!mduWVRtKzYinVAelXP:matrix.org

MWStake General

131 Members
MediaWiki Stakeholders' Group general discussion

5 Mar 2021
[19:33:42] hexmode (@hexmode:matrix.org): If anyone uses Lockdown, I wrote up some notes on $wgNamespacePermissionLockdown vs $wgActionLockdown. Feedback welcome.
[20:38:25] hexmode (@hexmode:matrix.org): rootless docker documentation that freephile mentioned: https://docs.docker.com/engine/security/rootless/
[20:39:36] rundg (@freephile:matrix.org): See, I wasn't dreaming! /me makes note to read those docs again since I don't remember any of the details
[21:02:56] hexmode (@hexmode:matrix.org): Looks similar to what podman does with subuid + subgid
[21:04:23] hexmode (@hexmode:matrix.org): rootless containers are good for development and don't require a daemon
[21:05:19] hexmode (@hexmode:matrix.org): podman has lots of info on integrating with systemd which I find very useful
[21:06:32] hexmode (@hexmode:matrix.org): hmmm.... looks like rootless docker still wants a docker daemon
[21:06:53] hexmode (@hexmode:matrix.org): which seems superfluous
[22:12:51] rundg (@freephile:matrix.org): I'm getting a 404 when trying to use Visual Editor on 1.35 behind an Nginx reverse proxy
[22:13:27] rundg (@freephile:matrix.org): specifically, the debug log says this: [http] GET: http://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Welcome_to_PegaWiki/14066?redirect=false&stash=true [VisualEditor] ApiParsoidTrait::requestRestbase: Received HTTP 404 from RESTBase
[22:14:26] rundg (@freephile:matrix.org): (note the http instead of https) but... that URL is perfectly returned if I request it in the browser (Nginx forwards it to https)
[22:16:24] rundg (@freephile:matrix.org):

Immediately after, in the debug log, there is another error about SqlBagOStuff

    [MessageCache] MessageCache using store SqlBagOStuff
    [DBQuery] SqlBagOStuff::fetchBlobMulti [0s] db: SELECT keyname,value,exptime FROM objectcache WHERE keyname = 'pega:messages:en'
    [DBQuery] SqlBagOStuff::fetchBlobMulti [0s] db: SELECT keyname,value,exptime FROM objectcache WHERE keyname = 'pega:messages:en:status'
    [DBQuery] SqlBagOStuff::lock [0s] db: SELECT GET_LOCK('pega:messages:en', 0) AS lockstatus
    [SQLBagOStuff] SqlBagOStuff::lock failed due to timeout for pega:messages:en.
[22:17:42] rundg (@freephile:matrix.org): FYI, I'm not using RESTBase, so I don't know why that's the error message. Maybe it's just a red herring
[22:20:22] rundg (@freephile:matrix.org): the v1 and v3 REST URLs both work
[22:20:27] rundg (@freephile:matrix.org): https://sandbox1-pcw-wiki.pega.com/rest.php/v1/page/Main_Page
[22:20:46] rundg (@freephile:matrix.org): https://sandbox1-pcw-wiki.pega.com/rest.php/sandbox1-pcw-wiki.pega.com/v3/page/html/Main%20Page/2916
[22:21:08] rundg (@freephile:matrix.org): (just pasting for inspection of URLs, but the wiki is behind a firewall)
[22:30:50] rundg (@freephile:matrix.org): noticed that $wgCanonicalServer was set to use http; changing that to https changes the error to: Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK
[22:31:14] rundg (@freephile:matrix.org): so, I think maybe I'm getting somewhere
[22:31:56] rundg (@freephile:matrix.org): Since it's using curl internally, I guess I need to focus on the proper setup of MediaWiki over SSL behind a reverse proxy
6 Mar 2021
[19:18:48] SeriousFun01 (@serious_fun:matrix.org) left the room.
7 Mar 2021
[14:58:38] rundg (@freephile:matrix.org): I use a GoDaddy certificate, so I'm trying to configure curl on both the host and the container.
[15:05:17] rundg (@freephile:matrix.org): https://curl.se/docs/sslcerts.html
8 Mar 2021
[16:39:41] hexmode (@hexmode:matrix.org): freephile: Interesting. I'm surprised you, being "freephile" and all, don't use EFF's LetsEncrypt
[17:21:26] rundg (@freephile:matrix.org): It's for $work
[17:52:22] rundg (@freephile:matrix.org): I almost involuntarily gave up my breakfast when I had to utter GoDadd... 🤮
[20:14:59] hexmode (@hexmode:matrix.org): Even $CLIENTs like free security :)
9 Mar 2021
[02:12:40] rundg (@freephile:matrix.org):

I finally solved this. While Apache will run fine if you just provide a certificate key and the service certificate, the OpenIDConnect client (and apparently VisualEditor too) run their curl requests as an unprivileged user (www-data). So, you must configure Apache with an intermediate certificate chain file too.

    SSLCertificateFile      /etc/ssl/private/gd-ucc-wiki.pega.com.crt
    SSLCertificateChainFile /etc/ssl/private/gd-ucc-bundle-wiki.pega.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/gd-ucc-wiki.pega.com.key

And, those files must be readable by www-data, so although the directory given in my example above says 'private', I had to chmod a+x the directory (which was previously mode 0600).

I guess this took me so long to realize because my Apache error logging was so verbose as to render it useless, and I was focussed on the messages coming from Visual Editor instead of the MediaWiki logs. (Had to turn off the job queue because that was filling debug.log faster than you can read.)
[02:19:49] rundg (@freephile:matrix.org): @c
[02:20:26] rundg (@freephile:matrix.org):

cicalese: For the curious, there is a pretty good error message from Pluggable Auth

    [PluggableAuth] Class name: OpenIDConnect
    Jumbojett\OpenIDConnectClientException: Curl error: error setting certificate verify locations:
      CAfile: /etc/ssl/private/gd-ucc-wiki.pega.com.crt
      CApath: /etc/ssl/certs in /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1052
