MediaWiki

Install
First create a dedicated partition for the database:

    lvcreate -L 2g -n mysql_lv /dev/system
    lvdisplay /dev/system/mysql_lv
    mkfs.xfs /dev/system/mysql_lv
    echo "/dev/system/mysql_lv /var/lib/mysql xfs defaults,nosuid,nodev 0 0" >> /etc/fstab

    mkdir -p /var/lib/mysql
    mount /var/lib/mysql
    chown mysql:mysql /var/lib/mysql
    restorecon -R /var/lib/mysql

Enable the following additional repositories:
 * EPEL
 * IUS

Install all prerequisites, such as Apache, MySQL/MariaDB and PHP:

    yum install -y httpd mod_ssl elinks mariadb mariadb-server \
        php72u-cli mod_php72u php72u-mysqlnd php72u-gd php72u-ldap php72u-intl \
        php72u-xml php72u-mbstring php72u-json ImageMagick python-pygments

Proceed with the MySQL/MariaDB configuration and database creation:

    sed -i '/^\[mysqld\]/a open_files_limit = 8192\nmax_connections = 1000\nmax_allowed_packet = 64M' /etc/my.cnf.d/server.cnf

    systemctl enable mariadb.service
    systemctl start mariadb.service

    mysqladmin --user=root password somepassword
    mysqladmin --user=root --password reload
    mysqladmin --user=root --password create wikidb
    mysql --user=root --password wikidb
    mysql> GRANT ALL ON wikidb.* TO wikiuser@localhost IDENTIFIED BY 'somepassword';
    mysql> flush privileges;
    mysql> quit

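Set different parameters for PHP and for the OpenLDAP client library it uses (TLS_REQCERT never turns off validation of the LDAP server certificate):

    echo '
    TLS_REQCERT    never
    ' >> /etc/openldap/ldap.conf

    echo 'expose_php = Off
    date.timezone = Europe/Zurich' >> /etc/php.d/50-custom.ini
    restorecon -F /etc/php.d/50-custom.ini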

    echo '
    <Location /server-status>
        SetHandler server-status
        Require host localhost
    </Location>
    ' > /etc/httpd/conf.d/server-status.conf

Configure the web server:

    echo '
    # When running a reverse proxy only,
    # do not allow forward proxy requests
    ProxyRequests Off

    # Disable TRACE method
    TraceEnable off

    # Restrict Server Banner
    ServerTokens Prod

    # Restrict HTTP methods
    <Location />
        AllowMethods GET POST
    </Location>

    # Limits
    # LimitRequestBody    102400
    LimitRequestFields     100
    LimitRequestFieldSize 8190
    LimitRequestLine      8190
    LimitXMLRequestBody  51200

    # SSL
    SSLStrictSNIVHostCheck on
    SSLProtocol             all -SSLv3
    SSLCipherSuite         HIGH:!MEDIUM:!LOW:!MD5:!RC4:!3DES:!DSS:!aNULL:!eNULL:!EXP
    SSLHonorCipherOrder    on
    SSLCompression          off
    # SSLSessionTickets     off
    SSLProxyEngine         off
    SSLOptions +StdEnvVars
    SSLOptions +StdEnvVars
    ' > /etc/httpd/conf.d/httpd-sec.conf

    cat > /etc/httpd/conf.d/wiki.intranet.example.com.conf <<'EOF'
    <VirtualHost *:80>
        ServerName wiki.intranet.example.com
        ServerAlias wiki.example.com
        # Document Root
        DocumentRoot "/var/www/html/wiki"
        # Log
        ErrorLog logs/wiki.intranet.example.com-error_log
        CustomLog logs/wiki.intranet.example.com-access_log combined
        # Security Headers
        #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        # Append the flag to the cookies set by the application
        Header edit Set-Cookie ^(.*)$ "$1; HTTPOnly"
        # Force the use of HTTPS
        RewriteEngine on
        RewriteCond   %{HTTPS} !=on
        RewriteRule  ^(.*) https://%{SERVER_NAME} [L,R]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName wiki.intranet.example.com
        ServerAlias wiki.example.com
        # Document Root
        DocumentRoot "/var/www/html/wiki"
        # Log
        ErrorLog logs/wiki.intranet.example.com-error_log
        CustomLog logs/wiki.intranet.example.com-access_log combined
        # SSL config
        SSLEngine on
        SSLCertificateFile      /etc/pki/tls/certs/wiki.intranet.example.com.crt
        SSLCertificateKeyFile  /etc/pki/tls/private/wiki.intranet.example.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/wiki.intranet.example.com.chain
        # Security Headers
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        # Append the flags to the cookies set by the application
        Header edit Set-Cookie ^(.*)$ "$1; secure; HTTPOnly"
    </VirtualHost>
    EOF

    systemctl enable httpd.service
    systemctl start httpd.service
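Once httpd is running, the response headers show whether the settings above took effect. The following check is an added example, not part of the original page; the function name audit_headers and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare response headers with the hardening configured above.
# Usage on the server: curl -sI https://wiki.intranet.example.com/ | audit_headers
# Prints one FAIL line per unmet check; returns 0 only if all checks pass.
audit_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')   # header names are case-insensitive
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    has()  { printf '%s\n' "$hdrs" | grep -Eq "$1"; }
    cookie_lacks() {   # true if any Set-Cookie line is missing attribute $1
        printf '%s\n' "$hdrs" | grep '^set-cookie:' |
            grep -Evq ";[[:space:]]*$1(;|\$)"
    }
    has '^strict-transport-security:.*max-age=31536000; includesubdomains' ||
        fail 'HSTS header missing or different from the configured value'
    has '^x-frame-options:[[:space:]]*sameorigin' || fail 'X-Frame-Options is not SAMEORIGIN'
    has '^x-content-type-options:[[:space:]]*nosniff' || fail 'X-Content-Type-Options is not nosniff'
    # ServerTokens Prod reduces the banner to "Server: Apache"
    if has '^server:.*[0-9]'; then fail 'Server banner discloses a version'; fi
    # expose_php = Off suppresses X-Powered-By
    if has '^x-powered-by:'; then fail 'X-Powered-By is present'; fi
    # Cookies served by the HTTPS virtual host need both flags
    if cookie_lacks secure; then fail 'cookie without Secure'; fi
    if cookie_lacks httponly; then fail 'cookie without HttpOnly'; fi
    [ "$fails" -eq 0 ]
}

# Constructed sample responses (not captured from a real server)
GOOD='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: wikidb_session=0123abcd; path=/; secure; HttpOnly'
BAD='HTTP/1.1 200 OK
Server: Apache/2.4.0 (Unix) PHP/7.2.0
X-Powered-By: PHP/7.2.0
X-Frame-Options: SAMEORIGIN
Set-Cookie: wikidb_session=0123abcd; path=/; HttpOnly'

printf '%s' "$GOOD" | audit_headers && echo "GOOD sample: all checks pass"
printf '%s' "$BAD"  | audit_headers || echo "BAD sample: hardening incomplete"
```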

Decompress the package downloaded from the official website:

    mkdir -p /var/www/html/wiki
    tar xfz mediawiki-*.tar.gz -C /var/www/html/wiki --strip-components=1
    rm mediawiki-*.tar.gz
    cp mylogo.png /var/www/html/wiki/resources/assets/

Set the correct permissions:

    chown -R root:apache /var/www/html/wiki
    chmod -R a+r,ug+w   /var/www/html/wiki/images

Apply the following changes to SELinux:

    setsebool -P httpd_can_connect_ldap 1
    setsebool -P httpd_can_network_connect 1
    setsebool -P httpd_can_sendmail 1

    restorecon -R /var/www
    restorecon -R /var/lib/mysql

    semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/wiki/images(/.*)?"
    restorecon -RF /var/www/html/wiki/images

Start the web installation: https://wiki.intranet.example.com/mw-config/index.php
 * Your language: en - English
 * Wiki language: en - English
 * Database type: MySQL (or compatible)
 * Database host: localhost
 * Database name: wikidb
 * Database table prefix:
 * Database username: wikiuser
 * Database password: ********
 * Database account for web access: Use the same account as for installation
 * Storage engine: InnoDB
 * Database character set: Binary
 * Name of wiki: Example Wiki
 * Project namespace: Same as the wiki name
 * Administrator username: WikiSysop
 * Administrator password: ********
 * Administrator Email address: admin@example.com
 * User rights profile: Account creation required
 * Copyright and license: No license footer
 * Email settings: Disable outbound email
 * Skins: Vector (Use this skin as default)
 * Extensions: ParserFunctions, Renameuser, SyntaxHighlight_GeSHi, WikiEditor
 * Images and file uploads: Enable file uploads
 * Directory for deleted files: /var/www/html/wiki/images/deleted
 * Logo URL: $wgResourceBasePath/resources/assets/mylogo.png
 * Settings for object caching: No caching

Install and configure some extensions:

    ls Extensions/*/*.tar.gz | while read EXT
    do
        tar xfz "${EXT}" -C /var/www/html/wiki/extensions/
    done

    rpm --import Extensions/CirrusSearch/GPG-KEY-elasticsearch
    rpm -Uhv Extensions/CirrusSearch/elasticsearch-*.rpm
    systemctl daemon-reload
    systemctl enable elasticsearch.service
    systemctl start elasticsearch.service
    chmod a+x Extensions/CirrusSearch/composer.phar
    cp -p Extensions/CirrusSearch/composer.phar /usr/local/bin/composer
    restorecon -F /usr/local/bin/composer
    cd /var/www/html/wiki/extensions/Elastica
    composer install --no-dev
    cd -
    php /var/www/html/wiki/extensions/CirrusSearch/maintenance/updateSearchIndexConfig.php
    php /var/www/html/wiki/extensions/CirrusSearch/maintenance/forceSearchIndex.php --skipLinks --indexOnSkip
    php /var/www/html/wiki/extensions/CirrusSearch/maintenance/forceSearchIndex.php --skipParse
    echo "\$wgNamespacesToBeSearchedDefault[NS_CATEGORY] = true;
    wfLoadExtension( 'Elastica' );
    require_once( 'extensions/CirrusSearch/CirrusSearch.php' );
    \$wgSearchType = 'CirrusSearch';
    \$wgDisableSearchUpdate = false;
    " >> /var/www/html/wiki/LocalSettings.php

    echo "require_once( 'extensions/LdapAuthentication/LdapAuthentication.php' );
    \$wgAuth                  = new LdapAuthenticationPlugin;
    \$wgLDAPDomainNames        = array('prod.example.com');
    \$wgLDAPServerNames        = array('prod.example.com' => 'ldap01.example.com ldap02.example.com');
    \$wgLDAPSearchStrings      = array('prod.example.com' => 'USER-NAME@example.com');
    \$wgLDAPSearchAttributes   = array('prod.example.com' => 'sAMAccountName');
    \$wgLDAPBaseDNs            = array('prod.example.com' => 'dc=example,dc=ch');
    # 'clear': plain LDAP without SSL or StartTLS
    \$wgLDAPEncryptionType     = array('prod.example.com' => 'clear');
    \$wgLDAPUseLocal           = false;
    \$wgMinimalPasswordLength  = 1;
    \$wgLDAPDebug              = 0;
    \$wgDebugLogGroups['ldap'] = 'images/Debug_LDAP.log';
    " >> /var/www/html/wiki/LocalSettings.php

    yum install -y nodejs
    cp Extensions/VisualEditor/parsoid.service /usr/lib/systemd/system/parsoid.service
    tar xfz Extensions/VisualEditor/parsoid-0.8.1all.tgz -C /
    if [ ! -L "/etc/init.d" ]; then
        mv /etc/init.d/parsoid /etc/rc.d/init.d/
        rmdir /etc/init.d
        ln -s rc.d/init.d /etc/init.d
    fi
    sed -i -e "s+uri: 'http://localhost/w/api.php'+uri: 'https://wiki.intranet.example.com/api.php'+g" \
           -e "s+#strictSSL: false+strictSSL: false+g" \
           /etc/mediawiki/parsoid/config.yaml
    groupadd --system parsoid
    useradd --system --home-dir /usr/lib/parsoid --no-create-home --gid parsoid parsoid
    restorecon -F /etc/default/parsoid
    restorecon -F /etc/logrotate.d/parsoid
    restorecon -RF /etc/mediawiki
    restorecon -F /usr/lib/systemd/system/parsoid.service
    restorecon -RF /usr/lib/parsoid
    restorecon -RF /usr/share/doc/parsoid
    systemctl daemon-reload
    systemctl enable parsoid
    systemctl start parsoid
    echo "wfLoadExtension( 'VisualEditor' );
    \$wgDefaultUserOptions['visualeditor-enable']             = 1;
    \$wgDefaultUserOptions['visualeditor-enable-experimental'] = 0;
    \$wgVisualEditorAutoAccountEnable = 1;
    \$wgVisualEditorDisableForAnons   = 1;
    \$wgVisualEditorShowBetaWelcome   = 0;
    \$wgVirtualRestConfig['modules']['parsoid'] = array(
            'url'    => 'http://localhost:8142',
            'domain' => 'localhost',
            'prefix' => 'localhost'
    );
    " >> /var/www/html/wiki/LocalSettings.php

    echo "wfLoadExtension( 'intersection' );
    " >> /var/www/html/wiki/LocalSettings.php

    echo "# Disable anonymous account registration
    \$wgGroupPermissions['*']['createaccount']    = false;
    \$wgGroupPermissions['*']['autocreateaccount'] = true;
    # Allowed permissions for bureaucrat users
    \$wgGroupPermissions['bureaucrat']['delete']   = true;
    \$wgGroupPermissions['bureaucrat']['move']     = true;
    \$wgGroupPermissions['bureaucrat']['rollback'] = true;
    \$wgGroupPermissions['bureaucrat']['validate'] = true;
    # Allowed extensions for uploading files
    \$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg', 'doc', 'xls', 'ppt', 'pdf', 'mm', 'crt', 'zip');
    # Add file:// protocols
    \$wgUrlProtocols[] = 'file://' ;
    # Pygmentize Path for SyntaxHighlight_GeSHi
    \$wgPygmentizePath = '/usr/bin/pygmentize';
    " >> /var/www/html/wiki/LocalSettings.php

    cd /var/www/html/wiki
    php maintenance/update.php --quick

    chown -R root:apache /var/www/html/wiki
    chmod -R a+r,ug+w   /var/www/html/wiki/images

SELinux:

    restorecon -RF /var/www
    restorecon -RF /var/lib/mysql

Update
Back up the MediaWiki files:

    rm -rf /var/www/html/wiki.bkp
    cp -pr /var/www/html/wiki /var/www/html/wiki.bkp

Back up the MediaWiki database:

    /opt/bin/mysql_backup.sh
    ls -lah /opt/backup/mysql-databases.sql

Update MediaWiki:

    tar xfz mediawiki-*.tar.gz -C /var/www/html/wiki --strip-components=1
    cd /var/www/html/wiki
    php maintenance/update.php --quick

Update MediaWiki extensions:

    ls Extensions/*/*.tar.gz | while read EXT
    do
        tar xfz "${EXT}" -C /var/www/html/wiki/extensions/
    done

    systemctl stop elasticsearch.service
    rpm -Uhv Extensions/CirrusSearch/elasticsearch-*.rpm
    systemctl daemon-reload
    systemctl start elasticsearch.service
    chmod a+x Extensions/CirrusSearch/composer.phar
    cp -p Extensions/CirrusSearch/composer.phar /usr/local/bin/composer
    restorecon -F /usr/local/bin/composer
    cd /var/www/html/wiki/extensions/Elastica
    composer install --no-dev
    cd -
    php /var/www/html/wiki/extensions/CirrusSearch/maintenance/updateSearchIndexConfig.php --startOver
    php /var/www/html/wiki/extensions/CirrusSearch/maintenance/forceSearchIndex.php

Reset the correct permissions:

    chown -R root:apache /var/www/html/wiki
    chmod -R a+r,ug+w   /var/www/html/wiki/images

SELinux:

    restorecon -RF /var/www
    restorecon -RF /var/lib/mysql

MySQL/MariaDB daily backup
    echo '#
    # MySQL/MariaDB daily backup
    #
    0 3 * * * /opt/bin/mysql_backup.sh' >> /var/spool/cron/root

    echo '
    [mysqldump]
    user=root
    password=********
    ' >> ~/.my.cnf

    chmod go= ~/.my.cnf
    mkdir -p /opt/backup

    echo '#!/bin/bash
    #
    # MySQL/MariaDB databases backup script
    #
    # Note: password is retrieved from ~/.my.cnf
    #
    DUMPDIR=/opt/backup
    DUMPOPT="--all-databases"
    DBUSER=root
    MAILTO=admin@example.com
    mysqldump --user $DBUSER $DUMPOPT > $DUMPDIR/mysql-databases.sql
    if [ $? -ne 0 ]; then
        echo "MySQL/MariaDB databases backup failed." | mail -s "MySQL/MariaDB daily backup on $(hostname -f)" $MAILTO
    fi
    ' > /opt/bin/mysql_backup.sh

    chmod a+x /opt/bin/mysql_backup.sh
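The script above redirects mysqldump straight into mysql-databases.sql, so a failed run truncates the previous dump, and the file is created with the default umask. The following variant of the dump step is an added example, not part of the original page: the function name safe_dump, the DUMP_CMD override and the fake_* stand-ins are hypothetical and exist only so the logic can be run without a database.

```shell
#!/bin/sh
# Added example: failure-safe variant of the dump step in mysql_backup.sh.
# DUMP_CMD is a hypothetical override used to exercise the function without a
# database; when unset, the same mysqldump call as in the script above is run.
safe_dump() {
    dumpdir=$1
    target="$dumpdir/mysql-databases.sql"
    tmp="$target.tmp.$$"
    old_umask=$(umask)
    umask 077    # the dump holds every database, including account tables
    # mysqldump ends a complete dump with a "-- Dump completed" comment line
    if ${DUMP_CMD:-mysqldump --user root --all-databases} > "$tmp" &&
       tail -n 1 "$tmp" | grep -q '^-- Dump completed'; then
        mv -f "$tmp" "$target"    # rename is atomic within one filesystem
        rc=0
    else
        rm -f "$tmp"              # the previous good dump stays in place
        rc=1
    fi
    umask "$old_umask"
    return "$rc"
}

# Constructed stand-ins for mysqldump (sample output, not real dumps)
fake_ok()   { echo 'CREATE TABLE t (id INT);'; echo '-- Dump completed on 2020-01-01  3:00:00'; }
fake_fail() { echo 'CREATE TABLE t (id INT);'; return 2; }

demo_dir=$(mktemp -d)
DUMP_CMD=fake_ok
safe_dump "$demo_dir" && echo "dump written"
DUMP_CMD=fake_fail
safe_dump "$demo_dir" || echo "dump failed, previous file kept"
rm -rf "$demo_dir"
unset DUMP_CMD
```

In mysql_backup.sh the return status of safe_dump /opt/backup would take the place of the $? test that triggers the mail.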

Elastica / CirrusSearch
To list the indexes in ElasticSearch:

    curl -XGET 'localhost:9200/_cat/indices?v&pretty'

    health status index                     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
    green  open   wikidb_general_first      PUH74ALWRAGAFShTzYEVpQ   4   0         20            0     17.7kb         17.7kb
    green  open   mw_cirrus_metastore_first PcG7AqqVQdKVt999dGUATQ   1   0          3            2     10.9kb         10.9kb
    green  open   wikidb_content_first      V7kH77JhSCO_cY-Q06XgeA   4   0          3            0     38.1kb         38.1kb

To delete an index from ElasticSearch:

    curl -XDELETE 'localhost:9200/wikidb_content_BadIndex?pretty'

To perform a search directly on ElasticSearch:

    curl -XGET 'localhost:9200/_search?q=hello&pretty'
