Sender | Message | Time |
---|---|---|
5 Mar 2021 | ||
hexmode | If anyone uses Lockdown, I wrote up some notes on $wgNamespacePermissionLockdown vs $wgActionLockdown. Feedback welcome. | 19:33:42 |
hexmode | rootless docker documentation that freephile mentioned: https://docs.docker.com/engine/security/rootless/ | 20:38:25 |
rundg | See, I wasn't dreaming! /me makes note to read those docs again since I don't remember any of the details | 20:39:36 |
hexmode | Looks similar to what podman does with subuid + subgid | 21:02:56 |
hexmode | rootless containers are good for development and don't require a daemon | 21:04:23 |
hexmode | podman has lots of info on integrating with systemd which I find very useful | 21:05:19 |
hexmode | hmmm.... looks like rootless docker still wants a docker daemon | 21:06:32 |
hexmode | which seems superfluous | 21:06:53 |
rundg | I'm getting a 404 when trying to use Visual Editor on 1.35 behind an Nginx reverse proxy | 22:12:51 |
rundg | specifically, the debug log says this: [http] GET: http://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Welcome_to_PegaWiki/14066?redirect=false&stash=true [VisualEditor] ApiParsoidTrait::requestRestbase: Received HTTP 404 from RESTBase | 22:13:27 |
rundg | (note the http instead of https) but... that URL is perfectly returned if I request it in the browser (Nginx forwards it to https) | 22:14:26 |
rundg | Immediately after, in the debug log, there is another error about SqlBagOStuff [MessageCache] MessageCache using store SqlBagOStuff | 22:16:24 |
rundg | FYI, I'm not using RESTBase, so I don't know why that's the error message. Maybe it's just a red herring | 22:17:42 |
rundg | the v1 and v3 REST URLs both work | 22:20:22 |
rundg | https://sandbox1-pcw-wiki.pega.com/rest.php/v1/page/Main_Page | 22:20:27 |
rundg | https://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Main%20Page/2916 | 22:20:46 |
rundg | (just pasting for inspection of URLs, but the wiki is behind a firewall) | 22:21:08 |
rundg | noticed that $wgCanonicalServer was set to use http; changing that to https changes the error to: Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK | 22:30:50 |
rundg | so, I think maybe I'm getting somewhere | 22:31:14 |
rundg | Since it's using curl internally, I guess I need to focus on the proper setup of MediaWiki over SSL behind a reverse proxy | 22:31:56 |
6 Mar 2021 | ||
SeriousFun01 left the room. | | 19:18:48 |
7 Mar 2021 | ||
rundg | I use a GoDaddy certificate, so I'm trying to configure curl on both the host and the container. | 14:58:38 |
rundg | https://curl.se/docs/sslcerts.html | 15:05:17 |
8 Mar 2021 | ||
hexmode | freephile: Interesting. I'm surprised you, being "freephile" and all, don't use EFF's LetsEncrypt | 16:39:41 |
rundg | It's for $work | 17:21:26 |
rundg | I almost involuntarily gave up my breakfast when I had to utter GoDadd... 🤮 | 17:52:22 |
hexmode | Even $CLIENTs like free security :) | 20:14:59 |
9 Mar 2021 | ||
rundg | I finally solved this. While Apache will run fine if you just provide a certificate key and the service certificate, the OpenIDConnect client (and apparently VisualEditor too) run their curl requests as an unprivileged user (www-data). So, you must configure Apache with an intermediate certificate chain file too. And, those files must be readable by www-data, so although the directory given in my example above says 'private', I had to chmod a+x the directory (which was previously mode 0600). I guess this took me so long to realize because my Apache error logging was so verbose as to render it useless, and I was focused on the messages coming from Visual Editor instead of the MediaWiki logs. (Had to turn off the job queue because that was filling debug.log faster than you can read.) | 02:12:40 |
rundg | @c | 02:19:49 |
rundg | cicalese: For the curious, there is a pretty good error message from Pluggable Auth | 02:20:26 |