.php

9. Local Testing

Before exposing the wiki publicly, verify:

  • Page creation
  • Editing
  • File uploads (if enabled)
  • User accounts
  • Extensions
  • Permissions
  • Logging

This phase is isolated and safe.

10. Prepare for Public Access (VM3 – Reverse‑Proxy Layer)

Only after local testing is complete, add the nginx server block: 

server {
    listen 80;
    server_name newwiki.example.com;

    location / {
        proxy_pass http://VM1-IP:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Reload nginx: 

systemctl reload nginx

11. Update LocalSettings.php for Public Access

Change: 

$wgServer = "https://newwiki.example.com";

Optionally: 

$wgCanonicalServer = "https://newwiki.example.com";

12. Final Verification

  • Public URL loads correctly
  • /wiki/Main_Page resolves
  • Editing works
  • Uploads work
  • No rewrite errors in Apache logs
  • nginx proxies correctly
  • MariaDB connections succeed

13. Summary

This procedure installs MediaWiki in two safe phases:

  • Phase 1: Local installation and validation on VM1
  • Phase 2: Public exposure through VM3

This staged approach avoids dependency on the reverse‑proxy during installation and allows controlled, low‑risk rollout.


Addendum

Adding a New Domain + Certificate on VM3 (nginx + Certbot)

This procedure is used when onboarding a new subdomain to the reverse‑proxy layer on VM3. It avoids the nginx/Certbot “missing certificate” failure by always starting with a minimal HTTP‑only configuration, issuing the certificate, and then enabling HTTPS.

1. Create a minimal HTTP‑only reverse‑proxy config

Create /etc/nginx/conf.d/<domain>.conf with: 

# ============================================
#  Reverse proxy (HTTP only)
#  <domain>
# ============================================

server {
    listen 80;
    listen [::]:80;
    server_name <domain>;

    # ACME challenge (Certbot uses this)
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    # Temporary: no HTTPS redirect until certificate exists
    location / {
        proxy_pass http://<backend-ip>:<backend-port>;

        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}

Reload nginx: 

sudo nginx -t
sudo systemctl reload nginx

At this point the domain resolves over HTTP and Certbot can validate it.

2. Issue the certificate using the nginx plugin

Run: 

sudo certbot --nginx -d <domain>

Certbot will:

  • inject a temporary ACME location
  • validate the domain
  • obtain the certificate
  • install it
  • register it for automatic renewal

This step only works if nginx is running without SSL errors.

3. Replace the config with the full HTTPS reverse‑proxy

After the certificate exists, replace the file with: 

# ============================================
#  Reverse proxy (HTTPS)
#  <domain>
# ============================================

# --- HTTP (redirect + ACME) ---
server {
    listen 80;
    listen [::]:80;
    server_name <domain>;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    return 301 https://$host$request_uri;
}

# --- HTTPS ---
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name <domain>;

    ssl_certificate     /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    location / {
        proxy_pass http://<backend-ip>:<backend-port>;

        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_buffering on;
        proxy_buffers 16 16k;
        proxy_buffer_size 16k;

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

Reload nginx again: 

sudo nginx -t
sudo systemctl reload nginx

4. Verification checklist

  • curl -I https://<domain> returns 200 or 301
  • Browser loads the site over HTTPS
  • Login works
  • File uploads work
  • Optional: certbot renew --dry-run
Retrieved from "https://mwiki.costasano.club/index.php?title=ICT:MW_Installation_procedure_1.43_LTS&oldid=1614"