Difference between revisions of "Install MediaWiki 1.35 on FreeBSD 12.2"

From ChevyneWiki
 
行 53: 行 53:
 
ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
 
ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
 
ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;
 
ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;
  +
 
ssl_session_cache shared:le_nginx_SSL:10m;
 
ssl_session_timeout 1440m;
 
ssl_session_tickets off;
 
 
 
ssl_protocols TLSv1.2 TLSv1.3;
 
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 
 
ssl_prefer_server_ciphers off;
 
ssl_prefer_server_ciphers off;
 
 
 
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_session_cache shared:SSL:10m;
 
ssl_session_timeout 1h;
 
ssl_session_tickets off;
 
 
 
 
ssl_stapling on;
 
ssl_stapling on;
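Review bot: the session lifetime goes from `ssl_session_timeout 1h;` to `ssl_session_timeout 1440m;` with no explanation in the page text. 1440 minutes is 24 hours, so `ssl_session_timeout 1d;` would state the intent more clearly, and the tutorial should say why a day-long lifetime is wanted, since cached session state stays resumable in the shared cache for that whole period.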
行 134: 行 135:
 
ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
 
ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
 
ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;
 
ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;
  +
 
ssl_session_cache shared:le_nginx_SSL:10m;
 
ssl_session_timeout 1440m;
 
ssl_session_tickets off;
 
 
 
ssl_protocols TLSv1.2 TLSv1.3;
 
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 
 
ssl_prefer_server_ciphers off;
 
ssl_prefer_server_ciphers off;
 
 
 
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_session_cache shared:SSL:10m;
 
ssl_session_timeout 1h;
 
ssl_session_tickets off;
 
 
 
 
ssl_stapling on;
 
ssl_stapling on;
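Review bot: the TLS directives changed here (line 134/135) are a second copy of the block changed at line 53, which is how the two listings can drift apart. Move the shared `ssl_*` lines into one file and pull it into both configurations with `include`, so a later change to the cipher list or session settings cannot be applied to one listing and missed in the other.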

Latest revision as of 15:34, 5 March 2021 (Fri)

  • Date: 2020-12-30
  • Installing MediaWiki 1.35 on FreeBSD 12.2
    • FreeBSD 12.2
    • Nginx 1.18.0
    • PHP 7.4.13
    • MediaWiki 1.35.0
    • SQLite 3.33.0

Install packages

pkg install -y nginx mediawiki135-php74 git php74-pdo_sqlite php74-pecl-APCu php74-pecl-imagick php74-gd php74-openssl
sysrc nginx_enable="YES"
sysrc php_fpm_enable="YES"

Configure PHP

Configure PHP-FPM to listen on a Unix domain socket instead of TCP/IP.

Edit /usr/local/etc/php-fpm.d/www.conf and change the listen directives:

listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660

Start PHP

service php-fpm start

Domain and certificate

Domain - chevyne.at.tw

TLS certificate - Certbot, the ACME client recommended by Let's Encrypt

DH param

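# Options must come before the bit count, otherwise -out is not honoured
mkdir -p /usr/local/etc/nginx/cert
openssl dhparam -out /usr/local/etc/nginx/cert/dhparam.pem 4096

Test nginx & TLS

Edit /usr/local/etc/nginx/nginx.conf and use the following test configuration: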

worker_processes auto;

events {
	worker_connections  1024;
}

http {
	server {
		listen 80;
		listen [::]:80;
		server_name chevyne.at.tw;

		return 301 https://$server_name$request_uri;
	}
	server {
		listen 443 ssl http2;
		listen [::]:443 ssl http2;
		server_name chevyne.at.tw;

		add_header Strict-Transport-Security "max-age=63072000" always;

		ssl_certificate /usr/local/etc/letsencrypt/live/chevyne.at.tw/fullchain.pem;
		ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
		ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;

		ssl_session_cache shared:le_nginx_SSL:10m;
		ssl_session_timeout 1440m;
		ssl_session_tickets off;

		ssl_protocols TLSv1.2 TLSv1.3;
		ssl_prefer_server_ciphers off;

		ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

		ssl_stapling        on;
		ssl_stapling_verify on;

		location / {
			root /usr/local/www/nginx;
			index index.html index.htm;
		}
	}
}

Start nginx:

service nginx start

Make sure everything works.
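One way to check the TLS part of a configuration before relying on it, as an added example that is not part of the original page: the hypothetical `tls_findings` function reads nginx config text and reports where it departs from the settings used in the server block above. Both sample inputs are constructed.

```shell
#!/bin/sh
# tls_findings: read nginx config text on stdin and print one finding per line
# where it falls short of the TLS settings used in this tutorial.
tls_findings() {
    awk '
    { sub(/#.*/, "") }                        # ignore comments
    $1 == "ssl_protocols" {
        proto_set = 1
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p != "" && p != "TLSv1.2" && p != "TLSv1.3")
                print "legacy protocol enabled: " p
        }
    }
    $1 == "ssl_session_tickets" && $2 ~ /^off;?$/           { tickets_off = 1 }
    $1 == "ssl_dhparam"                                     { dhparam = 1 }
    $1 == "ssl_ciphers" && $0 ~ /[ ":]DHE-/                 { dhe = 1 }
    $1 == "add_header" && $2 == "Strict-Transport-Security" { hsts = 1 }
    END {
        # nginx 1.18 enables TLSv1 and TLSv1.1 when ssl_protocols is absent
        if (!proto_set)      print "ssl_protocols not set"
        if (!tickets_off)    print "session tickets not disabled"
        if (dhe && !dhparam) print "DHE ciphers listed without ssl_dhparam"
        if (!hsts)           print "no Strict-Transport-Security header"
    }'
}

# Constructed sample 1: the TLS directives from the server block above.
PAGE_CONF='add_header Strict-Transport-Security "max-age=63072000" always;
ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";'

# Constructed sample 2: a weakened variant for comparison.
WEAK_CONF='ssl_protocols TLSv1 TLSv1.2;   # TLSv1 left on
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";'

echo "page config:";     printf '%s\n' "$PAGE_CONF" | tls_findings
echo "weakened config:"; printf '%s\n' "$WEAK_CONF" | tls_findings
```

Without `ssl_dhparam`, nginx does not offer the DHE suites at all, so that finding marks a cipher list that does not do what it says rather than a weak key exchange.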

Enable the wiki

Once everything works, create the symlink:

mkdir /usr/local/www/wiki
ln -s /usr/local/www/mediawiki /usr/local/www/wiki/w

Add the following to nginx.conf:

location /w {
	root /usr/local/www/wiki;
	index index.php;
	location ~ \.php$ {
		try_files $uri =404;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass unix:/var/run/php-fpm.sock;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME $request_filename;
		include fastcgi_params;
	}
}

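Create the SQLite data directory

cd /usr/local/www
mkdir data
# Owned by the php-fpm user (www, the FreeBSD package default) rather than world-writable
chown www:www data
chmod 750 data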
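Because this directory holds the entire wiki database, its mode and its location relative to the nginx root are worth checking after setup. The following is an added example, not part of the original page: the hypothetical `audit_data_dir` function flags a data directory that other local accounts can write to or read, or that sits under the web root. The directory layout it runs on is constructed in a temporary directory.

```shell
#!/bin/sh
# audit_data_dir DIR WEBROOT: print one finding per line for the SQLite data
# directory; print nothing when mode and location both look sane.
audit_data_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 0; }
    root=$(cd "$2" 2>/dev/null && pwd -P) || root=$2
    # -perm -0002: the "other" write bit is set, which is what chmod a+w does.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "world-writable: any local account can alter or replace the database"
    fi
    # -perm -0004: the "other" read bit is set.
    if [ -n "$(find "$dir" -prune -perm -0004)" ]; then
        echo "world-readable: any local account can list the database files"
    fi
    # A data directory under the nginx root can be fetched over HTTP.
    case "$dir/" in
        "$root"/*) echo "inside web root: nginx can serve the database files" ;;
    esac
}

# Constructed layout mirroring /usr/local/www/{wiki,data} in a temp directory.
demo=$(mktemp -d)
mkdir -p "$demo/www/wiki" "$demo/www/data"
chmod 777 "$demo/www/data"
echo "mode 777:"; audit_data_dir "$demo/www/data" "$demo/www/wiki"
chmod 750 "$demo/www/data"
echo "mode 750:"; audit_data_dir "$demo/www/data" "$demo/www/wiki"
rm -rf "$demo"
```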

Now browse to https://chevyne.at.tw/w and complete the installer.

The installer will generate a LocalSettings.php file.

Copy it to the server:

 scp LocalSettings.php chevyne.at.tw:/usr/local/www/mediawiki

Enable short URLs

To enable short URLs, use the following nginx.conf configuration:

worker_processes auto;

events {
	worker_connections 1024;
}

http {
	include mime.types;
	default_type application/octet-stream;

	sendfile on;
	keepalive_timeout 65;

	server {
		listen 80;
		listen [::]:80;
		server_name chevyne.at.tw;

		return 301 https://$server_name$request_uri;
	}

	server {
		listen 443 ssl;
		listen [::]:443 ssl;
		server_name chevyne.at.tw;

		add_header Strict-Transport-Security "max-age=63072000" always;

		ssl_certificate /usr/local/etc/letsencrypt/live/chevyne.at.tw/fullchain.pem;
		ssl_certificate_key /usr/local/etc/letsencrypt/live/chevyne.at.tw/privkey.pem;
		ssl_dhparam /usr/local/etc/nginx/cert/dhparam.pem;

		ssl_session_cache shared:le_nginx_SSL:10m;
		ssl_session_timeout 1440m;
		ssl_session_tickets off;

		ssl_protocols TLSv1.2 TLSv1.3;
		ssl_prefer_server_ciphers off;

		ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

		ssl_stapling        on;
		ssl_stapling_verify on;

		root /usr/local/www/wiki;
		index index.php;

		location / {
			rewrite ^/$ https://chevyne.at.tw/wiki permanent;
		}

		location /w {
			location ~ \.php$ {
				try_files $uri =404;
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				fastcgi_pass unix:/var/run/php-fpm.sock;
				fastcgi_index index.php;
				fastcgi_param SCRIPT_FILENAME $request_filename;
				include fastcgi_params;
			}
		}

		location /w/images {
			location ~ ^/w/images/thumb/(archive/)?[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ {
				try_files $uri $uri/ @thumb;
			}
		}
		location /w/images/deleted {
			# Deny access to deleted images folder
			deny all;
		}

		location /w/cache       { deny all; }
		location /w/languages   { deny all; }
		location /w/maintenance { deny all; }
		location /w/serialized  { deny all; }
		location ~ /\.(svn|git)(/|$) { deny all; }
		location ~ /\.ht { deny all; }

		location /wiki {
			include fastcgi_params;
			fastcgi_param SCRIPT_FILENAME $document_root/w/index.php;
			fastcgi_pass unix:/var/run/php-fpm.sock;
		}

		location @thumb {
			rewrite ^/w/images/thumb/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2;
			rewrite ^/w/images/thumb/archive/[0-9a-f]/[0-9a-f][0-9a-f]/([^/]+)/([0-9]+)px-.*$ /w/thumb.php?f=$1&width=$2&archived=1;
			include fastcgi_params;
			fastcgi_param SCRIPT_FILENAME $document_root/w/thumb.php;
			fastcgi_pass unix:/var/run/php-fpm.sock;
		}

		error_page 500 502 503 504 /50x.html;
		location = /50x.html {
			root /usr/local/www/nginx-dist;
		}
	}
}
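In the dotfile deny rules of the configuration above, whether the dot is escaped decides what gets blocked: an unescaped `.` matches any character, and because nginx tries regex locations before settling on a prefix location such as /wiki, a page whose path happens to match is answered with 403. The following is an added example, not part of the original page, that uses `grep -E` as a stand-in for nginx's regex matching; the request paths and the function names `denied` and `overblocked` are constructed for illustration.

```shell
#!/bin/sh
# Constructed request URIs: ordinary wiki pages plus the dotfiles the rules target.
PATHS='/wiki/Main_Page
/wiki/Ohtani
/wiki/Eclipse/egit
/w/.htaccess
/w/.git/config
/.svn/entries'

# denied PATTERN: print the URIs a "location ~ PATTERN { deny all; }" would catch.
# grep -E stands in for nginx's PCRE; these patterns mean the same in both.
denied() {
    printf '%s\n' "$PATHS" | grep -E -- "$1" || true
}

# overblocked LOOSE STRICT: URIs denied by LOOSE that STRICT would let through.
overblocked() {
    loose=$(denied "$1")
    for uri in $loose; do
        printf '%s\n' "$uri" | grep -Eq -- "$2" || printf '%s\n' "$uri"
    done
}

printf '%s\n' 'unescaped /.ht denies:';  denied '/.ht'
printf '%s\n' 'escaped /\.ht denies:';   denied '/\.ht'
printf '%s\n' 'wiki pages lost to the unescaped patterns:'
overblocked '/.ht' '/\.ht'
overblocked '/.(svn|git)(/|$)' '/\.(svn|git)(/|$)'
```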

Then edit LocalSettings.php to enable short URLs:

$wgScriptPath = "/w";
$wgScriptExtension = ".php";
$wgArticlePath = "/wiki/$1";
$wgUsePathInfo = true;

Done.
