Moving MediaWiki to Nginx (obsolete)
In a previous article we described the migration of this WordPress site from Apache to Nginx. This article describes a similar task involving a private MediaWiki site.
The front-end is an internet-facing reverse-proxy enforcing SSL with client certificates. The back-end is implemented with Nginx and php-fpm. Both ends run inside jails on FreeBSD servers.
This article focuses on the back-end configuration, the Nginx instance that serves static content from the MediaWiki installation at /usr/local/www/mediawiki/ and forwards PHP requests to the php-fpm service listening on port 9000.
Installation
The packages are installed using:
# pkg install www/nginx
# pkg install www/mediawiki125
Add these lines to /etc/rc.conf:
nginx_enable="YES"
php_fpm_enable="YES"
Nginx Configuration
In /usr/local/etc/nginx/nginx.conf:
events { }
http {
    include mime.types;
    default_type application/octet-stream;
    root /var/empty;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;
    upstream php { server 127.0.0.1:9000; }
    map $http_x_forwarded_proto $https_flag {
        default off;
        https on;
    }
    server {
        listen 80;
        location /wiki/ {
            rewrite ^ /mediawiki/index.php;
        }
        location /w/ {
            rewrite ^/w(.*)$ /mediawiki$1;
        }
        location /mediawiki/ {
            root /usr/local/www;
            location ^~ /mediawiki/cache/ { return 404; }
            location ^~ /mediawiki/includes/ { return 404; }
            location ^~ /mediawiki/languages/ { return 404; }
            location ^~ /mediawiki/maintenance/ { return 404; }
            location ^~ /mediawiki/serialized/ { return 404; }
            location ^~ /mediawiki/tests/ { return 404; }
            location ^~ /mediawiki/images/ { expires 30d; }
            location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires 30d; }
            location ~ \.php$ {
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param HTTPS $https_flag;
                fastcgi_pass php;
            }
        }
    }
}
We use /wiki/ as a prefix for article names and /w/ as a prefix for the installation root.
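The front-end terminates all client SSL connections. It signals that a request arrived over SSL through the X-Forwarded-Proto header, which the map block above converts into $https_flag and passes to MediaWiki as the HTTPS FastCGI parameter.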
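The routing that the configuration above gives a request can be checked with a small model of nginx's location selection. This is an added example, not part of the original article or of nginx; it assumes an already-normalized URI path without a query string, and the names NESTED, rewrite and route are made up for the illustration.

```python
import re

# Nested locations of "location /mediawiki/" above: (modifier, pattern, action)
NESTED = [("^~", "/mediawiki/" + d + "/", "404") for d in
          ("cache", "includes", "languages", "maintenance", "serialized", "tests")]
NESTED += [
    ("^~", "/mediawiki/images/", "static"),
    ("~*", r"\.(js|css|png|jpg|jpeg|gif|ico)$", "static"),
    ("~", r"\.php$", "php-fpm"),
]

def rewrite(uri):
    """Apply the rewrite rules of the /wiki/ and /w/ locations."""
    if uri.startswith("/wiki/"):
        return "/mediawiki/index.php"
    if uri.startswith("/w/"):
        return re.sub(r"^/w(.*)$", r"/mediawiki\1", uri)
    return uri

def route(uri):
    """Return '404', 'static', 'php-fpm' or 'no-location' for a URI path.

    'php-fpm' means the request reaches the \\.php$ location; try_files
    there still answers 404 when the script does not exist on disk.
    """
    uri = rewrite(uri)
    if not uri.startswith("/mediawiki/"):
        return "no-location"      # outside the three server-level locations
    # Step 1: longest matching prefix location among the nested ones.
    prefixes = [l for l in NESTED if l[0] == "^~" and uri.startswith(l[1])]
    if prefixes:
        # ^~ stops the regex search, so \.php$ is never consulted here.
        return max(prefixes, key=lambda l: len(l[1]))[2]
    # Step 2: regex locations in order of appearance; the first match wins.
    for mod, pattern, action in NESTED:
        if mod in ("~", "~*") and re.search(pattern, uri, re.I if mod == "~*" else 0):
            return action
    return "static"               # handled by the outer /mediawiki/ location

if __name__ == "__main__":
    # Constructed sample paths.
    for path in ("/wiki/Main_Page", "/w/index.php", "/w/maintenance/update.php",
                 "/w/images/a/ab/upload.php", "/w/skins/logo.PNG"):
        print(f"{path:32} -> {route(path)}")
```

The model shows two properties worth keeping when the configuration is edited: the internal directories answer 404 even through the /w/ prefix, and a .php file under images/ is served as a static file instead of being handed to php-fpm.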
php-fpm Configuration
Copy /usr/local/etc/php-fpm.conf.default to /usr/local/etc/php-fpm.conf and change the listen directive to the IP address assigned to the jail (if applicable).
MediaWiki Configuration
Much of the MediaWiki configuration lives in /usr/local/www/mediawiki/LocalSettings.php and is mostly beyond the scope of this article. The settings relevant here are:
Setting the URI prefix for article names and the installation root:
$wgScriptPath = "/w";
$wgArticlePath = "/wiki/$1";
Trusting the front-end reverse-proxy to terminate the client's SSL connection:
$wgUsePrivateIPs = true;
$wgSquidServersNoPurge = array( '10.0.0.1' );
where 10.0.0.1 is the internal IP address of the front-end reverse-proxy.