Here's a piece of goodness that has plagued us for the longest time...
Our httpd.conf looked similar to so:
# cat /etc/httpd/conf/httpd.conf | sed '/^[[:space:]]*#/d' | sed '/^\s*$/d' ServerRoot "/etc/httpd" Listen 80 Include conf.modules.d/*.conf User apache Group apache ServerAdmin webmaster@cryptopp.com ServerName www.cryptopp.com:80 ... <VirtualHost *:80> ServerName www.cryptopp.com ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com </VirtualHost> <VirtualHost *:443> ServerName www.cryptopp.com ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com </VirtualHost>
Our LocalSettings.php used protocol agnostic URLs like so:
# cat /var/www/html/w/LocalSettings.php | sed '/^[[:space:]]*#/d' | sed '/^\s*$/d' <?php if( defined( 'MW_INSTALL_PATH' ) ) { $IP = MW_INSTALL_PATH; } else { $IP = dirname( __FILE__ ); } ... # Notice cryptopp.com vs www.cryptopp.com $wgServer = "//cryptopp.com"; $wgSitename = "Crypto++ Wiki"; $wgSecureLogin = true; $wgCookieHttpOnly = true; $wgCookieSecure = "detect"; ...
Whenever we tried to Logon through the wiki, it would take two tries for unexplained reasons. We searched through all the log files, and never encounter one squawk. I sem to recall it started when I added this to LocalSettings.php, but it may have been a sumptom to the deeper problem:
$wgSecureLogin = true; $wgCookieHttpOnly = true; $wgCookieSecure = "detect";
Today we enabled a mod_rewrite rule to rewrite _all_ HTTP to HTTPS. This is due to Chrome's upcoming change of displaying any site in HTTP as insecure. Also see https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/. Here's what the change looked like:
<VirtualHost *:80> ServerName www.cryptopp.com ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R] </IfModule> </VirtualHost> <VirtualHost *:443> ServerName www.cryptopp.com ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com </VirtualHost>
The mod_rewrite completely broke wiki logons. We would visit the logon page, it would show HTTPS in the URL bar, but MediaWiki would display a message "Use Secure Logon" (IIRC), and the logon process would loop me back to the logon page without an actual login. Again, we would check the logs and there was nothing mentioned.
When we changed $wgServer to www.cryptopp.com, then everything worked as expected.
In the bigger picture, the problems above are (1) we were set to "warn" level, but no warnings or errors were logged. (2) None of us are Wiki admins or even admins in our day job. I realize there's nothing you can do for our inexperience. (3) We wasted countless hours on it over the last 18 months trying to figure out the double logon problem. Today we had to find the fix due to the mod_rewirte, and we spent 11 hours on it today alone. That likely means 10's to 100's of thousands of hours will be wasted around the world. (4) Many folks will avoid the secure state or better security posture because the problem is difficult to diagnose and fix. (5) Its hard to find a canonical answer as a reference. Typically, the usual Stack Overflow fodder shows up. I relaize there's nothing you can do for bad answers sprayed around the web.
Please start logging problems like ServerName != wgServer at "warn" level and above. It will save developers around the world untold pain and suffering, and it will improve the security posture for a number of sites. The improvement will come when the cause and fix become easy to diagnose.