10

I need a MediaWiki installation to require the use of https (and reject normal http). I've spent 2 hours looking. Setting $wgServer doesn't work and closing port 80 in httpd.conf doesn't work either.

My wiki installation is run on an Apache server.

user1258361

3 Answers

8

I've just done this on Ubuntu 14 (for the first time today, so there may be a better way!) by setting

$wgServer = "//myhostname.com/mediawiki";

This makes the server name "protocol relative" so it works with either HTTP or HTTPS. You can probably just set it to https://... though.

Then configure apache2 to redirect all HTTP traffic to HTTPS:

Edit the default SSL configuration (this assumes you are just using the default site):

sudo vim /etc/apache2/sites-available/default-ssl.conf

to read something like:

# Redirect HTTP to HTTPS
<VirtualHost *:80>
     ServerAdmin admin@example.com
     ServerName example.com

     Redirect permanent / https://example.com/
</VirtualHost>

# Normal HTTPS config for default site
<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/apache.pem
     SSLCertificateKeyFile /etc/apache2/ssl/apache.key

     ServerAdmin admin@example.com
     ServerName example.com
     DocumentRoot /var/www/html/
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable the default SSL site, if you haven't already (this creates a link from sites-enabled to sites-available)

sudo a2ensite default-ssl

This assumes that you have already obtained an SSL certificate (I generated a self-signed one) which has been placed in /etc/apache2/ssl/apache.pem and /etc/apache2/ssl/apache.key as referenced in the config above.

Finally get apache to use the new config:

sudo service apache2 restart

(Or reload may be enough)

DNA
  • How would this answer change ***if*** we wanted `example.com` directed to `www.example.com`; *and* then make everything HTTPS? (I tried to set up the same configuration from similar Questions and Answers. I thought it was correct, but MediaWiki logins are broken (everything else is OK). Now I am here trying to "enable HTTPS for Mediawiki by default"). – jww Nov 06 '16 at 01:36
  • I wonder why this "protocol-relative" syntax is not the default! Thanks for saving me today :) – lensovet Nov 07 '16 at 07:21
7

My answer assumes that you already have Apache listening for https traffic on port 443. If that's not the case, you need to set that up first. The procedure will be different depending on what operating system you are running.


You want to do this in Apache. On my Ubuntu system, there's a file /etc/apache2/ports.conf which contains the following line:

Listen 80

You will have a similar config file that contains that line. Delete it, and don't forget to restart Apache.


Another way to accomplish this, which allows for more complex Apache configurations where you allow HTTP access to some parts of the site, is to use a .htaccess file in your MediaWiki directory. Try this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

We Are All Monica
  • Does this ensure that the wiki will not set the login/search form to post to http? – Doncho Gunchev Sep 04 '15 at 10:47
  • 1
    > Another way to accomplish this ... // This is what worked for me perfectly. – kghbln Dec 03 '18 at 08:49
  • 7 years later... a redirect (`RewriteRule`) is definitely the better way to do this. Disabling port 80 is not a good idea because you want people to be able to type in the domain name without `https://`. – We Are All Monica Jul 17 '19 at 04:00
1

Given that your web server is set up to support https in general, insert or update the following line in your LocalSettings.php configuration file of MediaWiki:

$wgForceHTTPS = true;

This redirects all queries using http to https and is an alternative to a redirect rule in the web-server configuration.

See also:

phispi
  • I think this is the best answer. Also, make sure to set $wgServer to use "https://". If $wgServer starts with "http://", an exception will be thrown. – relayman357 Dec 08 '21 at 18:55
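
A check that applies to any of the three approaches above (the Apache `Redirect`, the `.htaccess` rewrite, or `$wgForceHTTPS`), added here as an example and not taken from any of the answers: it judges the response to a plain-HTTP request and lists form targets on a page that would still submit over HTTP. The hostname `wiki.example.com`, the sample HTML and the function names are constructed for illustration.

```python
# Added example, not code from the answers. Hostnames and HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def redirect_problems(status, location, allowed_hosts):
    """Judge the response a server gave to a plain http:// request."""
    problems = []
    if status not in (301, 302, 303, 307, 308):
        problems.append(f"status {status} is not a redirect")
    target = urlsplit(location or "")
    if target.scheme != "https":
        problems.append(f"Location {location!r} is not an https:// URL")
    elif target.hostname not in allowed_hosts:
        problems.append(f"redirect goes to unexpected host {target.hostname!r}")
    return problems


class _FormActions(HTMLParser):
    """Collect form targets that would submit over anything but HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.insecure = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        # A missing or relative action inherits the scheme of the page itself.
        action = urljoin(self.page_url, dict(attrs).get("action") or "")
        if urlsplit(action).scheme != "https":
            self.insecure.append(action)


def insecure_form_actions(page_url, html):
    """Return the resolved action URLs of forms that would not post over HTTPS."""
    parser = _FormActions(page_url)
    parser.feed(html)
    return parser.insecure


# Constructed sample of what a wiki page served over HTTPS might contain.
SAMPLE_PAGE = """
<form action="/index.php?title=Special:UserLogin" method="post"></form>
<form action="//wiki.example.com/index.php" id="searchform"></form>
<form action="http://wiki.example.com/index.php" id="legacy"></form>
"""

if __name__ == "__main__":
    print(redirect_problems(302, "http://wiki.example.com/", {"wiki.example.com"}))
    print(insecure_form_actions("https://wiki.example.com/wiki/Main_Page", SAMPLE_PAGE))
```

Feed it the status and `Location` header returned for an `http://` request to the wiki, plus the HTML of the login page fetched over HTTPS.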