
Simplest way to get MediaWiki to require HTTPS on all pages?

I need a MediaWiki installation to require the use of https (and reject normal http). I've spent 2 hours looking. Setting $wgServer doesn't work and closing port 80 in httpd.conf doesn't work either.

My wiki installation is run on an Apache server.

user1258361 asked Jun 12 '12 13:06


3 Answers

Given that your web server is set up to support https in general, insert or update the following line in your LocalSettings.php configuration file of MediaWiki:

$wgForceHTTPS = true;

This redirects all queries using http to https and is an alternative to a redirect rule in the web-server configuration.

See also:

  • $wgForceHTTPS
  • MediaWiki HTTPS Manual

phispi answered Nov 10 '22 07:11


I've just done this on Ubuntu 14 (for the first time today, so there may be a better way!) by setting

$wgServer = "//myhostname.com/mediawiki";

This makes the server name "protocol relative" so it works with either HTTP or HTTPS. You can probably just set it to https://... though.

Then configure apache2 to redirect all HTTP traffic to HTTPS:

Edit the default SSL configuration (this assumes you are just using the default site):

sudo vim /etc/apache2/sites-available/default-ssl.conf

to read something like:

# Redirect HTTP to HTTPS
<VirtualHost *:80>
     # placeholder contact address
     ServerAdmin webmaster@example.com
     ServerName example.com

     # Every path under / is sent to the same path on the HTTPS site
     Redirect permanent / https://example.com/
</VirtualHost>

# Normal HTTPS config for default site
<VirtualHost *:443>
     SSLEngine On
     # Certificate and private key referenced in the text below
     SSLCertificateFile /etc/apache2/ssl/apache.pem
     SSLCertificateKeyFile /etc/apache2/ssl/apache.key

     # placeholder contact address
     ServerAdmin webmaster@example.com
     ServerName example.com
     DocumentRoot /var/www/html/
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable the default SSL site, if you haven't already (this creates a link from sites-enabled to sites-available):

sudo a2ensite default-ssl

This assumes that you have already obtained an SSL certificate (I generated a self-signed one) which has been placed in /etc/apache2/ssl/apache.pem and /etc/apache2/ssl/apache.key as referenced in the config above.

Finally, get Apache to use the new config:

sudo service apache2 restart

(Or reload may be enough)

DNA answered Nov 10 '22 08:11


My answer assumes that you already have Apache listening for https traffic on port 443. If that's not the case, you need to set that up first. The procedure will be different depending on what operating system you are running.


You want to do this in Apache. On my Ubuntu system, there's a file /etc/apache2/ports.conf which contains the following line:

Listen 80

You will have a similar config file that contains that line. Delete it, and don't forget to restart Apache.


Another way to accomplish this, which allows for more complex Apache configurations where you allow HTTP access to some parts of the site, is to use a .htaccess file in your MediaWiki directory. Try this:

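RewriteEngine On
# Only act on requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# Send them to the same host and path over HTTPS
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}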

We Are All Monica answered Nov 10 '22 09:11
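
A way to confirm that whichever of the setups above you chose really rejects or redirects plain HTTP, added here as an example and not taken from any of the answers: the function reads the response headers of a plain-HTTP request (as printed by `curl -sI`) and checks for a redirect to HTTPS on the expected host. The function name, the sample headers and the example.com/mediawiki URL are assumptions.

```sh
#!/bin/sh
# Added example, not from the answers above.
# check_https_redirect HOST   (hypothetical helper; headers are read from stdin)
# Returns 0 for a redirect to https://HOST/..., 1 when plain HTTP is still
# served or the redirect goes elsewhere, 2 when nothing answered at all
# (for example after removing "Listen 80").
check_https_redirect() {
    want_host=$1
    headers=$(tr -d '\r')                      # HTTP header lines end in CRLF
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    if [ -z "$status" ]; then
        echo "NO-RESPONSE: nothing answered over plain HTTP"
        return 2
    fi
    case $status in
        301|308)     kind=permanent ;;
        302|303|307) kind=temporary ;;
        *) echo "FAIL: status $status, content is served over plain HTTP"
           return 1 ;;
    esac
    case $location in
        "https://$want_host"|"https://$want_host"/*) ;;
        https://*) echo "FAIL: redirect leaves $want_host: $location"
                   return 1 ;;
        *) echo "FAIL: redirect is not HTTPS: ${location:-no Location header}"
           return 1 ;;
    esac
    echo "OK: $kind redirect ($status) to $location"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://example.com/mediawiki/index.php'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
SAMPLE_WRONG_SCHEME='HTTP/1.1 302 Found
Location: http://example.com/mediawiki/index.php'

# Live use against your own wiki:
#   curl -sI http://example.com/mediawiki/ | check_https_redirect example.com
```

Run it against several wiki URLs (the main page, a deep article link, `api.php`), since an .htaccess rule only covers the directory it sits in.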