Re: [Wikitech-l] Integrating Parsoid & RESTbase into a secure MediaWiki Install

2017-02-22 Thread John P. New
To wrap this up, I managed to get SSL to RESTbase working, but using CPanel 
AutoSSL instead of LetsEncrypt. AutoSSL and LetsEncrypt are similar services 
but I used AutoSSL because my main mediawiki install is served on CPanel.

In a nutshell, I
1) Created a sub-domain, mw.mywikidomain.com. The associated SSL certificate was 
automatically created.
2) Pointed the DNS entry for mw.mywikidomain.com to my home server IP address
3) Exported the certificate and key entries into an stunnel install running on 
my home server and listening on port 7232.
4) Changed the $wgVisualEditorRestbaseURL and $wgVisualEditorFullRestbaseURL to 
point to https://mw.mydomain.com:7232/mywikidomain.com/v1/page/html/ and 
https://mw.mydomain.com:7232/mywikidomain.com/, respectively.

Thanks for the help.

John

On February 22, 2017 10:14:54 AM John P. New wrote:
> Thanks to a couple of members of this list I was able to get Visual Editor 
> working on my WikiMedia install.
> 
> Now I would like to run the wiki under SSL. Of course, as soon as I do, my 
> browser complains of mixed content from the RESTbase server and won't load VE 
> at all.
> 
> I am running MediaWiki 1.28 on a shared host, which means no access to 
> node.js. So in order to run Parsoid and RESTbase I have installed both on my 
> home server. As such, I have no way of getting a trusted SSL certificate for 
> it; the most I could do is a self-signed certificate, which I am sure will 
> cause as many browser complaints as the current mixed-content does.
> 
> My question is, what is the likelihood of getting this configuration to work 
> under SSL?
> 
> John


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
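
An added example, not part of any poster's message and not MediaWiki or RESTBase code: a preflight check for the two browser failures this thread discusses, a plaintext RESTBase URL loaded by an HTTPS wiki (mixed content) and a URL host that the certificate does not name. The function names, hostnames, ports and URLs are constructed placeholders.

```python
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """Certificate-name match: exact, or '*.' covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return pattern == host


def check_restbase_url(wiki_origin, restbase_url, cert_dns_names):
    """List scheme and certificate-name problems for a VisualEditor RESTBase URL.

    Checks only the URL scheme and whether the URL's host is one of the DNS
    names in the certificate; it does not check who issued the certificate.
    """
    problems = []
    wiki, rb = urlsplit(wiki_origin), urlsplit(restbase_url)
    if wiki.scheme == "https" and rb.scheme != "https":
        problems.append("mixed-content")
    if rb.scheme == "https":
        # The browser compares the name in the URL with the certificate,
        # not the IP address that the name resolves to.
        host = rb.hostname or ""
        if not any(name_matches(name, host) for name in cert_dns_names):
            problems.append("cert-name-mismatch")
    return problems


# Constructed sample values (assumptions, not taken from the thread).
WIKI = "https://wiki.example.org"
CERT_NAMES = ["mw.example.org"]
SAMPLES = [
    "http://mw.example.org:7231/wiki.example.org/v1/",   # plaintext endpoint
    "https://203.0.113.10:7232/wiki.example.org/v1/",    # raw IP in the URL
    "https://mw.example.org:7232/wiki.example.org/v1/",  # TLS, named host
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, check_restbase_url(WIKI, url, CERT_NAMES) or "ok")
```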

Re: [Wikitech-l] Integrating Parsoid & RESTbase into a secure MediaWiki Install

2017-02-22 Thread Gergo Tisza
On Wed, Feb 22, 2017 at 7:14 AM, John P. New wrote:

> I am running MediaWiki 1.28 on a shared host, which means no access to
> node.js. So in order to run Parsoid and RESTbase I have installed both on
> my home server. As such, I have no way of getting a trusted SSL certificate
> for it; the most I could do is a self-signed certificate, which I am sure
> will cause as many browser complaints as the current mixed-content does.
>

VE calls are proxied through the wiki; you can serve them in SSL but make
the wiki -> Parsoid server calls in plaintext.
That said, you should definitely use Let's Encrypt; it's very easy to set
up and you have one less script injection / cookie stealing vulnerability.

Re: [Wikitech-l] Integrating Parsoid & RESTbase into a secure MediaWiki Install

2017-02-22 Thread John P. New
I had thought of LetsEncrypt, but I was under the (mistaken) impression that 
SSL certificates are bound to the IP address as well as the hostname of the 
server. Upon further investigation, I see that SSL certificates are not IP 
address dependent.

I'll give it a try, thanks.

On February 22, 2017 04:57:30 PM Alex Monk wrote:
> You can get a trusted cert for your home server. Look into LetsEncrypt.
> 
> On 22 Feb 2017 3:15 pm, "John P. New" wrote:
> 
> > Thanks to a couple of members of this list I was able to get Visual Editor
> > working on my WikiMedia install.
> >
> > Now I would like to run the wiki under SSL. Of course, as soon as I do, my
> > browser complains of mixed content from the RESTbase server and won't load
> > VE at all.
> >
> > I am running MediaWiki 1.28 on a shared host, which means no access to
> > node.js. So in order to run Parsoid and RESTbase I have installed both on
> > my home server. As such, I have no way of getting a trusted SSL certificate
> > for it; the most I could do is a self-signed certificate, which I am sure
> > will cause as many browser complaints as the current mixed-content does.
> >
> > My question is, what is the likelihood of getting this configuration to
> > work under SSL?
> >
> > John



Re: [Wikitech-l] Integrating Parsoid & RESTbase into a secure MediaWiki Install

2017-02-22 Thread Alex Monk
You can get a trusted cert for your home server. Look into LetsEncrypt.

On 22 Feb 2017 3:15 pm, "John P. New" wrote:

> Thanks to a couple of members of this list I was able to get Visual Editor
> working on my WikiMedia install.
>
> Now I would like to run the wiki under SSL. Of course, as soon as I do, my
> browser complains of mixed content from the RESTbase server and won't load
> VE at all.
>
> I am running MediaWiki 1.28 on a shared host, which means no access to
> node.js. So in order to run Parsoid and RESTbase I have installed both on
> my home server. As such, I have no way of getting a trusted SSL certificate
> for it; the most I could do is a self-signed certificate, which I am sure
> will cause as many browser complaints as the current mixed-content does.
>
> My question is, what is the likelihood of getting this configuration to
> work under SSL?
>
> John

[Wikitech-l] Integrating Parsoid & RESTbase into a secure MediaWiki Install

2017-02-22 Thread John P. New
Thanks to a couple of members of this list I was able to get Visual Editor 
working on my WikiMedia install.

Now I would like to run the wiki under SSL. Of course, as soon as I do, my 
browser complains of mixed content from the RESTbase server and won't load VE 
at all.

I am running MediaWiki 1.28 on a shared host, which means no access to node.js. 
So in order to run Parsoid and RESTbase I have installed both on my home 
server. As such, I have no way of getting a trusted SSL certificate for it; the 
most I could do is a self-signed certificate, which I am sure will cause as 
many browser complaints as the current mixed-content does.

My question is, what is the likelihood of getting this configuration to work 
under SSL?

John
