Jump to content

ICT:MW Installation procedure 1.43 LTS: Difference between revisions

From Costa Sano MediaWiki
← Older edit
Mngr (talk | contribs)
Bots, Bureaucrats, club, ict, Interface administrators, research, Suppressors, Administrators
1,554 edits
VisualWikitext
No edit summary
No edit summary
 
Line 293: Line 293:
This staged approach avoids dependency on the reverse‑proxy during installation
This staged approach avoids dependency on the reverse‑proxy during installation
and allows controlled, low‑risk rollout.
and allows controlled, low‑risk rollout.
= Addendum =
== Adding a New Domain + Certificate on VM3 (nginx + Certbot) ==
This procedure is used when onboarding a new subdomain to the reverse‑proxy layer on VM3. 
It avoids the nginx/Certbot “missing certificate” failure by always starting with a minimal HTTP‑only configuration, issuing the certificate, and then enabling HTTPS.
=== 1. Create a minimal HTTP‑only reverse‑proxy config ===
Create <code>/etc/nginx/conf.d/&lt;domain&gt;.conf</code> with:
<syntaxhighlight lang="nginx">
# ============================================
#  Reverse proxy (HTTP only)
#  <domain>
# ============================================
server {
    listen 80;
    listen [::]:80;
    server_name <domain>;
    # ACME challenge (Certbot uses this)
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
    # Temporary: no HTTPS redirect until certificate exists
    location / {
        proxy_pass http://<backend-ip>:<backend-port>;
        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}
</syntaxhighlight>
Reload nginx:
<syntaxhighlight lang="bash">
sudo nginx -t
sudo systemctl reload nginx
</syntaxhighlight>
At this point the domain resolves over HTTP and Certbot can validate it.
=== 2. Issue the certificate using the nginx plugin ===
Run:
<syntaxhighlight lang="bash">
sudo certbot --nginx -d <domain>
</syntaxhighlight>
Certbot will:
* inject a temporary ACME location 
* validate the domain 
* obtain the certificate 
* install it 
* register it for automatic renewal 
This step only works if nginx is running without SSL errors.
=== 3. Replace the config with the full HTTPS reverse‑proxy ===
After the certificate exists, replace the file with:
<syntaxhighlight lang="nginx">
# ============================================
#  Reverse proxy (HTTPS)
#  <domain>
# ============================================
# --- HTTP (redirect + ACME) ---
server {
    listen 80;
    listen [::]:80;
    server_name <domain>;
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
    return 301 https://$host$request_uri;
}
# --- HTTPS ---
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name <domain>;
    ssl_certificate    /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
    location / {
        proxy_pass http://<backend-ip>:<backend-port>;
        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering on;
        proxy_buffers 16 16k;
        proxy_buffer_size 16k;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}
</syntaxhighlight>
Reload nginx again:
<syntaxhighlight lang="bash">
sudo nginx -t
sudo systemctl reload nginx
</syntaxhighlight>
=== 4. Verification checklist ===
* <code>curl -I https://&lt;domain&gt;</code> returns <code>200</code> or <code>301</code> 
* Browser loads the site over HTTPS 
* Login works 
* File uploads work 
* Optional: <code>certbot renew --dry-run</code>

Latest revision as of 15:50, 3 April 2026

Installation Procedure for newMW (MediaWiki 1.43 LTS)

This document describes the clean, reproducible installation workflow for deploying a new MediaWiki instance (newMW) on the existing 3‑VM infrastructure. The installation is intentionally split into two phases:

  • Phase 1: Local installation and testing on VM1 (no reverse‑proxy required)
  • Phase 2: Public exposure through VM3 (nginx reverse‑proxy)

This staged approach allows safe testing before the wiki becomes accessible from the internet.

1. Create the newwiki Database (VM2 – Database Layer)

All commands in this section are executed on VM2.

1.1 Connect to MariaDB

mysql -u root -p

1.2 Create the database

CREATE DATABASE newwiki
  CHARACTER SET utf8mb4
  COLLATE utf8mb4_unicode_ci;

1.3 Create the database user

Replace VM1-IP with the internal Hyper‑V IP of the web server. 

CREATE USER 'newwikiuser'@'VM1-IP' IDENTIFIED BY 'strongpassword';

1.4 Grant privileges

GRANT ALL PRIVILEGES ON newwiki.* TO 'newwikiuser'@'VM1-IP';
FLUSH PRIVILEGES;

1.5 Exit MariaDB

EXIT;

2. Prepare the Installation Directory (VM1 – Web Layer)

All commands below are executed on VM1.

2.1 Create the target directory

mkdir /var/www/newMW

2.2 Move into the working directory

cd /var/www

3. Download MediaWiki

Download the latest LTS tarball (example: 1.43.8): 

wget https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.tar.gz

4. Extract MediaWiki

Extract the archive. This creates a directory such as mediawiki-1.43.8/. 

tar -xvzf mediawiki-1.43.8.tar.gz

5. Move Extracted Files into newMW

Move normal files: 

mv mediawiki-1.43.8/* newMW/

Move hidden files (e.g. .htaccess): 

mv mediawiki-1.43.8/.* newMW/ 2>/dev/null

Remove the now‑empty extraction directory: 

rmdir mediawiki-1.43.8

Remove the tarball: 

rm mediawiki-1.43.8.tar.gz

6. Ownership and Permissions

Use the preferred ownership model to allow editing via VS Code while keeping Apache fully functional.

6.1 Set owner and group

chown -R mngr:apache /var/www/newMW

6.2 Ensure group write permissions

chmod -R g+w /var/www/newMW

6.3 Apply clean directory/file permissions

Directories: 

find /var/www/newMW -type d -exec chmod 775 {} \;

Files: 

find /var/www/newMW -type f -exec chmod 664 {} \;

6.4 Enable group inheritance (setgid)

Ensures new files created inside inherit the apache group. 

chmod g+s /var/www/newMW

7. Enable Apache to Listen on Port 8080 (VM1) & Virtual Host file

Apache does not automatically listen on new ports defined in VirtualHost blocks. The port must be explicitly enabled in the main configuration.

7.1 Edit the main Apache configuration

Open the file: 

/etc/httpd/conf/httpd.conf

Locate the existing Listen directive: 

Listen 80

Add the following line directly below it: 

Listen 8080

7.2 Validate the configuration

apachectl configtest

Expected output: 

Syntax OK

7.3 Restart Apache

systemctl restart httpd

7.4 Verify Apache is listening on port 8080

ss -tlnp | grep httpd

Expected result: 

0.0.0.0:80
0.0.0.0:8080

Apache is now ready to serve the temporary local-only vhost on port 8080.


7.5 Local‑Only Apache Virtual Host (VM1)

This vhost allows installation and testing without involving the reverse‑proxy. 

<VirtualHost *:8080>
    ServerName newmw.local
    DocumentRoot /var/www/newMW

    <Directory /var/www/newMW>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/newmw-local-error.log
    CustomLog /var/log/httpd/newmw-local-access.log combined
</VirtualHost>

Restart Apache: 

systemctl restart httpd

8. Run the Installer Locally

Access the installer using one of:

Complete the installation.

The installer will generate a LocalSettings.php with: 

$wgServer = "http://VM1-IP:8080";

Place the file in: 

/var/www/newMW/LocalSettings.php

9. Local Testing

Before exposing the wiki publicly, verify:

  • Page creation
  • Editing
  • File uploads (if enabled)
  • User accounts
  • Extensions
  • Permissions
  • Logging

This phase is isolated and safe.

10. Prepare for Public Access (VM3 – Reverse‑Proxy Layer)

Only after local testing is complete, add the nginx server block: 

server {
    listen 80;
    server_name newwiki.example.com;

    location / {
        proxy_pass http://VM1-IP:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Reload nginx: 

systemctl reload nginx

11. Update LocalSettings.php for Public Access

Change: 

$wgServer = "https://newwiki.example.com";

Optionally: 

$wgCanonicalServer = "https://newwiki.example.com";

12. Final Verification

  • Public URL loads correctly
  • /wiki/Main_Page resolves
  • Editing works
  • Uploads work
  • No rewrite errors in Apache logs
  • nginx proxies correctly
  • MariaDB connections succeed

13. Summary

This procedure installs MediaWiki in two safe phases:

  • Phase 1: Local installation and validation on VM1
  • Phase 2: Public exposure through VM3

This staged approach avoids dependency on the reverse‑proxy during installation and allows controlled, low‑risk rollout.


Addendum

Adding a New Domain + Certificate on VM3 (nginx + Certbot)

This procedure is used when onboarding a new subdomain to the reverse‑proxy layer on VM3. It avoids the nginx/Certbot “missing certificate” failure by always starting with a minimal HTTP‑only configuration, issuing the certificate, and then enabling HTTPS.

1. Create a minimal HTTP‑only reverse‑proxy config

Create /etc/nginx/conf.d/<domain>.conf with: 

# ============================================
#  Reverse proxy (HTTP only)
#  <domain>
# ============================================

server {
    listen 80;
    listen [::]:80;
    server_name <domain>;

    # ACME challenge (Certbot uses this)
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    # Temporary: no HTTPS redirect until certificate exists
    location / {
        proxy_pass http://<backend-ip>:<backend-port>;

        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}

Reload nginx: 

sudo nginx -t
sudo systemctl reload nginx

At this point the domain resolves over HTTP and Certbot can validate it.

2. Issue the certificate using the nginx plugin

Run: 

sudo certbot --nginx -d <domain>

Certbot will:

  • inject a temporary ACME location
  • validate the domain
  • obtain the certificate
  • install it
  • register it for automatic renewal

This step only works if nginx is running without SSL errors.

3. Replace the config with the full HTTPS reverse‑proxy

After the certificate exists, replace the file with: 

# ============================================
#  Reverse proxy (HTTPS)
#  <domain>
# ============================================

# --- HTTP (redirect + ACME) ---
server {
    listen 80;
    listen [::]:80;
    server_name <domain>;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    return 301 https://$host$request_uri;
}

# --- HTTPS ---
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name <domain>;

    ssl_certificate     /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    location / {
        proxy_pass http://<backend-ip>:<backend-port>;

        proxy_set_header Host <domain>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_buffering on;
        proxy_buffers 16 16k;
        proxy_buffer_size 16k;

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

Reload nginx again: 

sudo nginx -t
sudo systemctl reload nginx

4. Verification checklist

  • curl -I https://<domain> returns 200 or 301
  • Browser loads the site over HTTPS
  • Login works
  • File uploads work
  • Optional: certbot renew --dry-run
Retrieved from "https://mwiki.costasano.club/index.php?title=ICT:MW_Installation_procedure_1.43_LTS&oldid=1614"