So, you may recall that when I was setting up my Apache / NGINX setup, I ended up giving up on reverse proxying to Apache, and I was pretty sure the main issue was with the WordPress blog setup on https://flyingflux.net enforcing the URL in a way that broke all sorts of dynamic content.
I’ve now reinforced that belief by successfully reverse-proxying an Apache-hosted wiki, https://bangdash.space/wiki/, aka TangoWiki!
My initial use case was to play through that classic 90’s point and click adventure game Discworld. I’m using a SCUMMVM copy through Lutris to play it, because even if I could find the original CD I bought all those years ago, it’s not much use on a Linux box.
Thus, https://bangdash.space/wiki/games/discworld. I’m only in the early stages of the game so far, and haven’t explored all the locations yet.
From a tech perspective, there were a few challenges getting this wiki up and running as it is. First, I had to get DokuWiki installed and working on an inaccessible port, and the first trouble I had was that I tried reusing a port number from my flyingflux.net adventures, which had poisoned my Chromium browser with 301 Permanently Moved HTTP response codes. There doesn’t seem to be any way to get Chromium/Chrome to forget those redirects. They expire after about a year, apparently.
The second problem was the Ubuntu packaging of DokuWiki. They split the original distribution up into about four different locations, and then get the file permissions wrong. I ended up grabbing a copy of their Apache .conf file, removing the Ubuntu package, and just dumping an entire DokuWiki distribution at the alias location.
The weird thing in the setup is that as far as Apache is concerned, it has no idea what the site name is. It just answers any requests it gets on its port as best it can. Then both Apache and nginx are set up so that urls with /wiki get handled by Apache, while Nginx handles the TLS/SSL encryption. Dokuwiki has a plugin for LDAP authentication that’s part of the core installation, which is one of the main features I wanted. It also stores all pages as text files, rather than using a database, so it’s very easy to back up!
I am getting occasional leaking of internal LAN traffic through to a direct connection to Apache, so that’s something I need to clean up. External users should get an error in that case.
I couldn’t see an easy way to set up user accounts other than through LDAP, so I have instead added a Discussion plugin, which lets people who aren’t Users make comments on a page, which the site Users can then take into account when making future page edits. I’ve just now found the Chained Auth Plugin, which does exactly what I hoped for as far as allowing non-LDAP user registration. I’ll probably set that up next week.
Here’s the relevant portions of NGINX and Apache conf files:
/etc/nginx/sites/bangdash.space.conf (partial)
location /wiki {
proxy_pass http://220.233.90.45:9999;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
Port 9999 (not the real number) has a internal hairpin redirection so that traffic from the server makes it back to itself, and LAN clients can use the server’s external IP address. External requests to that port are blocked by my firewall.
/etc/apache2/sites/9999-default.conf
<VirtualHost *:9999>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html-defaults
<Ifmodule mod_fcgid.c>
# FCGID registers a handler named fcgid-script
AddHandler fcgid-script .php
Options +ExecCGI
FcgidWrapper /usr/local/bin/php-fcgid-wrapper
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
/etc/apache2/sites/dokuwiki.conf
Alias /wiki /var/www/wiki/
<LocationMatch "/(data|conf|bin|inc|vendor)/">
Order allow,deny
Deny from all
Satisfy All
</LocationMatch>
<Directory /var/www/wiki/>
Options +FollowSymLinks
AllowOverride All
order allow,deny
Allow from localhost all
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /wiki
RewriteRule ^lib - [L]
RewriteRule ^doku.php - [L]
RewriteRule ^feed.php - [L]
RewriteRule ^_media/(.*) lib/exe/fetch.php?media=$1 [QSA,L]
RewriteRule ^_detail/(.*) lib/exe/detail.php?media=$1 [QSA,L]
RewriteRule ^_export/([^/]+)/(.*) doku.php?do=export_$1&id=$2 [QSA,L]
RewriteRule ^$ doku.php [L]
RewriteRule (.*) doku.php?id=$1 [QSA,L]
</IfModule>
</Directory>
9999-Default.conf defines a extremely basic Apache host with no server name, pointing to a nearly empty directory. External requests will only be passed to this server when they have the /wiki URL, so what pages are in html-defaults are never visible externally. I can use them for testing the web server, though.
dokuwiki.conf is taken from the Ubuntu package, with just the security LocationMatch section added as per the DokuWiki Security page to keep all the access where DokuWiki wants it. The “IfModule mod_rewrite.c” section makes for slightly nicer URLs as you move around the wiki, such as that link to my Discworld page above.