Install MediaWiki 1.35 on FreeBSD 12.2

From ChevyneWiki
Latest revision as of 15:34, 5 March 2021 (Friday)

  • Date: 2020-12-30
  • Installing MediaWiki 1.35 on FreeBSD 12.2
    • FreeBSD 12.2
    • Nginx 1.18.0
    • PHP 7.4.13
    • MediaWiki 1.35.0
    • SQLite 3.33.0

Install packages

pkg install -y nginx mediawiki135-php74 git php74-pdo_sqlite php74-pecl-APCu php74-pecl-imagick php74-gd php74-openssl
sysrc nginx_enable="YES"
sysrc php_fpm_enable="YES"

Configure PHP

Configure PHP-FPM to listen on a Unix domain socket instead of TCP/IP: access to the socket is then governed by its file permissions rather than by whatever can reach a local port. On FreeBSD nginx also runs as the www user, so owner www:www with mode 0660 lets nginx connect and nothing else.

Edit /usr/local/etc/php-fpm.d/www.conf and change the listen directives:

listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660

Start PHP-FPM

service php-fpm start

Hostname and certificate

Hostname - chevyne.at.tw

TLS certificate - Let's Encrypt, obtained with its recommended ACME client, Certbot

DH parameters

The cipher list used below includes DHE-RSA suites, which nginx only enables when ssl_dhparam is set (otherwise it silently drops them). The parameter size is the last argument to openssl dhparam, and generating 4096-bit parameters takes several minutes:

mkdir -p /usr/local/etc/nginx/cert
openssl dhparam -out /usr/local/etc/nginx/cert/dhparam.pem 4096

Test nginx & TLS

Edit /usr/local/etc/nginx/nginx.conf with the following test configuration:

worker_processes auto;

events {
	worker_connections 1024;
}

http {
	# Port 80 only redirects to HTTPS; nothing is served in the clear.
	server {
		listen 80;
		listen [::]:80;
		server_name chevyne.at.tw;

		return 301 https://$server_name$request_uri;
	}
	server {
		listen 443 ssl http2;
		listen [::]:443 ssl http2;
		server_name chevyne.at.tw;

		# HSTS for two years; 'always' sends the header on 4xx/5xx responses too.
		add_header Strict-Transport-Security "max-age=63072000" always;

		ssl_certificate /usr/local/etc/letsencrypt/live/chevyne.at.tw/fullchain.pem;
		ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
		# Required for the DHE-* suites in the cipher list below.
		ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;

		ssl_session_cache shared:le_nginx_SSL:10m;
		ssl_session_timeout 1440m;
		# nginx keeps one ticket key until reload; tickets off preserves forward secrecy.
		ssl_session_tickets off;

		ssl_protocols TLSv1.2 TLSv1.3;
		# Every suite below is an AEAD suite with (EC)DHE, so the client's preference is acceptable.
		ssl_prefer_server_ciphers off;

		ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

		# Staple the OCSP response, and verify it before stapling.
		ssl_stapling on;
		ssl_stapling_verify on;

		location / {
			root /usr/local/www/nginx;
			index index.html index.htm;
		}
	}
}

Start nginx:

service nginx start

Check that everything works: nginx -t validates the configuration before a restart, and a browser should land on https:// with a valid Let's Encrypt chain. Two caveats. Browsers cache the Strict-Transport-Security header for its full max-age, so do not point a browser at this host until the certificate is known to be correct; a bad certificate on an HSTS host can no longer be clicked through. And if the error log reports OCSP verification failures, add ssl_trusted_certificate pointing at a file with the issuing chain so that ssl_stapling_verify has something to verify against.
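Checking a server block by eye is error-prone, so here is a small audit script, added for this page and not part of the original, that greps an nginx configuration for the weak TLS settings older nginx guides commonly carry: protocols below TLS 1.2, the obsolete ssl on; directive, a 443 listener without the ssl parameter, stapling without verification, an HSTS header without always, session tickets left on, and DHE-* suites listed without ssl_dhparam. The function name audit_nginx_tls is this example's own; it checks policy only, so run nginx -t for syntax.

```shell
#!/bin/sh
# audit_nginx_tls.sh - static policy check of an nginx config for the TLS settings
# used on this page. Added example, not part of the original page; it only reads
# the file given as $1, prints one line per finding and exits with the count.
# Run `nginx -t` separately: this checks policy, not syntax.
#
#   sh audit_nginx_tls.sh /usr/local/etc/nginx/nginx.conf

audit_nginx_tls() {
    conf="$1"
    findings=0
    # Drop comments first so that commented-out directives are not flagged.
    body=$(sed 's/#.*$//' "$conf")

    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # 1. Protocols below TLS 1.2 (the "TLSv1" alternative must not match TLSv1.2/1.3).
    if has 'ssl_protocols[^;]*(SSLv3|TLSv1|TLSv1\.1)[[:space:];]'; then
        flag "ssl_protocols allows SSLv3/TLSv1/TLSv1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
    fi
    # 2. 'ssl on;' was deprecated in nginx 1.15.0 and removed in 1.25.1.
    if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        flag "'ssl on;' is obsolete; put 'ssl' on the listen line instead"
    fi
    # 3. A 443 listener without 'ssl' serves plaintext HTTP on the TLS port.
    if has 'listen[[:space:]]+(\[::\]:)?443[[:space:]]*;'; then
        flag "'listen ... 443;' lacks the ssl parameter"
    fi
    # 4. Stapling without verification forwards OCSP responses nginx never validated.
    if has 'ssl_stapling[[:space:]]+on' && ! has 'ssl_stapling_verify[[:space:]]+on'; then
        flag "ssl_stapling on without ssl_stapling_verify on"
    fi
    # 5. Without 'always', add_header is skipped on 4xx/5xx, so HSTS is not sent on errors.
    if has 'Strict-Transport-Security' && ! has 'Strict-Transport-Security[^;]*always[[:space:]]*;'; then
        flag "Strict-Transport-Security header lacks the 'always' parameter"
    fi
    # 6. nginx keeps one ticket key until reload; tickets left on weaken forward secrecy.
    if ! has 'ssl_session_tickets[[:space:]]+off'; then
        flag "ssl_session_tickets is not set to off"
    fi
    # 7. DHE-* (not ECDHE-*) suites are silently disabled when ssl_dhparam is missing.
    if has 'ssl_ciphers[^;]*[^C]DHE-' && ! has 'ssl_dhparam'; then
        flag "cipher list contains DHE-* suites but ssl_dhparam is not set"
    fi

    echo "$findings finding(s) in $conf"
    return "$findings"
}

if [ $# -gt 0 ]; then
    audit_nginx_tls "$1"
    exit $?
fi
```

Run against the configuration above it reports no findings; a server block with listen 443;, ssl on;, ssl_protocols TLSv1 TLSv1.1 TLSv1.2;, an HSTS header without always and no ssl_session_tickets off gets five, each naming the directive to change.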

Enable the wiki

Once that works, create the symlink:

mkdir /usr/local/www/wiki
ln -s /usr/local/www/mediawiki /usr/local/www/wiki/w

Add the following inside the 443 server block of nginx.conf:

location /w {
	root /usr/local/www/wiki;
	index index.php;
	location ~ \.php$ {
		# Only hand real files to PHP: a request such as /w/images/x.png/foo.php
		# gets a 404 here instead of being executed through PATH_INFO.
		try_files $uri =404;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass unix:/var/run/php-fpm.sock;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME $request_filename;
		include fastcgi_params;
	}
}

Create the SQLite data directory

The installer runs as php-fpm's user (www), so that is the only account that needs write access; keep the directory outside the document root (/usr/local/www/wiki) so nginx never serves the database file:

cd /usr/local/www
mkdir data
chown www:www data
chmod 750 data

Now browse to https://chevyne.at.tw/w and complete the installer.

The installer generates a LocalSettings.php file for download.

Copy it to the server. It contains $wgSecretKey and $wgUpgradeKey, so once copied it should be readable by the www group only (mode 640) and owned by the admin account rather than by www, so that PHP cannot rewrite its own configuration:

 scp LocalSettings.php chevyne.at.tw:/usr/local/www/mediawiki
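Two places in the steps above decide who can read or write the wiki's state: the SQLite data directory, which php-fpm must be able to write, and LocalSettings.php, which holds the secret keys. The script below, added for this page and not the page's or MediaWiki's own code, applies least privilege to both and then verifies it, also scanning the served tree for world-writable entries a local user could use to plant PHP. It assumes the layout used on this page (/usr/local/www with wiki/ as document root, mediawiki/ served as /w and data/ for SQLite) and php-fpm running as www:www; the function names apply_wiki_perms, verify_wiki_perms and other_has are this example's own. Permissions are read from ls -ld so the checks behave the same on FreeBSD and Linux.

```shell
#!/bin/sh
# wiki_perms.sh - least-privilege permissions for the layout used on this page.
# Added example, not part of the original page or of MediaWiki.
# Assumptions: BASE contains wiki/ (nginx document root), mediawiki/ (served as /w)
# and data/ (SQLite); php-fpm runs as USER:GROUP, which is www:www on FreeBSD.
#
#   sh wiki_perms.sh /usr/local/www www www    # apply, then verify

# other_has BIT PATH: true if "others" have r, w or x on PATH.
# Reads the mode string from ls -ld, which has the same layout on FreeBSD and Linux.
other_has() {
    bit="$1"; path="$2"
    mode=$(ls -ld "$path" | cut -c8-10)      # the "other" triplet, e.g. "r-x"
    case "$bit" in
        r) [ "$(printf '%s' "$mode" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$mode" | cut -c2)" = w ] ;;
        x) [ "$(printf '%s' "$mode" | cut -c3)" = x ] ;;
        *) return 2 ;;
    esac
}

# apply_wiki_perms BASE USER GROUP
apply_wiki_perms() {
    base="$1"; user="$2"; group="$3"
    # SQLite lives outside the document root; only php-fpm needs to write here.
    mkdir -p "$base/data"
    chown "$user:$group" "$base/data"
    chmod 750 "$base/data"
    # LocalSettings.php carries the secret keys: group-readable for php-fpm,
    # invisible to other users. Ownership stays with the admin account that
    # copied it, so the php-fpm user cannot rewrite the wiki's configuration.
    if [ -f "$base/mediawiki/LocalSettings.php" ]; then
        chgrp "$group" "$base/mediawiki/LocalSettings.php"
        chmod 640 "$base/mediawiki/LocalSettings.php"
    fi
}

# verify_wiki_perms BASE: prints one line per problem, returns the count (0 = clean).
verify_wiki_perms() {
    base="$1"; problems=0
    if other_has w "$base/data"; then
        echo "PROBLEM: $base/data is world-writable"
        problems=$((problems + 1))
    fi
    if [ -f "$base/mediawiki/LocalSettings.php" ] && other_has r "$base/mediawiki/LocalSettings.php"; then
        echo "PROBLEM: LocalSettings.php is world-readable"
        problems=$((problems + 1))
    fi
    # Anything world-writable under the served tree lets a local user drop a .php
    # file that nginx hands to php-fpm. Symlinks are skipped (their mode bits are meaningless).
    ww=$(find "$base/mediawiki" ! -type l -perm -o+w 2>/dev/null | head -n 5)
    if [ -n "$ww" ]; then
        echo "PROBLEM: world-writable entries under $base/mediawiki:"
        echo "$ww"
        problems=$((problems + 1))
    fi
    echo "$problems problem(s) under $base"
    return "$problems"
}

if [ $# -ge 3 ]; then
    apply_wiki_perms "$1" "$2" "$3"
    verify_wiki_perms "$1"
    exit $?
fi
```

Run it once after copying LocalSettings.php and again after any upgrade; a non-zero exit means something under /usr/local/www is readable or writable by accounts that have no business touching the wiki.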

Enable short URLs

To enable short URLs, use the following nginx.conf:

worker_processes auto;

events {
	worker_connections 1024;
}

http {
	include mime.types;
	default_type application/octet-stream;

	sendfile on;
	keepalive_timeout 65;

	server {
		listen 80;
		listen [::]:80;
		server_name chevyne.at.tw;

		return 301 https://$server_name$request_uri;
	}

	server {
		listen 443 ssl;
		listen [::]:443 ssl;
		server_name chevyne.at.tw;

		add_header Strict-Transport-Security "max-age=63072000" always;

		ssl_certificate /usr/local/etc/letsencrypt/live/chevyne.at.tw/fullchain.pem;
		ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
		ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;

		ssl_session_cache shared:le_nginx_SSL:10m;
		ssl_session_timeout 1440m;
		ssl_session_tickets off;

		ssl_protocols TLSv1.2 TLSv1.3;
		ssl_prefer_server_ciphers off;

		ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

		ssl_stapling on;
		ssl_stapling_verify on;

		root /usr/local/www/wiki;
		index index.php;

		location / {
			rewrite ^/$ https://chevyne.at.tw/wiki permanent;
		}

		# Script path: only .php files that really exist are handed to PHP.
		location /w {
			location ~ \.php$ {
				try_files $uri =404;
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				fastcgi_pass unix:/var/run/php-fpm.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $request_filename;
				include fastcgi_params;
			}
		}

		# Uploads are static. This longer prefix wins over /w, and the .php handler
		# above is nested inside /w, so a .php file under images/ is served as a file, never run.
		location /w/images {
			location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
				try_files $uri $uri/ @thumb;
			}
		}
		location /w/images/deleted {
			# Deny access to deleted images folder
			deny all;
		}

		location /w/cache       { deny all; }
		location /w/languages   { deny all; }
		location /w/maintenance { deny all; }
		location /w/serialized  { deny all; }
		# The dot must be escaped; an unescaped "." matches any character.
		location ~ /\.(svn|git)(/|$) { deny all; }
		location ~ /\.ht { deny all; }

		# Article path: every /wiki/... request goes to index.php, which reads REQUEST_URI.
		location /wiki {
			include fastcgi_params;
			fastcgi_param SCRIPT_FILENAME $document_root/w/index.php;
			fastcgi_pass unix:/var/run/php-fpm.sock;
		}

		location @thumb {
			rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
			rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
			include fastcgi_params;
			fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php;
			fastcgi_pass unix:/var/run/php-fpm.sock;
		}

		error_page 500 502 503 504 /50x.html;
		location = /50x.html {
			root /usr/local/www/nginx-dist;
		}
	}
}

Then edit LocalSettings.php to enable short URLs ($wgScriptExtension, which older guides also set, was removed in MediaWiki 1.31 and has no effect in 1.35):

$wgScriptPath = "/w";
// $wgScriptExtension was removed in MediaWiki 1.31; scripts are always .php
$wgArticlePath = "/wiki/$1";
$wgUsePathInfo = true;

Done.
