Ubuntu 22.04 Host Your Own Mediawiki Online - LXC Ubuntu Container
| Please Select a Licence from the LICENCE_HEADERS page |
And place at top of your page |
If no Licence is Selected/Appended, Default will be CC0 Default Licence IF there is no Licence placed below this notice!
When you edit this page, you agree to release your contribution under the CC0 Licence |
Installing MediaWiki on a container and exporting to the cloud. Local OS used Ubuntu-Mate 20.04 Tested with ethernet. Untested with wifi.
TODO's
- Remove 'index.php' from URL
- Find out more about 'DocBookExport' and test how it works
- Move MediaWiki Server to FreeBSD
Currently trying to solve the spambot problem, they got round the need to request to open an account somehow, will update once solved.
$EDITOR is used as a place holder for an editor of your choice.
Installing LXD
sudo snap install lxd
lxd init
Selecting all defaults, apart from "Size in GB of the new loop device (1GB minimum) [default=6GB]:" increasing to 30GB:
lxd init selected options:
Create Ubuntu:22.04 Container for MediaWiki
lxc launch ubuntu:22.04 mediawiki
lxc list
+-----------+---------+--------------------+------+-----------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------+---------+--------------------+------+-----------+-----------+ | mediawiki | RUNNING | 10.194.171.251(eth0) | | CONTAINER | 0 | +-----------+---------+--------------------+------+-----------+-----------+
Login to Container
lxc exec mediawiki bash
Basic Firewall UFW for Container
NOTE:Add Link to a UFW page for more info
Blocking IPv6
$EDITOR /etc/default/ufw
Change the line
IPV6=yes
To
IPV6=no
Save and Exit
Allow port 80
ufw allow 80/tcp
Allow port 443
ufw allow 443/tcp
Start/Enable UFW firewall
ufw enable
Check UFW status
ufw status
If you Entered wrong port number and would like to change/delete rule:
Update system
apt update && apt upgrade -y
ssmtp setup
NOTE: need link to ssmtp page - showing how to use other email providers that allow smtp
Link to ssmtp wiki page
You can use a number of email providers for sending emails from server using ssmtp.
I am going to use smtp2go.com they do provide a free service if you wish to try.
smtp2go details:
ssmtp
apt install ssmtp -y
$EDITOR /etc/ssmtp/ssmtp.conf
mailhub=mail.smtp2go.com:587 AuthUser=noobwiki AuthPass=N0tTelinu UseSTARTTLS=YES FromLineOverride=YES hostname=completenoobs.com
Why use hostname=completenoobs.com
Do not use user@smtp2go.com as the sender address! you need an email address that has an MX record(mail exchanger record) at its domain name.
$EDITOR /etc/ssmtp/revaliases
root:admin@completenoobs.com:mail.smtp2go.com:587
usermod
usermod can be used to change the email senders name/address.
Instead of your mail coming from 'root' or 'ubuntu' or any other user account.
usermod -c "emailSenderName" <account_sending>
usermod -c "completenoobslxc" root
Send Test eMail
Create a file and add subject header and some content.
$EDITOR test-mail.txt
Subject:test email Hello You.
Save and Exit
Now send the email:
sendmail email@address2receive.mail < test-mail.txt
Don't forget to check your spam folder if you don't see email
Once tested and email sent, you can delete test-mail.txt.
rm test-mail.txt
sendmail notes
If the sendmail command locks your terminal and CTRL+c does not work
sendmail in verbose mode for more details:
Check mail logs for errors:
auto update container config
$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment
// "${distro_id}:${distro_codename}-updates";
"${distro_id}:${distro_codename}-updates";
Dont need auto reboot on container - no kernel - kernel shared with host.
email on update
$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades
Add email address to send email to:
//Unattended-Upgrade::Mail "";
Unattended-Upgrade::Mail "email@tosendto.com";
We are going to test are send mail, so for now change MailReport to "always"
//Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::MailReport "always";
Once i needed 'apticron' to get emails working with unattended upgrades:
Test with debug flag -d
unattended-upgrade -d
Once email alerts from auto updates has been tested and working, change MailReport back from 'always' to 'on-change', unless you want to be emailed at every update.
Install MediaWiki
apt install apache2 mysql-server php php-mysql libapache2-mod-php php-xml php-mbstring php-intl -y
wget https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.2.tar.gz
tar -xvf mediawiki-1.39.2.tar.gz
mv mediawiki-1.39.2 /var/www/html/mediawiki
Create Database
Will be prompted to set a root password!
mysql -u root -p
CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';
CREATE DATABASE mywiki_database;
use mywiki_database;
GRANT ALL ON mywiki_database.* TO 'green'@'localhost';
quit;
Make note of your: database name, username, userpassword
Create self-signed https certs
openssl req -x509 -newkey rsa:4096 -keyout key.pem -nodes -out cert.pem -days 365
Note: can leave blank; just press enter.
mv cert.pem /etc/ssl/certs/cn-selfsigned.crt
mv key.pem /etc/ssl/private/cn-selfsigned.key
Create ssl-params.conf
$EDITOR /etc/apache2/conf-available/ssl-params.conf
Remember to turn stapling on after letsencrypt cert
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder On # Disable preloading HSTS for now. You can use the commented out header line that includes # the "preload" directive if you understand the implications. # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache >= 2.4 SSLCompression off # May want to turn stapling off when using self-signed to avoid receiving errors in log SSLUseStapling off SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires Apache >= 2.4.11 SSLSessionTickets Off
Create Apache2 config
cd /etc/apache2/sites-available/
rm 000-default.conf default-ssl.conf
$EDITOR /etc/apache2/sites-available/completenoobs.com.conf
<VirtualHost *:80>
ServerName completenoobs.com
ServerAdmin admin@
# Redirect Requests to SSL
Redirect permanent "/" "https://IPADDRESS"
ErrorLog ${APACHE_LOG_DIR}/completenoobs.com.error.log
CustomLog ${APACHE_LOG_DIR}/completenoobs.com.access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName completenoobs.com
ServerAdmin admin@completenoobs.com
DocumentRoot /var/www/html/mediawiki
# According MWiki Manual:Security
php_flag register_globals off
ErrorLog ${APACHE_LOG_DIR}/completenoobs.com.error.log
CustomLog ${APACHE_LOG_DIR}/completenoobs.com.access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cn-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/cn-selfsigned.key
# need to find out what SSLCertificateChainFile is? explain is in the default-ssl.conf file.
#SSLCertificateChainFile /etc/ssl/certs/example.com.root-bundle.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
<Directory /var/www/html/wikimedia>
Options None FollowSymLinks
#Allow .htaccess
AllowOverride All
Require all granted
<IfModule security2_module>
SecRuleEngine Off
# or disable only problematic rules
</IfModule>
</Directory>
# According to MWiki Manual:Security
<Directory /var/www/html/wikimedia/images>
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php .phtml .php5
# Don't run arbitrary PHP code.
php_admin_flag engine off
# If you've other scripting languages, disable them too.
</Directory>
#According to MWiki Manual:Security
<Directory /var/www/html/wikimedia/images/deleted>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>
</VirtualHost>
</IfModule>
Reload Apache2
a2enmod ssl
a2enmod headers
a2ensite completenoobs.com
a2enconf ssl-params
apache2ctl configtest
systemctl restart apache2
MediaWiki Basic Setup
Landing page
Open a web browser and go to your containers private ip address (you can get ip address by running lxc list on host).
Are certs are self-signed and you may/will get warning "your connection is not private"
Click "Advance" and "Proceed to 10.194.171.251 (unsafe)"
You will now find yourself on the mediawiki setup landing page.
MediaWiki 1.35.0
LocalSettings.php not found.
Please set up the wiki first.
Click set up the wiki to be taken to the "mw-config/index.php" page.
Basic Configure MediaWiki
Language Page
Welcome to MediaWiki!
Connect to database - going to need the details from when you created the database.
Database Settings
Name
Options
LocalSettings.php Launch Wiki
When the Basic configuration of mediawiki is done on the webpage.
You will have a LocalSettings.php which will be downloaded from your browser.
You need to place the LocalSettings.php file into your containers /var/www/html/mediawiki/ directory.
You can do this from host using the lxc file push command.
lxc file push /home/$USER/Downloads/LocalSettings.php mediawiki/var/www/html/mediawiki/
Do not refresh browser it will download the LocalSettings.php again! go to the IP address of your container or just trim the mw-config/index.php?page=Complete
Now on your browser visit the page again https://10.194.171.251
And welcome to your wiki.
Change Logo
You need a 135px by 135px image, in this example its named 'completenoobs-logo.png'
lxc file push completenoobs-logo.png mediawiki/var/www/html/mediawiki/resources/assets/
Back in container edit the LocalSettings.php file
## The URL paths to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogos = [
'1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
'icon' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
];
Change to your new logo:
$wgLogos = [
'1x' => "$wgResourceBasePath/resources/assets/completenoobs-logo.png",
'icon' => "$wgResourceBasePath/resources/assets/completenoobs-logo.png",
];
Email Config
Warning i did get loads of spam bots, using this to send naughty emails everywhere!
Changed setting to block signups, requests only,and changed $wgEnableUserEmail to false and still the bots managed to send spam using my smtp account.
How they done this? Is beyond my understanding and i removed email from the wiki till i have more info on how to stop the spamming.
Was using mediawiki-1.35.0
$EDITOR /var/www/html/mediawiki/LocalSettings.php
Make sure $wgEnableEmail is set to true.
$wgEnableEmail = true;
https://www.mediawiki.org/wiki/Manual:$wgEnableEmail
$wgEmergencyContact = ""; $wgPasswordSender = "";
$wgEmergencyContact = "admin@completenoobs.com"; $wgPasswordSender = "admin@completenoobs.com";
$wgSMTP = [
'host' => 'ssl://mail.smtp2go.com', // outbox server of the email account
'IDHost' => 'completenoobs.com',
'port' => 465,
'username' => 'noobwiki', // user of the email account
'password' => 'N0tTelinu', // app password of the email account
'auth' => true
];
Request Account and Confirm Email to edit
In LocalSettings change $wgEmailAuthentication = false; to true
https://www.mediawiki.org/wiki/Manual:$wgEmailAuthentication
https://www.mediawiki.org/wiki/Extension:ConfirmAccount
wget https://extdist.wmflabs.org/dist/extensions/ConfirmAccount-REL1_39-2b96e90.tar.gz
tar xzf ConfirmAccount-REL1_39-2b96e90.tar.gz -C /var/www/html/mediawiki/extensions/
In LocalSettings.php
set $wgEmailAuthentication to true.
wfLoadExtension( 'ConfirmAccount' ); $wgConfirmAccountContact = 'admin@completenoobs.com';
Run maintenance update
php /var/www/html/mediawiki/maintenance/update.php
use Special:ConfirmAccounts to see if anyone requested a account.
And yep, your gonna get spammed! Bots love a wiki.
CookieWarning Extension
https://www.mediawiki.org/wiki/Extension:CookieWarning
wget https://extdist.wmflabs.org/dist/extensions/CookieWarning-REL1_39-778fe72.tar.gz
tar -xzf CookieWarning-REL1_39-778fe72.tar.gz -C /var/www/html/mediawiki/extensions/
In LocalSettings.php add:
wfLoadExtension( 'CookieWarning' ); $wgCookieWarningEnabled = 'true'; # $wgCookieWarningMoreUrl allows to to select a link for your moreinfo button $wgCookieWarningMoreUrl = 'https://www.completenoobs.com/link'; $wgCookieWarningEnabled = 'true';
To change message sign in with admin account and visit these pages of your wiki and edit.
MediaWiki:Cookiewarning-info Edit the display message.
https://10.194.171.251/index.php/MediaWiki:Cookiewarning-info
MediaWiki:Cookiewarning-moreinfo-label
Edit and change display of the moreinfo button: link can be made/changed at LocalSettings with:
$wgCookieWarningMoreUrl = 'https://www.completenoobs.com/link'
https://10.194.171.251/index.php/MediaWiki:Cookiewarning-moreinfo-label
MediaWiki:Cookiewarning-ok-label Edit and change the text on the OK button.
https://10.194.171.251/index.php/MediaWiki:Cookiewarning-ok-label
Contribution Scores Extension
https://www.mediawiki.org/wiki/Extension:Contribution_Scores
wget https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_39-0e7e99d.tar.gz
tar -xzf ContributionScores-REL1_39-0e7e99d.tar.gz -C /var/www/html/mediawiki/extensions
In LocalSettings.php add:
wfLoadExtension( 'ContributionScores' );
// Exclude Bots from the reporting - Can be omitted.
$wgContribScoreIgnoreBots = true;
// Exclude Blocked Users from the reporting - Can be omitted.
$wgContribScoreIgnoreBlockedUsers = true;
// Use real user names when available - Can be omitted. Only for MediaWiki 1.19 and later.
$wgContribScoresUseRealName = true;
// Set to true to disable cache for parser function and inclusion of table.
$wgContribScoreDisableCache = false;
// Each array defines a report - 7,50 is "past 7 days" and "LIMIT 50" - Can be omitted.
$wgContribScoreReports = [
[ 7, 50 ],
[ 30, 50 ],
[ 0, 50 ]
];
Add to Main Landing Page:
{{Special:ContributionScores/10/5}}
Place Notice at top of every new page created
Using the PageNotice Extension.
https://www.mediawiki.org/wiki/Extension:PageNotice#Configuration
Download PageNotice and extract to extensions directory.
in LocalSettings.php add the lines:
wfLoadExtension( 'PageNotice' ); $wgPageNoticeDisablePerPageNotices = 'true';
To have message in every name space go to your wiki's page
index.php/mediawiki:top-notice-ns-0
Only admin account can edit this page:
What you place in this page will be displayed at the top of every page created.
Privacy Policy
Holly $#$#$ this is a lot of work, looking into it
https://www.mediawiki.org/wiki/GDPR_(General_Data_Protection_Regulation)_and_MediaWiki_software
NewSignupPage
https://www.mediawiki.org/wiki/Extension:NewSignupPage
Big thanks to Shoutwiki.com or this would of been a very big pain.
Check for Latest link from the Download page https://www.mediawiki.org/wiki/Special:ExtensionDistributor/NewSignupPage
In mediawiki container:
wget https://extdist.wmflabs.org/dist/extensions/NewSignupPage-REL1_35-ecf00aa.tar.gz
tar xvf NewSignupPage-REL1_35-ecf00aa.tar.gz -C /var/www/html/mediawiki/extensions/
$EDITOR /var/www/html/mediawiki/LocalSettings.php
Add the Line:
wfLoadExtension( 'NewSignupPage' );
Change the Info given at signup at:
index.php/MediaWiki:Newsignuppage-loginform-tos
Default page will be:
I am over 13 years of age and I have read, understood and agree to be bound by the Terms of Service and Privacy Policy
"Terms of Service" and "Privacy Policy" are linked to there pages, so we need to create a few pages.
Need Privacy Policy Page
Create a 'Privacy_Policy' page and link on "MediaWiki:Newsignuppage-loginform-tos"
[[CompleteNoobs:Privacy_policy | Privacy Policy]]
Need Terms Of Service page
https://www.completenoobs.com/index.php/Terms_of_Service
once done change link on "MediaWiki:Newsignuppage-loginform-tos"
Content Policy Page
https://10.194.171.251/index.php/Content_Policy
Contains link to https://www.completenoobs.com/index.php/CompleteNoobs_Staff_Admins
Staff and Admin Page
https://10.194.171.251/index.php/CompleteNoobs_Staff_Admins
Linked from Content Policy Page! a place to contact by email staff, admins
General Disclaimer page
https://10.194.171.251/index.php/CompleteNoobs:General_disclaimer
This page shows/linked at bottom of wiki
Copyright Policy
https://10.194.171.251/index.php/CompleteNoobs:Copyrights
Copyrights page that shows in info box when making a post.
Fail2Ban
This Will Ban an IP who incorrectly enters wrong login details, a (you can select) amount of times for a (you can select) amount of time.
Fail2Log Extension
https://www.mediawiki.org/wiki/Extension:Fail2Log
Create Log file
Could not get PHP to create and set permissions for log file:
So for now doing manually!
touch /var/log/Fail2Log.log
chown www-data:www-data /var/log/Fail2Log.log
chmod 0755 /var/log/Fail2Log.log
Failed login's with wrong user name and/or password should now be logged in:/var/log/Fail2Log.log
Log Format:
Failed:<IP_ADDRESS> <DATE>
Download and install extension
wget https://github.com/greenhatmonkey/Fail2Log/blob/main/Fail2Log.tar.gz?raw=true
tar xzvf Fail2Log.tar.gz?raw=true -C /var/www/html/mediawiki/extensions/
Add to your LocalSettings.php
wfLoadExtension( 'Fail2Log' ); $wgFail2LogFile = '/var/log/Fail2Log.log';
Install and Setup Fail2Ban
Fail2Ban works in a container. If using fail2ban on Host for container:
Just include log path: /var/snap/lxd/common/mntns/var/snap/lxd/common/lxd/storage-pools/default/containers/<CONTAINER_NAME>/rootfs/var/log/Fail2Log.log
apt install fail2ban
- Fail2ban will use file.local over file.conf if file.local exists:
- file.conf can be written over if file2ban gets updated.
- Make a file.local of the file you are working on.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$EDITOR /etc/fail2ban/jail.local
Default /etc/fail2ban/jail.conf file: Expand to view
Default /etc/fail2ban/jail.local file with (almost all) comments removed:
/etc/fail2ban/jail.local with (almost) comments removed:[INCLUDES]
before = paths-debian.conf
[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5
maxmatches = %(maxretry)s
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
#
# ACTIONS
#
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
action = %(action_)s
#
# JAILS
#
#
# SSH servers
#
[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Disconnect/kick and ban an ip from list
Just below we are going to append these lines to /etc/fail2ban/jail.local
# Reject/Disconnect Connections that failed username password _action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp] actionx = %(_action_tcp_udp)s
Before Changes:
After Changes:
Jail for MediaWiki - /etc/fail2ban/jail.local
[mediawiki] enabled = true filter = mediawiki action = iptables-allports bantime = 1m maxretry = 2 logpath = /var/log/Fail2Log.log
Before:
After:
Filter for mediawiki
Regex quick up and running tutorial: External Link:(youtube)
$EDITOR /etc/fail2ban/filter.d/mediawiki.conf
[Definition] failregex = ^Failed:<HOST> ignoreregex =
Try out regex on log file
fail2ban-regex --print-all-matched /var/log/Fail2Log.log /etc/fail2ban/filter.d/mediawiki.conf
Restart Fail2Ban
systemctl restart fail2ban
fail2ban-client status
fail2ban-client status mediawiki
Now test by trying to login to your wiki with wrong password three times.
fail2ban regex and error checking
Check regex:
Debug Fail2Ban:
Change ban time After testing
$EDITOR /etc/fail2ban/jail.local
[mediawiki] enabled = true filter = mediawiki action = iptables-allports bantime = 1h maxretry = 20 logpath = /var/log/Fail2Log.log
Unban IP's
Get list of Jails:
fail2ban-client status
See banned ips by that jail:
fail2ban-client status <jailname>
Unban IP from jail:
fail2ban-client set <jailname> unbanip <ip_address>
Log File:
/var/log/Fail2Log.log
Moving To VPS
Create ssh key pair on local host
ssh-keygen -t rsa -b 4096 -C "MYSERVER" -f ~/.ssh/serverkey
You will be prompted to Enter a passphase, you can just press Enter for no passphase.
You will now have a file called serverkey and serverkey.pub in your /home/$USER/.ssh directory.
Now lets setup are server and move public key to server.
BACKUP YOUR PRIVATE KEY TO USB STICK OR SOMETHING!
serverkey.pubPUBLIC KEY
serverkeyPRIVATE KEY
Login to Server - ssh
Using Vultr i am going to deploy a Ubuntu 20.04 Server.
$10, 1 cpu, 2048MB ram, 55GB ssd, 2000GB Bandwidth.
I have been given the IP:192.248.145.129 and the Password:1R?o.gPasdaLz1w and with Vultr the default login/user is root
Lets move over the public key so we don't need a password to login:
ssh-copy-id -i ~/.ssh/serverkey root@192.248.145.129
Will be promted for server password, enter password: 1R?o.gPasdaLz1w
Now lets login with are private key.
ssh -i .ssh/serverkey root@192.248.145.129
Update Server
apt update && apt upgrade -y
The Server may need a restart, you will see this after updates if it does
*** System restart required ***
restart server and log back in after a minute.
reboot
Change default ssh port and disable plain text passwords
Log back into server
ssh -i .ssh/serverkey root@192.248.145.129
$EDITOR /etc/ssh/sshd_config
#Port 22
Port 7788
disable clear text passwords
#PasswordAuthentication yes
PasswordAuthentication no
restart sshd
systemctl restart sshd
Exit server and re-login
exit
Log back in with new port
ssh -p 7788 -i .ssh/serverkey root@192.248.145.129
Create ssh login shortcut:
Enable Basic FireWall
Block IPv6
$EDITOR /etc/default/ufw
Change the line
IPV6=yes
To
IPV6=no
Save and Exit
ufw allow 7788/tcp
ufw enable
Create Swap space on server
First check if you already have a swap space
First check if you already have a swap space
free -m
Returns:
total used free shared buff/cache available Mem: 1987 103 1655 2 228 1732 Swap: 0 0 0
Other methods to check swap space
Create SwapSpace
preallocate a 2 gigabyte space to be used for swap.
Note: you can name swapfile to anything you want.
fallocate -l 2G /swapfile
Initialize the /swapfile file with zeros - see "Working out the count size" to see how to work out the count size.
Working out the count size:
dd if=/dev/zero of=/swapfile bs=1024 count=2097152
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile Or swapon -a Or mount -a
append to /etc/fstab so its mounted after reboot.
$EDITOR /etc/fstab
And enter this in a new line at the bottom:
/swapfile swap swap defaults 0 0
and thats it, you can check swap with(or same other methods as above):
free -m
Returns:
total used free shared buff/cache available Mem: 1987 103 75 2 1808 1712 Swap: 2047 0 2047
ssmtp for email alerts
apt install ssmtp -y
$EDITOR /etc/ssmtp/ssmtp.conf
mailhub=mail.smtp2go.com:587 AuthUser=noobwiki AuthPass=N0tTelinu UseSTARTTLS=YES FromLineOverride=YES hostname=completenoobs.com
$EDITOR /etc/ssmtp/revaliases
root:admin@completenoobs.com:mail.smtp2go.com:587
usermod -c "CNWikiVPS" root
Send Test eMail
Create a file and add subject header and some content.
$EDITOR test-mail.txt
Subject:test email Hello You.
Save and Exit
Now send the email:
sendmail email@address2receive.mail < test-mail.txt
Don't forget to check your spam folder if you don't see email
Once tested and email sent, you can delete test-mail.txt.
rm test-mail.txt
auto update server
$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment (by removing // at start of line)and amend the lines we want:
// "${distro_id}:${distro_codename}-updates";
to
"${distro_id}:${distro_codename}-updates";
Add email address to send email to:
//Unattended-Upgrade::Mail "";
Unattended-Upgrade::Mail "email@tosendto.com";
We are going to test are send mail, so for now change MailReport to "always"
//Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::MailReport "always";
// Remove unused automatically installed kernel-related packages // (kernel images, kernel headers and kernel version locked tools). //Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; // Do automatic removal of newly unused dependencies after the upgrade //Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; // Do automatic removal of unused packages after the upgrade // (equivalent to apt-get autoremove) //Unattended-Upgrade::Remove-Unused-Dependencies "false"; // Automatically reboot *WITHOUT CONFIRMATION* if // the file /var/run/reboot-required is found after the upgrade //Unattended-Upgrade::Automatic-Reboot "false"; // Automatically reboot even if there are users currently logged in // when Unattended-Upgrade::Automatic-Reboot is set to true //Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; // If automatic reboot is enabled and needed, reboot at the specific // time instead of immediately // Default: "now" //Unattended-Upgrade::Automatic-Reboot-Time "02:00"; // Use apt bandwidth limit feature, this example limits the download // speed to 70kb/sec //Acquire::http::Dl-Limit "70";
Changed to
// Remove unused automatically installed kernel-related packages // (kernel images, kernel headers and kernel version locked tools). Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; // Do automatic removal of newly unused dependencies after the upgrade Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; // Do automatic removal of unused packages after the upgrade // (equivalent to apt-get autoremove) Unattended-Upgrade::Remove-Unused-Dependencies "true"; // Automatically reboot *WITHOUT CONFIRMATION* if // the file /var/run/reboot-required is found after the upgrade Unattended-Upgrade::Automatic-Reboot "true"; // Automatically reboot even if there are users currently logged in // when Unattended-Upgrade::Automatic-Reboot is set to true Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; // If automatic reboot is enabled and needed, reboot at the specific // time instead of immediately // Default: "now" Unattended-Upgrade::Automatic-Reboot-Time "04:00"; // Use apt bandwidth limit feature, this example limits the download // speed to 70kb/sec Acquire::http::Dl-Limit "500";
Test with debug flag -d
unattended-upgrade -d
Once email alerts from auto updates has been tested and working, change MailReport back from 'always' to 'on-change', unless you want to be emailed at every update.
Send Container to server
From host
scp -i ~/.ssh/serverkey -P 7788 mediawiki.lxc root@192.248.145.129:/root/
If you created a ssh shortcut in .ssh/config you can use:
scp mediawiki.lxc mediawikiserver:/root/
Once container transferred to server checksum to confirm
Do on Local and Server
sha256sum mediawiki.lxc
The checksum should be the same on both!
LXD setup on server
Check if lxd already installed.
lxd --version
snap install lxd
Initialize LXD
lxd init
all defaults
Would you like to use LXD clustering? (yes/no) [default=no]: Do you want to configure a new storage pool? (yes/no) [default=yes]: Name of the new storage pool [default=default]: Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]: Create a new ZFS pool? (yes/no) [default=yes]: Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: Size in GB of the new loop device (1GB minimum) [default=10GB]: Would you like to connect to a MAAS server? (yes/no) [default=no]: Would you like to create a new local network bridge? (yes/no) [default=yes]: What should the new bridge be called? [default=lxdbr0]: What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: Would you like the LXD server to be available over the network? (yes/no) [default=no]: Would you like stale cached images to be updated automatically? (yes/no) [default=yes] Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
Import Container
Note: If version of LXD on server is older than the one you are exporting from, you may see error Error: Failed importing backup: Failed creating instance record: Unknown configuration key: volatile.last_state.ready
To Fix this update your LXD
snap remove lxd
snap install lxd
lxd --version
lxd init
Import mediawiki container
lxc import mediawiki.lxc mediawiki
lxc list
lxc start mediawiki
lxc list
Returns:
+-----------+---------+-----------------------+------+-----------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------+---------+-----------------------+------+-----------+-----------+ | mediawiki | RUNNING | 10.207.119.233 (eth0) | | CONTAINER | 0 | +-----------+---------+-----------------------+------+-----------+-----------+
Note the Change of IP
Are Containers IP is now:10.207.119.233
Now for some reason changing the IP on /var/www/html/mediawiki/LocalSettings.php and the /etc/apache2/sites-available/completenoobs.com.conf does not really work on a VPS (Forgot how i fixed this last time, pretty sure i got it workin a few years back).
You need a DNS name:
DNS
Domain Name System: An index that connects an ip address with a more human readable name(website name):
Like a phone book would index a persons name with a phone number.
If you have a domain name for your wiki, point it to your server's ip address.
This will be required for a letsencrypt cert also.
I am using namecheap.com and on the Advanced DNS Page
Add two Type A Records:
| Type | Host | Ip address | TTL |
| A record | @ | 192.248.145.129 | auto |
| A record | www | 192.248.145.129 | auto |
Change IP on config files
Login to conatiner and change IP's to Domain Name
lxc exec mediawiki bash
$EDITOR /etc/apache2/sites-available/completenoobs.com.conf
Redirect permanent "/" "https://10.3.45.233"
Redirect permanent "/" "https://www.completenoobs.com"
$EDITOR /var/www/html/mediawiki/LocalSettings.php
$wgServer = "https://10.3.45.233";
$wgServer = "https://www.completenoobs.com";
systemctl restart apache2
Use IPTables to forward traffic to container
iptable syntax
These commands to be done on host VPS and NOT in container!
Get out of container exit
Network interface=enp1s0
Find you network interface name:
VPS Global IP=192.248.145.129
Container IP=10.207.119.233
iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 443 -j DNAT --to-destination 10.207.119.233:443 -m comment --comment "forward real ip to container"
iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 80 -j DNAT --to-destination 10.207.119.233:80 -m comment --comment "forward real ip to container"
The new rules for your iptable will not persistent after a reboot.
Create systemd service to load firewall rules at startup:
$EDITOR /usr/local/bin/lxc-mediawiki-rules
#!/bin/bash iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 443 -j DNAT --to-destination 10.207.119.233:443 -m comment --comment "forward real ip to container" iptables -t nat -I PREROUTING -i enp1s0 -p TCP -d 192.248.145.129 --dport 80 -j DNAT --to-destination 10.207.119.233:80 -m comment --comment "forward real ip to container"
chmod +x /usr/local/bin/lxc-mediawiki-rules
$EDITOR /etc/systemd/system/lxcip.service
[Unit] Description = apply ip rules at startup [Service] Type=oneshot ExecStart=/usr/local/bin/lxc-mediawiki-rules [Install] WantedBy=multi-user.target
systemctl enable lxcip
LXC proxy method:
Visit webpage and check all working
Visit the domain you selected
www.completenoobs.com
Should be up and running.
NOTE: We did not need to allow port 443 or 80 on VPS host.
Check Iptables persist for restart, by rebooting server!
reboot
Give it a minute or 2 and check website again.
LetsEncrypt
Log back into server
ssh mediawikiserver
Log into container
lxc exec mediawiki bash
Install certbot
snap install certbot --classic
Backup Apache2 config file
cp /etc/apache2/sites-available/completenoobs.com.conf /etc/apache2/sites-available/completenoobs.com.conf.bk
Create Cert
certbot --apache -d www.completenoobs.com -d completenoobs.com
And Certbot broke are apache2 configs, and thats why we back up!
ls /etc/letsencrypt/live/www.completenoobs.com/
cp /etc/letsencrypt/live/www.completenoobs.com/fullchain.pem /etc/ssl/certs/cn-selfsigned.crt
cp /etc/letsencrypt/live/www.completenoobs.com/privkey.pem /etc/ssl/private/cn-selfsigned.key
rm /etc/apache2/sites-available/completenoobs.com-le-ssl.conf /etc/apache2/sites-available/completenoobs.com.conf
cp /etc/apache2/sites-available/completenoobs.com.conf.bk /etc/apache2/sites-available/completenoobs.com.conf
Turn SSLUseStapling on
$EDITOR /etc/apache2/conf-available/ssl-params.conf
SSLUseStapling off
Change to:
SSLUseStapling on
Restart apache
systemctl restart apache2
Now check your site on browser.
Useful Notes - tips
Forgot your Admin Password
Can use for any user:
php /var/www/html/mediawiki/maintenance/changePassword.php --user=admin --password=newpassword
Make Wiki Read Only
Add to LocalSettings.php:
$wgReadOnly = 'Read Only';
Restrict account creation on wiki
Add to LocalSettings.php:
$wgGroupPermissions['*']['createaccount'] = false;
Only Admin accounts can edit
Add to LocalSettings.php:
$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['user']['edit'] = false; $wgGroupPermissions['sysop']['edit'] = true;
Protect a page so only admin can edit
At the top of the page when logged in with admin account, click More.
A drop down of three opitions: Delete, Move, Protect.
Clicking Protect will not allow any non admin from editing the page.
| Read | Edit | View history | (STAR) | More |
Make User an Admin
go to special pages
With Admin Account go to:
index.php/Special:SpecialPages
List of users can be found here:
index.php/Special:ListUsers
Go to:
index.php/Special:UserRights
And enter username:
Groups you can change
And rest is self explanatory.
Remove admin rights
Same thing, just untick admin rights!
Upgrading MediaWiki
BACK SURE YOU BACKUP FIRST!!! just in case.
This example update 1.35 to 1.36 from 1.36 onwards php-intl is required.
Download the wiki you are going to upgrade to.
https://releases.wikimedia.org/mediawiki/1.36/
cd /root
wget https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.1.tar.gz
In LocalSettings.php put in readonly mode
$EDITOR /var/www/html/mediawiki/LocalSettings.php
$wgReadOnly = "Upgrading";
tar xvzf mediawiki-1.36.1.tar.gz -C /var/www/html/mediawiki --strip-components=1
php /var/www/html/mediawiki/maintenance/update.php
Returns:
Error: Missing one or more required components of PHP. You are missing a required extension to PHP that MediaWiki needs. Please install: * intl <https://www.php.net/intl>
apt install php-intl
php /var/www/html/mediawiki/maintenance/update.php
And thats it.
If you do get an error:
MediaWiki 1.36 internal error Installing some PHP extensions is required.
Required components You are missing a required extension to PHP that MediaWiki requires to run. Please install:
intl (more information)
Then reboot the container and its all fine after.
Backup your Wiki
LXC Snapshots
Easy way, backup the container using snapshot
lxc snapshot mediawiki beforeupgrade_11_12_2020
To see snapshots
lxc info mediawiki
To restore container to snapshot
lxc restore mediawiki beforeupgrade_11_12_2020
To delete a snapshot
lxc delete mediawiki/beforeupgrade_11_12_2020
Export a Snapshot
lxc snapshot mediawiki testsnap
lxc publish mediawiki/testsnap --alias mediawiki-backup-20-07-2021
lxc image export mediawiki-backup-20-07-2021
you end up with a file named after the sha256sum
a23ee82572e5f14aabd4b59d6c7bc7923fe88f30f83b776401871e237b554ceb.tar.gz
NOTE:You can change name from a23ee82572e5f14aabd4b59d6c7bc7923fe88f30f83b776401871e237b554ceb.tar.gz
to something like mediawiki-backup-20-07-2021.tar.gz and restore will still work fine.
can now delete image
lxc image delete mediawiki-backup-20-07-2021
Import Snapshot
Move to another computer and install init lxd
lxc image import a23ee82572e5f14aabd4b59d6c7bc7923fe88f30f83b776401871e237b554ceb.tar.gz --alias testrestore
lxc launch testrestore mediarestore
lxc list
lxc exec mediarestore bash
Change IP in LocalSettings and apache config and restart apache.
And your up and running.
you can also delete image on new restore computer:
lxc image delete testrestore
Dump mediawiki database - xml
Log into container root dir
lxc exec NAME bash
In container of wiki:
php /var/www/html/mediawiki/maintenance/dumpBackup.php --full > /root/dump_mediawiki.xml
Exit container
exit
Pull file to host
lxc file pull NAME/root/dump_mediawiki.xml wiki-dump.xml
automate xml dumps to server
TIP: Create an scp only account on server first
$EDITOR /usr/local/bin/auto-export.sh
#!/bin/bash
set -x
time_stamp=$(date '+%d_%m_%y')
dumps_dir="/var/www/dumps"
noobs_dir="/var/www/html/noobs"
local_settings="$noobs_dir/LocalSettings.php"
wiki_dump_dir="$dumps_dir/$time_stamp.Noobs"
xmlkey="/root/.ssh/xmlkey"
remote_host="rscp@xml.completenoobs.com"
remote_path="/home/rscp/media/"
function ensure_read_only_line_exists {
if ! grep -q "wgReadOnly" "$local_settings"; then
cat <<EOF >> "$local_settings"
\$wgReadOnly = 'Dumping Database, Access will be restored shortly';
EOF
fi
}
function set_wiki_read_only {
sed -i 's/^#*\(\$wgReadOnly\)/\1/' "$local_settings"
}
function unset_wiki_read_only {
sed -i 's/^\(\$wgReadOnly\)/#\1/' "$local_settings"
}
function create_directories {
mkdir -p "$dumps_dir"
mkdir -p "$wiki_dump_dir"
}
function dump_wiki {
php "$noobs_dir/maintenance/dumpBackup.php" --full > "$wiki_dump_dir/$time_stamp.Noobs.xml"
}
function generate_checksums {
md5sum "$wiki_dump_dir/$time_stamp.Noobs.xml" > "$wiki_dump_dir/$time_stamp.md5sum.txt"
sha256sum "$wiki_dump_dir/$time_stamp.Noobs.xml" > "$wiki_dump_dir/$time_stamp.sha256sum.txt"
}
function push_to_remote {
scp -i /root/.ssh/xmlkey -r /var/www/dumps/$time_stamp.Noobs rscp@xml.completenoobs.com:/home/rscp/media/
#rsync -avz -e "ssh -i $xmlkey" "$wiki_dump_dir" "$remote_host:$remote_path"
}
# Main script
ensure_read_only_line_exists
create_directories
set_wiki_read_only
dump_wiki
generate_checksums
unset_wiki_read_only
push_to_remote
chmod +x /usr/local/bin/auto-export.sh
add to cron to export every 5 days
crontab -e
30 3 */5 * * /usr/local/bin/auto-export.sh
Will export at 3:30 am every 5 days, check Ubuntu Cron Quick start for more info
Import Dump
Create Quick local wiki
Import dump
lxc file push wiki-dump.xml localwiki/root/
lxc exec localwiki bash
Restore dump
php /var/www/html/mediawiki/maintenance/importDump.php --conf /var/www/html/mediawiki/LocalSettings.php /root/wiki-dump.xml
php /var/www/html/mediawiki/maintenance/rebuildrecentchanges.php
php /var/www/html/mediawiki/maintenance/initSiteStats.php
php /var/www/html/mediawiki/maintenance/rebuildall.php
Everything apart from index.php/Main_Page restored.
Full Wiki Dump and Restore
Backing up
Making your wiki READ ONLY - will lock database
$EDITOR LocalSettings.php
$wgReadOnly = 'Dumping Database, Access will be restored shortly';
Dump and gzip database for transport
will be prompted for password:
mysqldump -h localhost --default-character-set=binary --no-tablespaces -u green -p mywiki_database | gzip > /root/greenwiki.sql.gz
ALt method for dump(password in cmd):
php /var/www/html/mediawiki/maintenance/dumpBackup.php --full > /root/dump_mediawiki.xml
Back mediawiki Root Directory.
tar cvzhf /root/mediawiki-rootDir.tgz /var/www/html/mediawiki
All into one file for easy transport.
cd /root/
tar cvzhf mediawiki-transfer.tgz mediawiki-rootDir.tgz greenwiki.sql.gz dump_mediawiki.xml
All file in mediawiki-transfer.tgz for transfer to new server
exit Container
exit
lxc file pull mediawiki/root/mediawiki-transfer.tgz mediawiki.bk.tgz
Restore wiki
create container (backupwiki) and push file
lxc file push mediawiki.bk.tgz backupwiki/root/
login to container
apt update && apt upgrade -y
apt install apache2 mysql-server php php-mysql libapache2-mod-php php-xml php-mbstring php-intl -y
tar xvf mediawiki.bk.tgz
tar xvf mediawiki-rootDir.tgz -C /
Create basebase:
NOTE: If you use diff username, passwd, database_name, append/correct details on LocalSettings.
mysql -u root
CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';
CREATE DATABASE mywiki_database;
use mywiki_database;
GRANT ALL ON mywiki_database.* TO 'green'@'localhost';
quit;
gunzip -d greenwiki.sql.gz
mysql -u green -p mywiki_database < greenwiki.sql
php /var/www/html/mediawiki/maintenance/importDump.php --conf /var/www/html/mediawiki/LocalSettings.php /root/dump_mediawiki.xml
php /var/www/html/mediawiki/maintenance/rebuildrecentchanges.php
php /var/www/html/mediawiki/maintenance/initSiteStats.php
php /var/www/html/mediawiki/maintenance/rebuildall.php
Config Apache2
$EDITOR /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
DocumentRoot /var/www/html/mediawiki
</VirtualHost>
Reload Apache2
systemctl restart apache2
EmbedVideo
https://www.mediawiki.org/wiki/Extension:EmbedVideo
apt install unzip
wget https://gitlab.com/hydrawiki/extensions/EmbedVideo/-/archive/v2.9.0/EmbedVideo-v2.9.0.zip
unzip EmbedVideo-v2.9.0.zip -d /var/www/html/mediawiki/extensions/
mv /var/www/html/mediawiki/extensions/EmbedVideo-v2.9.0 /var/www/html/mediawiki/extensions/EmbedVideo
$EDITOR /var/www/html/mediawiki/LocalSettings.php
#Embed Video wfLoadExtension( 'EmbedVideo' );
Remove Index.php From URL
How to remove the Index.php from URL
SpamBot Wars
Bit busy now, notes to look into later:
https://www.mediawiki.org/wiki/Extension:Nuke
https://www.mediawiki.org/wiki/Manual:Preventing_access
https://www.mediawiki.org/wiki/Extension:ConfirmAccount
https://www.mediawiki.org/wiki/Extension:InviteSignup
Well the bots won for now - Disable eMail function for all related options in LocalSettings.php
$wgEnableEmail = false;
Or just stop users sending email with:
$wgEnableUserEmail = false;
Notes
Syntax highlighting not working
Install pygments
apt install python3-pygments
Add to LocalSettings:
wfLoadExtension( 'SyntaxHighlight_GeSHi' );