A primer on setting up MediaWiki as a private slip box
I’m still setting up my virtual host. Actually, I was after something completely different — getting some source DocBook XML rendered to anything presentable. I just got a clue on how to render it to HTML, so I wanted to note that down. As I am used to using a wiki as a slip box, it occurred to me that having a wiki on my host right now would be nice.
Quite a while ago, I gave MoinMoinWiki a shot, but it disappointed me because of its camelcase article naming scheme. Also, I wanted to give an alternative a try, TWiki, as it’s going to be used at work and also because I know TWiki just forked. I just wanted to see it live in action, to get an impression of it, even though its fork will be its future. However, I realized TWiki relies on the same camelcased naming scheme, so I didn’t put any further effort into it when I saw it goating. In the end, I ended up with MediaWiki, once again.
Originally, I imagined: To get the box secure, keep it off the web, access it by SSH, launch a Firefox there and interact with that through the tunnel. For some reason Firefox does not launch that way. Konqueror does, but there are situations when it’s no fun to use Konqueror, despite all its great benefits. Also, Dillo works. But… well, do you really want to use Dillo for serious day-to-day web activity?
So, despite my original wish, I gave in and looked for a way to expose the box to the web without revealing too much of it. In particular, I wanted to prevent anyone else from even seeing the contents of my wiki, not to mention editing, vandalizing or simply spamming it. While setting it up, for a short time, it was exposed to the internet; apparently I was lucky and it didn’t get attacked during that short period of time.
So, what did I do? I installed and configured MediaWiki. Then I applied a patch to its LocalSettings.php which prevents every random passer-by from seeing anything but the MediaWiki login page. You cannot even create a new account when that patch is applied.
So, installed MediaWiki? — aptitude install mediawiki. [20090308/Update:] Now, as root, edit /etc/apache2/conf.d/mediawiki.conf. The first two lines of the file say that, to get an alias, you should uncomment the line that follows them. Although that does not work properly with virtual hosts, this is the way to make the wiki accessible at localhost/mediawiki. After uncommenting the line, restart Apache. Then I directed the browser to the wiki, with a URL like this: http://localhost/mediawiki/. I got the familiar MediaWiki “I’m ready to setup” page, filled in the required input fields and confirmed. When MediaWiki was done, I moved the LocalSettings.php, as MediaWiki demanded. Once done with that, I applied the patch:
## added by dagobart ---1-
# added, according to http://www.walkingpaper.org/362
# This snippet prevents editing from anonymous users
$wgGroupPermissions['*']['edit'] = false;
# This lists pages anonymous (not-logged-in) users may see (only the log-in)
$wgWhitelistRead = array("Special:Userlogin", "-", "MediaWiki:Monobook.css" );
# German localization: this second assignment replaces the English one above
$wgWhitelistRead = array("Spezial:Userlogin", "-", "MediaWiki:Monobook.css" ); # added by dagobart
$wgGroupPermissions['*']['read'] = false;
# This snippet prevents anonymous users registering
$wgGroupPermissions['*']['createaccount'] = false;
## added by dagobart ---9-
I put this patch at the end of LocalSettings.php, right before that ?> line at the very end of the file.
Note: In case you’re using any alternative localization of Mediawiki but the English one, you might need to replace the line
$wgWhitelistRead = array("Special:Userlogin", "-", "MediaWiki:Monobook.css" );
If you chose German localization the following probably will do:
$wgWhitelistRead = array("Spezial:Userlogin", "-", "MediaWiki:Monobook.css" );
However, for any other localization you can easily find out what to replace the line with: Just direct your browser to your wiki, then try to log in. This will probably fail. However, the URL in the address bar will reveal the address of the page you tried to access. Look through that URL, and you will find something that looks similar to the Spezial:Userlogin mentioned above. Try whether it works to use that snippet instead: Copy it from the URL and paste it into the mentioned line of LocalSettings.php.
Once you have applied the patch, you’ll have the issue that no one can sign up for your wiki. In case you set it up for a team to work with the wiki, this implies no one but you will be able to use the wiki at all. So, now it’s your duty to set up new users. You can do so by logging in to the wiki as its admin, say WikiSysop, then visiting Spezial:Userlogin&type=signup (or what’s appropriate for your localization of MediaWiki, say Special:Userlogin for an English localization). There, you can set up new users. The flipside is that you have to pick passwords for them, too, and then urge them to change their passwords.
Alternatively, you can get here by following these links of your virgin Mediawiki installation: Special pages > Log in > Add new user. (The names of these links may vary, depending on the localization you’ve chosen for your Mediawiki install.)
Done with that, there’ll remain one issue: Although MediaWiki now prohibits random passers-by from accessing pages of your wiki, they’ll still be able to access non-page contents of your wiki, e.g. images. One of the original poster’s commenters mentioned that issue:
Is there any way to prevent access of media/image files by non-logged in users? With this solution in place, any user (logged in or not) can access media/image files so long as they have the direct URL to the file.
To get over that, you might want to password-protect the whole MediaWiki site. You can do so by using a simple Apache standard utility: Whenever someone wants to access your MediaWiki site, an authentication dialog will pop up in the user’s browser, demanding a valid user name and password for accessing anything on the MediaWiki site.
You can achieve that this way:
- Set up some user name/password pairs. You should do this at least for your WikiSysop user and for the one user you’re about to use on a day-to-day basis for working with your wiki; also for any other people you want to grant access to your wiki. You can do this, as root, in bash:

    # htpasswd /etc/apache2/.htpasswd WikiSysop
    New password:
    Re-type new password:

  Note: In case there’s not yet any /etc/apache2/.htpasswd file, you must create it. For that, instead, use the htpasswd -c /etc/apache2/.htpasswd WikiSysop command. However, don’t re-use that command, since it’s going to wipe out any previously set up htpasswd passwords. Once you have called htpasswd with the -c, don’t use it with that parameter ever again.
- Now, you’ve got some valid users and their respective passwords. Now you need to get them applied. For this, modify the MediaWiki config file for Apache. Here’s how the first block of /etc/mediawiki1.7/apache.conf looks in the original:

    <Directory /var/lib/mediawiki1.7/>
        Options +FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

  Now, pick your preferred editor, e.g. nano, and make that block look like this:

    <Directory /var/lib/mediawiki1.7/>
        Options +FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
        AuthType Basic
        AuthName "the wiki"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>

- Now, save that and restart Apache: /etc/init.d/apache2 restart.
Now, your wiki will be accessible to registered users only, and not even any images or other static content of your wiki will be visible to any strangers.
However, although the htpasswd approach blocks uninvited users from seeing your wiki’s files, the username/password pairs your users enter will be transferred insecurely across the internet. Someone could sniff those pairs and then access the wiki, pretending to be someone else, someone who’s allowed to participate. — This could be fixed by using https instead of plain http.
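A quick way to spot this exposure in an Apache config, as an added example that is not part of the original post: the function below flags every <Directory> block that uses Basic auth without mod_ssl’s SSLRequireSSL directive. The sample config and its /srv/example/ paths are constructed for illustration.

```shell
# Constructed sample config; the /srv/example/ paths are made up.
sample_config() {
    cat <<'EOF'
# original block: no authentication at all
<Directory /srv/example/original/>
    Options +FollowSymLinks
    order allow,deny
    allow from all
</Directory>
# block as patched in the article: Basic auth, also reachable over plain http
<Directory /srv/example/basic-only/>
    order allow,deny
    allow from all
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
# hardened variant: mod_ssl rejects any request that did not arrive over https
<Directory "/srv/example/basic-ssl/">
    SSLRequireSSL
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
EOF
}

# Reads an Apache config on stdin, prints one "VERDICT path" line per block.
audit_basic_auth() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }                     # skip comment lines
        low ~ /^<directory[ \t]/ {              # block opens: remember its path
            dir = line; sub(/^<[^ \t]+[ \t]+/, "", dir)
            sub(/>[ \t]*$/, "", dir); gsub(/"/, "", dir)
            basic = 0; ssl = 0; inblock = 1; next
        }
        inblock && low ~ /^authtype[ \t]+basic/ { basic = 1 }
        inblock && low ~ /^sslrequiressl/       { ssl = 1 }
        inblock && low ~ /^<\/directory>/ {     # block closes: emit the verdict
            if (!basic)    verdict = "NO-AUTH"
            else if (!ssl) verdict = "CLEARTEXT-BASIC-AUTH"
            else           verdict = "OK"
            print verdict, dir; inblock = 0
        }
    '
}

sample_config | audit_basic_auth
```

A block reported as CLEARTEXT-BASIC-AUTH may still be safe if the whole site is served only from an https virtual host; the check looks at each block in isolation.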
NB. As it’s not the most lovely thing one can imagine to completely remove a MediaWiki, I did this primer from memory, by command history and by files I had at hand and changed during the setup process. However, you might need to restart Apache here and there in between, even though I didn’t mention it explicitly.
20090309/Update: Installing MediaWiki on another machine right now, I forgot to set the language settings from English to German. — In case you did anything similar and worry about the English MediaWiki sidebar links etc, here’s my solution. Be aware that this might be a suboptimal one, but for me, so far, it works:
- Drop the database you just set up for MediaWiki: Call mysql -u root -p. There, drop wikidb. Leave.
- Remove the LocalSettings.php file.
- Go back to the initial mediawiki web page, say http://localhost/mediawiki/.
There you have it: Again, the initial “now set up your wiki” page.
Another note: For some reason I couldn’t remember the MySQL root password. Here’s a quick HowTo on how to reset it on a Debian machine.
_____
Link tip: Chaosradio Express podcast [de] on MediaWiki (talk [de])
this was wicked useful and pretty much the most *clear* explanation of this procedure I’ve found on the web. Thanks and nice job man.
john
February 8, 2009
@john That’s a big praise of yours.
Thanks a lot!
dagobart
February 9, 2009
Thanks, very helpful.
Tom McManus
February 11, 2009
Yeah, really helpful! Thanks!
I
June 18, 2009