Nginx/MediaWiki: Difference between revisions
Antonizoon (talk | contribs) |
Antonizoon (talk | contribs) |
||
(8 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== PHP-FPM Nginx Config == | {{Note|These Nginx configs are written without HTTPS for simplicity, but you should be [https://letsencrypt.org/getting-started/ using SSL certificates from LetsEncrypt.] They're free!}} | ||
The Web Server sends and receives data over the HTTP protocol. In the case of MediaWiki, the web server serves HTML pages to a user’s web browser. We’ve chosen Nginx instead of Apache for it’s greater effectiveness with serving and caching static HTML. | |||
== Installing Nginx == | |||
Follow one of these guides to install Nginx for your Linux Distribution. | |||
* Debian 8: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-8 | |||
* Ubuntu 16.04 LTS: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04 | |||
* RHEL/CentOS 7: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-centos-7 | |||
== HHVM == | |||
If you are using [[PHP/HHVM|HHVM]] as your PHP Engine, use these Nginx Configs. | |||
== PHP-FPM == | |||
If you are using PHP-FPM as your PHP Engine, use these Nginx Configs. | |||
=== PHP-FPM Nginx Config === | |||
To make it easy to switch all our present or future PHP apps between TCP ports and UNIX sockets, we use a specific `php-fpm.conf` file which can be called with {{ic|fastcgi_pass php-fpm;}}. Create this file: | To make it easy to switch all our present or future PHP apps between TCP ports and UNIX sockets, we use a specific `php-fpm.conf` file which can be called with {{ic|fastcgi_pass php-fpm;}}. Create this file: | ||
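Review bot: the added HHVM section ends at "use these Nginx Configs" and is followed directly by the PHP-FPM heading, so a reader on HHVM gets no config at all; add the HHVM upstream block there or make the sentence point at the linked PHP/HHVM page. In the added intro, "for it's greater effectiveness" should read "its". The new note says the configs omit HTTPS and links to Let's Encrypt, but nothing in this hunk marks which parts of the later server blocks have to change once a certificate is in place.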
Line 9: | Line 29: | ||
upstream php-fpm { | upstream php-fpm { | ||
#server 127.0.0.1:9000; | #server 127.0.0.1:9000; | ||
server unix:/var/run/php5-fpm.sock; | server unix:/var/run/php7.0-fpm.sock; # use this if you have php7.0-fpm | ||
#server unix:/var/run/php5-fpm.sock; # use this if you have php5-fpm | |||
} | } | ||
</nowiki>}} | </nowiki>}} | ||
== MediaWiki Nginx Config == | === MediaWiki Nginx Config === | ||
This is the Nginx Config that we use when when setting up MediaWiki for the first time over conventional HTTP, with PHP-FPM: | This is the Nginx Config that we use when when setting up MediaWiki for the first time over conventional HTTP, with PHP-FPM: | ||
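Review bot: the upstream now hard-codes unix:/var/run/php7.0-fpm.sock with only the comment "use this if you have php7.0-fpm", which does not tell a reader how to confirm the path; state that it must equal the listen value of the PHP-FPM pool, since a mismatch makes nginx answer every PHP request with 502. The context sentence under the demoted "MediaWiki Nginx Config" heading still carries the doubled "when when" and could be fixed in the same edit.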
Line 127: | Line 148: | ||
== Serving MediaWiki images with Nginx == | == Serving MediaWiki images with Nginx == | ||
Nginx can be optimized to make image serving more efficient, and block hotlinking. Since the settings for static images often differ greatly from that of dynamic text, it is recommended that you create a specific subdomain just for images (such as <code>img.bibanon.org</code>) and serve your image folder from there. | |||
Here is the Nginx config we used (without SSL) to serve our image folder: | |||
{{hc|/etc/nginx/conf.d/img.bibanon.org.conf|<nowiki> | |||
server { | |||
listen 80; | |||
server_name img.bibanon.org; | |||
# nginx caching, expires in 1M | |||
expires 1M; | |||
access_log off; | |||
add_header Cache-Control "public"; | |||
# images stored here | |||
root /var/www/mediawiki/images; | |||
# let's encrypt SSL dir | |||
location ~ /\.well-known { | |||
root /var/lib/letsencrypt; | |||
} | |||
location ^~ / { | |||
try_files $uri =404; | |||
} | |||
location ^~ /thumb/ { | |||
try_files $uri =404; | |||
} | |||
# block unnecessary access | |||
location ^~ /lockdir/ { deny all; } | |||
location ^~ /temp/ { deny all; } | |||
location ^~ /archive/ { deny all; } | |||
# block image hotlinking, but not from search engines | |||
valid_referers none blocked bibanon.org *.bibanon.org ~.google. ~.bing. ~.yahoo.; | |||
if ($invalid_referer) { | |||
return 403; # you can alternatively link to an small unsavory picture to be a douche, though it still takes a little bandwidth | |||
} | |||
} | |||
</nowiki>}} | |||
After setting this up, just add this line to LocalSettings: | |||
{{hc|/var/www/mediawiki/LocalSettings.php|<nowiki> | |||
$wgUploadBaseUrl = 'https://img.bibanon.org'; | |||
</nowiki>}} | |||
https://serversforhackers.com/nginx-caching |
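Review bot: in the added img.bibanon.org block, "location ^~ / {" is a prefix match for every URI and its ^~ modifier stops nginx from evaluating regex locations, so "location ~ /\.well-known" can never be selected and challenge files will be looked up under /var/www/mediawiki/images instead of /var/lib/letsencrypt. Make the challenge location a prefix match (location ^~ /.well-known/) or drop ^~ from the catch-all. The valid_referers entries "~.google. ~.bing. ~.yahoo." leave the dots unescaped, so each dot matches any character, and the LocalSettings line uses https:// while this server block only has "listen 80;".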
Latest revision as of 21:57, 10 April 2017
The Web Server sends and receives data over the HTTP protocol. In the case of MediaWiki, the web server serves HTML pages to a user’s web browser. We’ve chosen Nginx instead of Apache for its greater effectiveness with serving and caching static HTML.
Installing Nginx
Follow one of these guides to install Nginx for your Linux Distribution.
- Debian 8: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-8
- Ubuntu 16.04 LTS: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04
- RHEL/CentOS 7: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-centos-7
HHVM
If you are using HHVM as your PHP Engine, use these Nginx Configs.
PHP-FPM
If you are using PHP-FPM as your PHP Engine, use these Nginx Configs.
PHP-FPM Nginx Config
To make it easy to switch all our present or future PHP apps between TCP ports and UNIX sockets, we use a specific `php-fpm.conf` file which can be called with `fastcgi_pass php-fpm;`. Create this file:
/etc/nginx/conf.d/php-fpm.conf

```nginx
# PHP-FPM FastCGI server
# network or unix domain socket configuration
upstream php-fpm {
    #server 127.0.0.1:9000;
    server unix:/var/run/php7.0-fpm.sock;   # use this if you have php7.0-fpm
    #server unix:/var/run/php5-fpm.sock;    # use this if you have php5-fpm
}
```
MediaWiki Nginx Config
This is the Nginx Config that we use when setting up MediaWiki for the first time over conventional HTTP, with PHP-FPM:
- Path to MediaWiki installation: `/var/www/mediawiki/`
/etc/nginx/conf.d/wiki.bibanon.org.conf

```nginx
server {
    listen 80;
    server_name wiki.bibanon.org;
    root /var/www/mediawiki;

    client_max_body_size 8m;

    # let's encrypt SSL dir
    location ~ /\.well-known {
        root /var/lib/letsencrypt;
    }

    access_log /var/log/nginx/wiki.bibanon.org.log;
    error_log /var/log/nginx/wiki.bibanon.org.error.log;

    # Common deny, drop, or internal locations

    # Exclude all access from the cache directory
    location ^~ /cache/ { deny all; }

    # Prevent access to any files starting with a dot, like .htaccess
    # or text editor temp files
    location ~ /\. { access_log off; log_not_found off; deny all; }

    # Prevent access to any files ending with a ~ (usually temp files)
    location ~ ~$ { access_log off; log_not_found off; deny all; }

    # Do not log access to robots.txt, to keep the logs cleaner
    location = /robots.txt { access_log off; log_not_found off; }

    # Do not log access to the favicon, to keep the logs cleaner
    location = /favicon.ico { access_log off; log_not_found off; }

    # Keep images and CSS around in browser cache for as long as possible,
    # to cut down on server load
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        try_files $uri /index.php;
        expires max;
        log_not_found off;
    }

    # Mark all of these directories as "internal", which means that they cannot
    # be explicitly accessed by clients. However, the web server can still use
    # and serve the files inside of them. This keeps people from poking around
    # in the wiki's internals.
    location ^~ /bin/ { internal; }
    location ^~ /docs/ { internal; }
    location ^~ /extensions/ { internal; }
    location ^~ /includes/ { internal; }
    location ^~ /maintenance/ { internal; }
    # location ^~ /mw-config/ { internal; } #Uncomment after installation
    location ^~ /resources/ { internal; }
    location ^~ /serialized/ { internal; }
    location ^~ /tests/ { internal; }

    # Serve the wiki toolbar data out of /resources/assets/
    location ^~ /resources/assets/ { }
    location ^~ /extensions/WikiEditor/modules/images/ { }

    # Serve bootstrap-mediawiki theme assets
    # location ^~ /skins/bootstrap-mediawiki/bootstrap {
    #     try_files $uri $uri/;
    # }
    # location ^~ /skins/bootstrap-mediawiki/google-code-prettify {
    #     try_files $uri $uri/;
    # }
    # location ^~ /skins/bootstrap-mediawiki/js {
    #     try_files $uri $uri/;
    # }
    # location ^~ /skins/bootstrap-mediawiki/font-awesome {
    #     try_files $uri $uri/;
    #     default_type text/plain;
    # }

    # Redirect all requests for unknown URLs out of images and back to the
    # root index.php file
    location ^~ /images/ {
        try_files $uri /index.php;
    }

    # Uncomment after installation!
    # location / {
    #     index index.php;
    #     rewrite ^/([^?]*)(?:\?(.*))? /index.php?title=$1&$2 last;
    # }

    # Hand .php files to PHP-FPM. The pattern is \.php$ (not \.php?$, which
    # would also match files ending in ".ph").
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass php-fpm;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
}
```
After setting up MediaWiki, make sure to uncomment the `location / {` block to allow index.php to be used, and the `location ^~ /mw-config/ { internal; }` line to disable access to the installation directory.
Also consider setting up an SSL certificate with this Nginx config.
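Which of the location blocks above handles a request depends on nginx's matching order: an exact `=` match first, then the longest prefix (where `^~` suppresses the regex pass), then the first matching regex in file order. The Python model below is an added example, not part of the original page or of nginx; it covers only top-level locations, approximates nginx's PCRE with Python's `re`, writes the PHP handler pattern as `\.php$`, and uses constructed request paths.

```python
import re

# Active location blocks of the wiki.bibanon.org server block, in file order,
# as (modifier, pattern). Commented-out blocks are left out.
WIKI_LOCATIONS = [
    ("~", r"/\.well-known"), ("^~", "/cache/"), ("~", r"/\."), ("~", r"~$"),
    ("=", "/robots.txt"), ("=", "/favicon.ico"),
    ("~*", r"\.(js|css|png|jpg|jpeg|gif|ico)$"),
    ("^~", "/bin/"), ("^~", "/docs/"), ("^~", "/extensions/"),
    ("^~", "/includes/"), ("^~", "/maintenance/"), ("^~", "/resources/"),
    ("^~", "/serialized/"), ("^~", "/tests/"), ("^~", "/resources/assets/"),
    ("^~", "/extensions/WikiEditor/modules/images/"), ("^~", "/images/"),
    ("~", r"\.php$"),  # PHP handler
]

def select_location(uri, locations):
    """Return the (modifier, pattern) nginx would select for uri, or None."""
    # 1. An exact-match location ends the search immediately.
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
    # 2. Remember the longest matching prefix location ("" or "^~").
    best = None
    for mod, pat in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    # 3. If that prefix carries "^~", regex locations are never consulted.
    if best and best[0] == "^~":
        return best
    # 4. Otherwise the first regex that matches, in file order, wins.
    for mod, pat in locations:
        if mod in ("~", "~*"):
            if re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
                return (mod, pat)
    return best  # plain prefix match, or None if nothing matched

# Constructed sample requests an administrator would want to check.
SAMPLES = ["/images/shell.php", "/LocalSettings.php~", "/.htaccess",
           "/.well-known/acme-challenge/token", "/extensions/Foo/Foo.php",
           "/extensions/WikiEditor/modules/images/toolbar/a.png",
           "/mw-config/index.php"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:52} -> {select_location(uri, WIKI_LOCATIONS)}")
    after_install = WIKI_LOCATIONS + [("^~", "/mw-config/")]
    print("after uncommenting:", select_location("/mw-config/index.php", after_install))
```

A `.php` file under `/images/` is selected by the static `^~ /images/` block and never reaches the PHP handler, while `/mw-config/index.php` is matched by the PHP handler until the `/mw-config/` line is uncommented.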
Serving MediaWiki images with Nginx
Nginx can be optimized to make image serving more efficient, and to block hotlinking. Since the settings for static images often differ greatly from those for dynamic text, it is recommended that you create a specific subdomain just for images (such as `img.bibanon.org`) and serve your image folder from there.
Here is the Nginx config we used (without SSL) to serve our image folder:
/etc/nginx/conf.d/img.bibanon.org.conf

```nginx
server {
    listen 80;
    server_name img.bibanon.org;

    # nginx caching, expires in 1M
    expires 1M;
    access_log off;
    add_header Cache-Control "public";

    # images stored here
    root /var/www/mediawiki/images;

    # let's encrypt SSL dir
    # Prefix match with ^~: a regex location here would never be evaluated,
    # because the catch-all "location ^~ /" below suppresses regex matching.
    location ^~ /.well-known/ {
        root /var/lib/letsencrypt;
    }

    location ^~ / {
        try_files $uri =404;
    }

    location ^~ /thumb/ {
        try_files $uri =404;
    }

    # block unnecessary access
    location ^~ /lockdir/ { deny all; }
    location ^~ /temp/ { deny all; }
    location ^~ /archive/ { deny all; }

    # block image hotlinking, but not from search engines
    # (dots are escaped so they match a literal "." and not any character)
    valid_referers none blocked bibanon.org *.bibanon.org ~\.google\. ~\.bing\. ~\.yahoo\.;
    if ($invalid_referer) {
        return 403; # you can alternatively link to a small unsavory picture to be a douche, though it still takes a little bandwidth
    }
}
```
After setting this up, just add this line to LocalSettings:
/var/www/mediawiki/LocalSettings.php

```php
$wgUploadBaseUrl = 'https://img.bibanon.org';
```