субота, 15 травня 2010 р.

Securing mediawiki

It is described here how to configure mediawiki for:
- use https with mutual authentication;
- use single sign on by client certificates.

At first, enable mod_ssl on apache:

a2enmod ssl

Then add to apache configuration file httpd.conf next strings:
SSLEngine on

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

SSLCACertificateFile /etc/apache2/ssl/ca.crt

SSLCARevocationFile /etc/apache2/ssl/crl.pem

SSLVerifyClient require
SSLVerifyDepth 1

< Location />
SSLRequire (%{SSL_CLIENT_S_DN_OU} eq "infosec" )
< /Location>

Then disable http-server on apache:

a2dissite default

and edit ports.conf:

#NameVirtualHost *:80 - comment or delete
#Listen 80 - comment or delete

After this restart apache:

apache2ctl graceful

To configure SSL authentication on mediawiki using certificate CN as username you need to add these strings in your apache config:

< Directory "/var/lib/mediawiki/">
Options None
AllowOverride None
Order allow,deny
Allow from all
SSLRequire %{SSL_CLIENT_S_DN} =~ m/.*serialNumber=$/
< /Directory>

Then you need to use SSLAuthPlugin.php from guide: http://www.mediawiki.org/wiki/Extension:SSL_authentication depends on your version of mediawiki and add in LocalSettings.php these strings:

#Load SSLAuthPlugin

#Feel free to use extra PHP code to munge the variables if you'd like
#Additionally if you wish to only map some of the name data, set this to true
#and either blank ssl_RN and ssl_email or comment them out entirely.
$ssl_map_info = false;

#Ssssh.... quiet down errors
#$olderror = error_reporting(E_ALL ^ E_NOTICE);

#Map Real Name from certificate
#Can be DN but is it right?

#MW username is required to map to something
#You should beware of possible namespace collisions, it is best to chose
#something that will not violate MW's usual restrictions on characters

#Just using Firstname + Lastname (CN) from Certificate 'will' make collisions... but what to use?
#UN could be md5-hash of DN, but its ugly to use...


#Map e-mail to something close?
#Will throw warnings if E-Mail is not set in certificate.
#If so, comment out the next three lines and set $ssl_email empty.
if ($_SERVER['SSL_CLIENT_S_DN_Email'] != )
$ssl_email = $_SERVER['SSL_CLIENT_S_DN_Email'];
$ssl_email = ;

#Turn error reporting back on

#Activate SSL Plugin

1 коментар: