This document describes the clean, reproducible workflow for deploying a new MediaWiki instance on the existing 3‑VM infrastructure.

The installation is intentionally split into two phases:

• Phase 1: Local installation and testing on VM1 (Apache on port 8080)
• Phase 2: Public exposure through VM3 (nginx reverse‑proxy + HTTPS)

This staged approach ensures safe testing before the wiki becomes accessible from the internet.

• VM1 (Web Layer): 192.168.33.231
• VM2 (Database Layer): 192.168.33.232
• VM3 (Reverse‑Proxy Layer): 192.168.33.233
• DB user host address (VM1 → VM2): 10.10.10.1

All commands in this section run on VM2 (192.168.33.232).

mysql -u root -p

CREATE DATABASE newwiki
  CHARACTER SET utf8mb4
  COLLATE utf8mb4_unicode_ci;

VM1 connects to MariaDB using its internal DB‑facing address: 10.10.10.1.

CREATE USER 'newwikiuser'@'10.10.10.1' IDENTIFIED BY 'strongpassword';

GRANT ALL PRIVILEGES ON newwiki.* TO 'newwikiuser'@'10.10.10.1';
FLUSH PRIVILEGES;

EXIT;

All commands below run on VM1 (192.168.33.231).

mkdir /var/www/newMW

cd /var/www

Example: MediaWiki 1.43.8 LTS.

wget https://releases.wikimedia.org/mediawiki/1.43/mediawiki-1.43.8.tar.gz

tar -xvzf mediawiki-1.43.8.tar.gz

mv mediawiki-1.43.8/* newMW/
mv mediawiki-1.43.8/.* newMW/ 2>/dev/null
rmdir mediawiki-1.43.8
rm mediawiki-1.43.8.tar.gz

Allows editing via VS Code while keeping Apache functional.

chown -R mngr:apache /var/www/newMW

chmod -R g+w /var/www/newMW

find /var/www/newMW -type d -exec chmod 775 {} \;
find /var/www/newMW -type f -exec chmod 664 {} \;

chmod g+s /var/www/newMW

Edit:

/etc/httpd/conf/httpd.conf

Add:

Listen 8080

apachectl configtest
systemctl restart httpd

ss -tlnp | grep httpd

Expected:

0.0.0.0:80
0.0.0.0:8080

Allow port 8080:

firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --reload

<VirtualHost *:8080>
    ServerName newmw.local
    DocumentRoot /var/www/newMW

    <Directory /var/www/newMW>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/newmw-local-error.log
    CustomLog /var/log/httpd/newmw-local-access.log combined
</VirtualHost>

Restart Apache:

systemctl restart httpd

Access:

• http://192.168.33.231:8080
• http://newmw.local:8080 (if added to /etc/hosts)

The internal network between VM1 and VM2 uses dedicated addresses:

• VM1 (Web Layer): 10.10.10.1
• VM2 (Database Layer): 10.10.10.2

When MediaWiki (running on VM1) connects to MariaDB on VM2, the connection originates from VM1’s internal NIC. Therefore:

• VM1 connects **to** MariaDB at:

 10.10.10.2

• VM2 sees VM1 **coming from**:

 10.10.10.1

Because MariaDB authorizes users based on the client’s source address, database users must be created as:

'wikiuser'@'10.10.10.1'

This is why all MediaWiki instances on VM1 use the same host restriction. It ensures that only VM1 can authenticate to MariaDB over the internal network.

Installer will generate:

$wgServer = "http://192.168.33.231:8080";

Place LocalSettings.php in:

/var/www/newMW/LocalSettings.php

Verify:

• Page creation
• Editing
• File uploads
• User accounts
• Extensions
• Permissions
• Logging

Only proceed when everything works locally.

File: /etc/nginx/conf.d/kb.costasano.club.conf

# ============================================
#  Reverse proxy (HTTP only)
#  kb.costasano.club
# ============================================

server {
    listen 80;
    listen [::]:80;
    server_name kb.costasano.club;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    location / {
        proxy_pass http://192.168.33.231:8080;

        proxy_set_header Host kb.costasano.club;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}

Reload nginx:

sudo nginx -t
sudo systemctl reload nginx

Use the nginx plugin:

sudo certbot --nginx -d kb.costasano.club

Certbot will:

• inject temporary ACME config
• validate the domain
• obtain the certificate
• install it
• register it for renewal

# ============================================
#  Reverse proxy (HTTPS)
#  kb.costasano.club
# ============================================

# --- HTTP (redirect + ACME) ---
server {
    listen 80;
    listen [::]:80;
    server_name kb.costasano.club;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    return 301 https://$host$request_uri;
}

# --- HTTPS ---
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name kb.costasano.club;

    ssl_certificate     /etc/letsencrypt/live/kb.costasano.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kb.costasano.club/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }

    location / {
        proxy_pass http://192.168.33.231:8080;

        proxy_set_header Host kb.costasano.club;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_buffering on;
        proxy_buffers 16 16k;
        proxy_buffer_size 16k;

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

Reload nginx:

sudo nginx -t
sudo systemctl reload nginx

Change:

$wgServer = "https://kb.costasano.club";

Optional:

$wgCanonicalServer = "https://kb.costasano.club";

• curl -I https://kb.costasano.club returns 200 or 301
• Browser loads the wiki
• Editing works
• Uploads work
• No rewrite errors
• nginx proxies correctly
• MariaDB connections succeed

This procedure installs MediaWiki in two safe phases:

• Phase 1: Local installation and validation on VM1
• Phase 2: Public exposure through VM3 with HTTPS

This ensures a clean, reproducible, low‑risk deployment workflow.