Mediawiki

From Pozzo-Balbi Help

Mediawiki is the program that runs Wikipedia and is useful as an information database on an intranet or the internet. This article assumes you have a LAMP server running.




Install bootstrap and chameleon-skin

composer update --no-dev
composer require "mediawiki/bootstrap:1.3"
composer require "mediawiki/chameleon-skin:1.7.1"
composer update --no-dev
maintenance/update.php --skip-external-dependencies
maintenance/update.php



Install Mediawiki

Unpack mediawiki tar ball into /var/www/html/w

Open https://www.example.com/w and follow instructions to generate LocalSettings.php

Copy settings to file /var/www/html/w/LocalSettings.php

Delete subdirectory mw-config, e.g.

rm -rf /var/www/html/w/mw-config

Secure LocalSettings.php

chown root:apache /var/www/html/w/LocalSettings.php
chmod 640 /var/www/html/w/LocalSettings.php

Check the log files to confirm that no one else had access to the installation settings.

Update the httpd.conf settings, since in a standard Apache 2.4 installation on Scientific Linux 7.2 the use of .htaccess files is disabled under /var/www/html. There are two options: first, enable the use of .htaccess files, or second, manually configure the directories as needed. Performance-wise the second method is preferred.

First method:

cat >> /etc/httpd/conf.d/custom.conf << EOF
<Directory "/var/www/html/w">
 AllowOverride All
</Directory>
EOF

Second method:

# The delimiter is quoted so the shell leaves the backslashes in the rewrite pattern untouched
cat >> /etc/httpd/conf.d/custom.conf << 'EOF'
<Directory "/var/www/html/w/cache">
 Require all denied
</Directory>
<Directory "/var/www/html/w/extensions/Math/math">
 Require all denied
</Directory>
<Directory "/var/www/html/w/images">
# Protect against bug 28235
<IfModule rewrite_module>
       RewriteEngine On
       RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22<>|%]+(#|\?|$) [nocase]
       RewriteRule . - [forbidden]
       # Fix for bug T64289
       Options +FollowSymLinks
</IfModule>
</Directory>
<Directory "/var/www/html/w/includes">
 Require all denied
</Directory>
<Directory "/var/www/html/w/languages">
 Require all denied
</Directory>
<Directory "/var/www/html/w/maintenance">
 Require all denied
</Directory>
<Directory "/var/www/html/w/serialized">
 Require all denied
</Directory>
<Directory "/var/www/html/w/tests">
 Require all denied
</Directory>
EOF
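
The log check from the installation steps above can be scripted. This is an added example, not part of the original page; it assumes Apache combined-format access log lines with the client address in the first field, and the sample log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: list successful requests to the web installer that did not
# come from the administrator's own address.
# Behind a reverse proxy the first field holds the proxy's address instead.
# Usage: installer_hits ADMIN_IP < access_log
installer_hits() {
    awk -v admin="$1" '
        index($7, "/w/mw-config") == 1 && $1 != admin && $9 ~ /^[23]/ {
            # client, time without "[", method without the quote, path, status
            print $1, substr($4, 2), substr($6, 2), $7, $9
        }'
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [12/Mar/2016:10:01:02 +0100] "GET /w/mw-config/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2016:10:03:40 +0100] "POST /w/mw-config/index.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2016:10:04:05 +0100] "GET /w/mw-config/index.php HTTP/1.1" 200 5120 "-" "curl/7.29.0"
203.0.113.9 - - [12/Mar/2016:10:09:11 +0100] "GET /w/mw-config/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2016:10:10:00 +0100] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 9000 "-" "curl/7.29.0"
EOF
}

# With 192.0.2.10 as the administrator, only the 198.51.100.7 request is reported;
# the 404 shows the installer was already gone when 203.0.113.9 asked for it.
sample_log | installer_hits 192.0.2.10
```

Any line printed for a period in which mw-config existed means the database credentials and secret keys generated during setup should be treated as exposed and regenerated.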


Customizations

Chameleon skin

Install the Chameleon skin (https://www.mediawiki.org/wiki/Skin:Chameleon). It is a responsive 1-column skin based on Twitter bootstrap 3.0. First install composer and then run the following commands.

yum -y install composer
cd /var/www/html/w
composer require mediawiki/chameleon-skin "1.*"

There is no need to edit LocalSettings.php to enable chameleon. See further down for how to set it as the default theme.


LocalSettings.php

Edit LocalSettings.php as follows (except where noted otherwise). An overview of all variables is at https://www.mediawiki.org/wiki/Manual:Configuration_settings.


Disable default extension

Disable the following extensions:

#wfLoadExtension( 'Gadgets' ); # reuse user javascript, css
#wfLoadExtension( 'InputBox' ); # creates an input box that can be processed
#wfLoadExtension( 'ParserFunctions' ); # offers calculation of basic math/logic calculations
#wfLoadExtension( 'Poem' ); # another form of formatting
#wfLoadExtension( 'SyntaxHighlight_GeSHi' ); # syntax highlight, uses bundled executable


Add Chameleon skin

#Add skin
$wgDefaultSkin='chameleon';
#$wgDefaultSkin = "vector";
#wfLoadSkin( 'Vector' );


Alias

Edit /etc/httpd/conf.d/ssl.conf and add the Alias line inside the virtual host:

<VirtualHost _default_:443>
Alias /PATH /var/www/html/w/index.php

Then set the matching article path in LocalSettings.php:

#Alias
$wgArticlePath = "/PATH/$1";


Captcha

Captcha, while some find it annoying, is (still) an effective way to reduce or block automated unwanted content (spam). Not to forget, most of them violate accessibility principles. The standard modules are mostly ineffective; see https://www.mediawiki.org/wiki/Extension:ConfirmEdit for a comparison table. One may want to alter SimpleCaptcha or MathCaptcha, or create custom questions.

#Captcha
wfLoadExtension( 'ConfirmEdit' ); # Note should already be enabled
#wfLoadExtension( 'ConfirmEdit/Math' ); # Only if Math is installed and you want math problems
$wgCaptchaTriggers['edit']          = true; // Would check on every edit
$wgCaptchaTriggers['create']        = true; // Check on page creation.
$wgCaptchaTriggers['sendemail']     = true; // Special:Emailuser
#$wgCaptchaTriggers['addurl']        = true;  // Check on edits that add URLs
$wgCaptchaTriggers['createaccount'] = true;  // Special:Userlogin&type=signup
$wgCaptchaTriggers['badlogin']      = true;  // Special:Userlogin after failure


Debug

#Debug information, enable as needed
#error_reporting( -1 );
#ini_set( 'display_errors', 1 );
#$wgDebugComments = true;
#$wgDebugDumpSql  = true;
#$wgDebugLogFile = '/var/www/html/w/mediawiki.log';
#$wgDebugToolbar = true;
#$wgDevelopmentWarnings = true;
#$wgShowDBErrorBacktrace = true;
#$wgShowDebug = true;
#$wgShowExceptionDetails = true;
#$wgShowSQLErrors = true;
#$wgDebugLogGroups['Math'] = array( 'level' => 'info', 'destination' => '/var/www/html/w/mediawiki.log' );


Feeds

#Disable feeds
$wgFeed = false;


Flagged revision

See https://www.mediawiki.org/wiki/Extension:FlaggedRevs for download and installation instructions. See https://www.mediawiki.org/wiki/Help:Extension:FlaggedRevs for instructions.

#Enable flagged revision
require_once("$IP/extensions/FlaggedRevs/FlaggedRevs.php");
$wgFlaggedRevsStatsAge = false;


Frame

#Framing disabled
$wgBreakFrames = true;


Links

#Links
$wgNoFollowLinks = false;


Math

See https://www.mediawiki.org/wiki/Extension:Math for download and installation details.

#Math extension
wfLoadExtension( 'Math' );
$wgMathValidModes[] = 'mathml';
$wgDefaultUserOptions['math'] = 'mathml';
$wgMathMathMLUrl = 'http://192.168.1.1:10044/'; # IP of server running Mathoid


Password policy

#Password policy
$wgPasswordPolicy = array(
    'policies' => array(
	'bureaucrat' => array(
	    'MinimalPasswordLength' => 8,
	    'MinimumPasswordLengthToLogin' => 8,
	    'PasswordCannotMatchUsername' => true,
	    'PasswordCannotMatchBlacklist' => true,
	    'MaximalPasswordLength' => 64,
	),
	'sysop' => array(
	    'MinimalPasswordLength' => 8,
	    'MinimumPasswordLengthToLogin' => 8,
	    'PasswordCannotMatchUsername' => true,
	    'PasswordCannotMatchBlacklist' => true,
	    'MaximalPasswordLength' => 64,
	),
	'bot' => array(
	    'MinimalPasswordLength' => 8,
	    'MinimumPasswordLengthToLogin' => 8,
	    'PasswordCannotMatchUsername' => true,
	    'PasswordCannotMatchBlacklist' => true,
	    'MaximalPasswordLength' => 64,
	),
	'default' => array(
	    'MinimalPasswordLength' => 8,
	    'MinimumPasswordLengthToLogin' => 8,
	    'PasswordCannotMatchUsername' => true,
	    'PasswordCannotMatchBlacklist' => true,
	    'MaximalPasswordLength' => 64,
	),
    ),
    'checks' => array(
	'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
	'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
	'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
	'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
	'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
    ),
);


Permissions

#Restrict permissions
$wgGroupPermissions['user']['move']                = false;
$wgGroupPermissions['user']['upload']              = false;
$wgGroupPermissions['user']['purge']               = false;
$wgGroupPermissions['user']['SpecialPages']        = false;
$wgGroupPermissions['bureaucrat']['move']          = true;
$wgGroupPermissions['bureaucrat']['upload']        = true;
$wgGroupPermissions['bureaucrat']['purge']         = true;
$wgGroupPermissions['bureaucrat']['SpecialPages']  = true;


Proxy

#Use proxy
#$wgHTTPProxy = '192.168.1.1:3128'; # if mediawiki needs a proxy for internet access


Reverse proxy settings

Edit /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf to log "%{X-Forwarded-For}i"

#Reverse proxy
$wgUseSquid = true;
$wgSquidServers = array ( '192.168.1.1'); # Purge pages in cache after update
#$wgSquidServersNoPurge = array ( '192.168.1.1'); # don't purge pages in cache after update


Revisions

#Revisions
$wgGroupPermissions['sysop']['deletelogentry'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;


SMTP

This configuration enables the use of a different SMTP host. First install php-pear-mail with "yum -y install php-pear-Mail".

#SMTP
$wgSMTP = array(
 'host'     => "192.168.1.1",
 'IDHost'   => "example.com",
 'port'     => 25,
 'auth'     => false,
);


SPAM

#Block postings with the following words
$wgSpamRegex = "/".
                "s-e-x|zoofilia|sexyongpin|grusskarte|geburtstagskarten|animalsex|".
                "sex-with|dogsex|adultchat|adultlive|camsex|sexcam|livesex|sexchat|".
                "chatsex|onlinesex|adultporn|adultvideo|adultweb.|hardcoresex|hardcoreporn|".
                "teenporn|xxxporn|lesbiansex|livegirl|livenude|livesex|livevideo|camgirl|".
                "spycam|voyeursex|casino-online|online-casino|kontaktlinsen|cheapest-phone|".
                "laser-eye|eye-laser|fuelcellmarket|lasikclinic|cragrats|parishilton|".
                "paris-hilton|paris-tape|2large|fuel-dispenser|fueling-dispenser|huojia|".
                "jinxinghj|telematicsone|telematiksone|a-mortgage|diamondabrasives|".
                "reuterbrook|sex-plugin|sex-zone|lazy-stars|eblja|liuhecai|".
                "buy-viagra|-cialis|-levitra|boy-and-girl-kissing|".
                "dirare\.com|adipex|phentermine|adult-website\.com|".
                "overflow\s*:\s*auto|".
                "height\s*:\s*[0-4]px|".
                "==<center>\[|".
                "\<\s*a\s*href|".
                "display\s*:\s*none". 
                "/i";
$wgSummarySpamRegex = "/".
                "s-e-x|zoofilia|sexyongpin|grusskarte|geburtstagskarten|animalsex|".
                "sex-with|dogsex|adultchat|adultlive|camsex|sexcam|livesex|sexchat|".
                "chatsex|onlinesex|adultporn|adultvideo|adultweb.|hardcoresex|hardcoreporn|".
                "teenporn|xxxporn|lesbiansex|livegirl|livenude|livesex|livevideo|camgirl|".
                "spycam|voyeursex|casino-online|online-casino|kontaktlinsen|cheapest-phone|".
                "laser-eye|eye-laser|fuelcellmarket|lasikclinic|cragrats|parishilton|".
                "paris-hilton|paris-tape|2large|fuel-dispenser|fueling-dispenser|huojia|".
                "jinxinghj|telematicsone|telematiksone|a-mortgage|diamondabrasives|".
                "reuterbrook|sex-plugin|sex-zone|lazy-stars|eblja|liuhecai|".
                "buy-viagra|-cialis|-levitra|boy-and-girl-kissing|".
                "dirare\.com|adipex|phentermine|adult-website\.com|".
                "overflow\s*:\s*auto|".
                "height\s*:\s*[0-4]px|".
                "==<center>\[|".
                "\<\s*a\s*href|".
                "display\s*:\s*none".
                "/i";


UserMerge

See https://www.mediawiki.org/wiki/Extension:UserMerge for download and installation details.

#Add extension "UserMerge"
wfLoadExtension( 'UserMerge' );
$wgGroupPermissions['sysop']['usermerge'] = true;


Moderation

See https://www.mediawiki.org/wiki/Extension:Moderation for download and installation details. This

#Moderation (to be placed at the bottom of LocalSettings.php)
require_once "$IP/extensions/Moderation/Moderation.php";
$wgGroupPermissions['sysop']['moderation'] = true; # Allow sysops to use Special:Moderation
$wgGroupPermissions['sysop']['skip-moderation'] = true; # Allow sysops to skip moderation
$wgGroupPermissions['bot']['skip-moderation'] = true; # Allow bots to skip moderation
$wgGroupPermissions['bureaucrat']['skip-moderation'] = true; # Allow bureaucrat to skip moderation
#$wgGroupPermissions['checkuser']['moderation-checkuser'] = false; # Don't let checkusers see IPs on Special:Moderation
$wgAddGroups['sysop'][] = 'automoderated'; # Allow sysops to assign "automoderated" flag
$wgRemoveGroups['sysop'][] = 'automoderated'; # Allow sysops to remove "automoderated" flag
$wgLogRestrictions["newusers"] = 'moderation';


Security

Now we need to secure the Mediawiki installation.

setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_builtin_scripting 1
setsebool -P httpd_execmem 1 # in the long run we want to avoid this
chown -R root:apache /var/www/html/
find /var/www/html/w -type d -exec chmod 750 {} \;
find /var/www/html/w -type f -exec chmod 640 {} \;
chown -R apache:apache /var/www/html/w/images
chown -R apache:apache /var/www/html/w/cache
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/w/cache(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/w/images(/.*)?"
restorecon -R /var/www/html/w
cd /var/log/audit
grep hugetlbfs audit.log | audit2allow -M hugetlbfs
semodule -i hugetlbfs.pp
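
To confirm the result of the commands above, the tree can be audited for files that are not 640, directories that are not 750, entries outside the web server's group, and a leftover mw-config directory. This is an added example, not part of the original page; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a MediaWiki tree against the modes set above.
# audit_wiki ROOT GROUP prints one finding per line:
#   file-mode PATH   regular file whose mode is not 640
#   dir-mode  PATH   directory whose mode is not 750
#   group     PATH   entry not in GROUP (apache on the server described above)
#   installer PATH   mw-config is still present
audit_wiki() {
    root=$1 group=$2
    {
        find "$root" -type f ! -perm 640 | sed 's/^/file-mode /'
        find "$root" -type d ! -perm 750 | sed 's/^/dir-mode /'
        find "$root" ! -group "$group" | sed 's/^/group /'
        if [ -e "$root/mw-config" ]; then echo "installer $root/mw-config"; fi
    } | sort
}

# Constructed sample tree with two deliberate mistakes: a world-readable
# LocalSettings.php and a leftover installer directory.
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/w/images" "$t/w/mw-config"
    : > "$t/w/index.php"
    : > "$t/w/LocalSettings.php"
    chgrp -R "$(id -g)" "$t/w"
    chmod 750 "$t/w" "$t/w/images" "$t/w/mw-config"
    chmod 640 "$t/w/index.php"
    chmod 644 "$t/w/LocalSettings.php"
    echo "$t/w"
}

# Run against the sample tree; the current group stands in for apache here.
w=$(demo_tree) && audit_wiki "$w" "$(id -g)"
# On the server described above: audit_wiki /var/www/html/w apache
```

An empty result means the modes and group match what the commands above set; ownership of images and cache by apache is not checked by this sketch.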


Backup

Dump Mediawiki pages

cd /var/www/html/w/maintenance/
php dumpBackup.php --full > dump.xml


Restore

Restore Mediawiki dump

cd /var/www/html/w/maintenance/
php importDump.php < dump.xml


Special pages

Special:Export

Special:Import

Special:AllPages

Special:Moderation

Special:RecentChanges

MediaWiki:Sidebar


Links

http://concise.wiki/index.php?title=MediaWiki_-_howto&section=5

https://www.mediawiki.org/wiki/Manual:Configuration_settings