MediaWiki Backup And Restore
Backup
The system that hosts the NST Wiki performs nightly backups. The compressed backup files are stored under the /var/nst/nstwiki_archive directory.
The /var/nst/nstwiki_archive directory is then mirrored at external locations.
The following items are backed up:
- The SQL database associated with the Wiki.
- The configuration files associated with the Wiki.
- The media files (images) associated with the Wiki.
Here is an example of using rsync to download a copy of the back up files:
    [nst@nst30-repo ~]$ rsync -avhP nstwiki:/var/nst/nstwiki_archive backup/nst30-repo
    receiving incremental file list
    nstwiki_archive/
    nstwiki_archive/nstwiki_conf_archive0.tgz
            117.14M 100%    3.94MB/s    0:00:28 (xfr#1, to-chk=1/3)
    nstwiki_archive/nstwiki_media_archive0.tgz
            694.91M 100%    3.99MB/s    0:02:46 (xfr#2, to-chk=0/3)
    sent 66 bytes  received 812.24M bytes  4.13M bytes/sec
    total size is 812.05M  speedup is 1.00
    [nst@nst30-repo ~]$ ls -l backup/nst30-repo/nstwiki_archive
    total 793020
    -rw-r--r-- 1 nst nst 117138773 Aug 21 05:34 nstwiki_conf_archive0.tgz
    -rw-r--r-- 1 nst nst 694906230 Aug 21 05:34 nstwiki_media_archive0.tgz
    [nst@nst30-repo ~]$
Restore/Move
If you need to restore the NST Wiki or need to relocate the NST Wiki to another machine, use the following strategy:
- Set up MediaWiki on the other machine by following the instructions on the MediaWiki page.
- Stop the httpd service.
- Stop the mysqld service.
- Transfer and install from the back up archives.
- Start the mysqld service.
- Run any new MediaWiki database upgrade scripts (if you are moving to a newer version of MediaWiki).
- Update your LocalSettings.php file.
- Start the httpd service.
Set Up MediaWiki
If you are moving the NST Wiki to a new machine, you will need to set up MediaWiki on the new machine:
- Before setting up MediaWiki, review the LocalSettings.php file as you will likely want to match some of the settings (if you don't it's not the end of the world - but if you take the time now it might save you some tweaks later).
- See the MediaWiki page for details on setting up MediaWiki on a NST system.
- Install the EmbedVideo media extension.
Stop Services
Stop the httpd and mysqld services as shown below (use service instead of systemctl if you are on an older system):
    [root@probe-p3p1 ~]# systemctl stop httpd.service
    [root@probe-p3p1 ~]# systemctl stop mysqld.service
    [root@probe-p3p1 ~]#
Transfer And Extract The Backup Archives
Get a copy of the NST Wiki backup files from the /var/nst/nstwiki_archive directory and transfer them to your /tmp directory:
    [root@probe-p3p1 ~]# rsync -rp nstwiki:/tmp/nstwiki_archive /tmp/
    root@nstwiki's password:
    [root@probe-p3p1 ~]# ls -l /tmp/nstwiki_archive
    total 198476
    -rw-r--r-- 1 root root  66375294 Oct 22 18:32 nstwiki_conf_archive0.tgz
    -rw-r--r-- 1 root root 126201929 Oct 22 18:32 nstwiki_media_archive0.tgz
    [root@probe-p3p1 ~]#
Extract the contents of the nstwiki_conf_archive0.tgz file to the /var/nst/backup directory:
    [root@probe-p3p1 ~]# install -d /var/nst/backup
    [root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_conf_archive0.tgz -C /var/nst/backup/ .
    [root@probe-p3p1 ~]#
Create and initialize the /var/nst/mediawiki directory:
    [root@probe-p3p1 ~]# install -d /var/nst/mediawiki
    [root@probe-p3p1 ~]# mw-createinstance /var/nst/mediawiki
    [root@probe-p3p1 ~]#
Extract the contents of the nstwiki_media_archive0.tgz file to the directory where your MediaWiki files live.
    [root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_media_archive0.tgz -C /var/nst/mediawiki
    [root@probe-p3p1 ~]#
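Added example (not part of the original NST procedure): both archives are unpacked as root from mirrored copies, so this sketch checks an archive before the tar xzf steps above. The function names unsafe_members and verify_archive are made up for this illustration; it checks member names and gzip integrity only, not link targets.

```bash
# Added example, not NST project code; function names are hypothetical.

# Read archive member names on stdin and print every name that could land
# outside the extraction directory: absolute paths and ".." components.
unsafe_members() {
    while IFS= read -r name; do
        # Wrapping the name in slashes lets one pattern cover a ".."
        # component at the start, middle or end of the path.
        case "/$name/" in
            //*|*/../*) printf '%s\n' "$name" ;;
        esac
    done
}

# verify_archive FILE
# Returns 0 only if FILE is an intact gzip stream, tar can list it, and no
# member name is absolute or contains a ".." component.
verify_archive() {
    local archive listing bad
    archive=$1
    gzip -t "$archive" 2>/dev/null || {
        echo "corrupt or truncated gzip stream: $archive" >&2
        return 1
    }
    listing=$(tar -tzf "$archive" 2>/dev/null) || {
        echo "tar cannot list: $archive" >&2
        return 1
    }
    bad=$(printf '%s\n' "$listing" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'unsafe member name in %s:\n%s\n' "$archive" "$bad" >&2
        return 1
    fi
    return 0
}

# Typical use before the extraction steps on this page:
#   verify_archive /tmp/nstwiki_archive/nstwiki_conf_archive0.tgz &&
#       tar xzf /tmp/nstwiki_archive/nstwiki_conf_archive0.tgz -C /var/nst/backup/ .
```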
Add a sym-link to the images directory under /usr/share/mediawiki (still not sure why this is required). Also, you may need to edit/save each NST WIKI page if thumbnails are not being created automatically.
    [root@probe-p3p1 ~]# mv /usr/share/mediawiki/images /usr/share/mediawiki/images.orig
    [root@probe-p3p1 ~]# ln -s /var/nst/mediawiki/images /usr/share/mediawiki/images
    [root@probe-p3p1 ~]#
Restore The NST Wiki Database
At this point you can start up the mysqld service and restore the most recent version of the NST Wiki backup. However, before you can restore using the SQL file you will need to drop the wikidb (or whatever you named your database) if it exists:
    [root@probe-p3p1 ~]# systemctl start mysqld.service
    [root@probe-p3p1 ~]# mysql -h 127.0.0.1 --user=root --password
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 2
    Server version: 5.5.14 MySQL Community Server (GPL)
    Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> drop database wikidb;
    Query OK, 45 rows affected (0.15 sec)
    mysql> \q
    Bye
    [root@probe-p3p1 ~]#
At this point you can restore the NST Wiki database:
    [root@probe-p3p1 ~]# gzip -dc < /var/nst/backup/db/nstwikidb.sql.gz | mysql -h 127.0.0.1 --user=root --password
    Enter password:
    [root@probe-p3p1 ~]#
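Added example (not part of the original NST procedure): the restore command above feeds the dump to MySQL as root without naming a database, so the dump itself decides which databases it touches. This sketch lists them before the restore; it assumes a mysqldump-style file (one statement per line, names in backticks), and the function names are made up for this illustration.

```bash
# Added example, not NST project code; function names are hypothetical.
# Assumption: the dump is mysqldump output, so statements start at the
# beginning of a line and identifiers are quoted with backticks.

# dump_databases FILE.sql.gz
# Print each database the dump creates, drops or switches to (sorted, unique).
dump_databases() {
    gzip -dc "$1" | awk '
        /^(USE|CREATE DATABASE|DROP DATABASE) / {
            # First backtick-quoted identifier on the line is the name.
            if (match($0, /`[^`]+`/))
                print substr($0, RSTART + 1, RLENGTH - 2)
        }' | sort -u
}

# dump_is_scoped FILE.sql.gz DBNAME
# Returns 0 only if DBNAME is the single database referenced and no line
# starts with an account-management or server-wide statement.
dump_is_scoped() {
    local dbs extra
    dbs=$(dump_databases "$1")
    [ "$dbs" = "$2" ] || {
        echo "expected only '$2', dump references: $(echo $dbs)" >&2
        return 1
    }
    extra=$(gzip -dc "$1" |
        awk '/^(GRANT|REVOKE|CREATE USER|ALTER USER|SET GLOBAL) /')
    [ -z "$extra" ] || {
        printf 'unexpected statement:\n%s\n' "$extra" >&2
        return 1
    }
}

# Typical use before the restore step on this page:
#   dump_is_scoped /var/nst/backup/db/nstwikidb.sql.gz wikidb &&
#       gzip -dc < /var/nst/backup/db/nstwikidb.sql.gz |
#           mysql -h 127.0.0.1 --user=root --password
```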
Update The NST Wiki Database
If the location you are restoring the database to uses a newer version of MediaWiki, you will likely need to run the MediaWiki upgrade commands. Review the /usr/share/doc/mediawiki/UPGRADE file. Most likely you will need to run the following commands:
    [root@probe-p3p1 ~]# cd /usr/share/mediawiki/maintenance/
    [root@probe-p3p1 maintenance]# php update.php
    A copy of your installation's LocalSettings.php must exist and be readable in the source directory.
    [root@probe-p3p1 maintenance]# php update.php --conf /var/nst/mediawiki/LocalSettings.php
    MediaWiki 1.16.5 Updater
    Going to run database updates for wikidb
    Depending on the size of your database this may take a while!
    ... Lots of output as database is updated ...
    Purging caches...done.
    Done.
    [root@probe-p3p1 maintenance]# cd
    [root@probe-p3p1 ~]#
Update LocalSettings.php
Before starting up the web server, you will want to review your LocalSettings.php file:
- Compare it with the back up you made earlier (/root/LocalSettings.php.working).
- Initially disable any extensions currently configured (you may need to install the extension modules before enabling).
- Review the contents of /usr/share/mediawiki/includes/DefaultSettings.php to see if there are any new settings you need to add.
    [root@probe-p3p1 ~]# emacs -nw /var/nst/mediawiki/LocalSettings.php LocalSettings.php.working
    [root@probe-p3p1 ~]#
For some reason, a copy of the LocalSettings.php file also needs to be under the /usr/share/mediawiki directory (at least for MediaWiki 1.33 and Fedora 30 packaging).
    [root@probe-p3p1 ~]# ln /var/nst/mediawiki/LocalSettings.php /usr/share/mediawiki/LocalSettings.php
    [root@probe-p3p1 ~]#
Restart The Web Service And Test
At this point you should be able to restart the web service and PHP engine and test your installation.
Notes:
- Make sure a php-fpm configuration file exists for the systemd httpd.service unit: "/etc/php-fpm.d/www.conf"
- NST Wiki uses a httpd configuration file: "/etc/httpd/conf.d/nstwiki.conf"
    #
    # This is for the NST Wiki
    #DocumentRoot "/var/nst/mediawiki"
    #ServerName wiki.networksecuritytoolkit.org
    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
    #TransferLog logs/wiki_access_log
    #ErrorLog logs/wiki_error_log
    #LogLevel warn
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE # !no-gzip !gzip-only-text/html
    DeflateFilterNote Input input_info
    DeflateFilterNote Output output_info
    DeflateFilterNote Ratio ratio_info
    LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
    CustomLog logs/deflate_log deflate
    #
    # NST Wiki entry point...
    <Directory "/var/nst/mediawiki">
      DirectoryIndex index.php
      Options FollowSymLinks ExecCGI
      Require all granted
      AddOutputFilterByType DEFLATE text/html
    </Directory>
    #
    # IP tools areas (fetch public IP address via SHTML - requires Includes directive)
    <Directory "/var/nst/mediawiki/tools">
      Options Includes
      Require all granted
    </Directory>
    Alias /nstwiki "/var/nst/mediawiki"
    #
    # NST Repo...
    <Directory "/var/nst/repo">
      Options Indexes
      Require all granted
    </Directory>
    Alias /repo "/var/nst/repo"
    #
    # Icons for NST Repo dir listing...
    <Directory "/var/nst/mediawiki/icons">
      Options Indexes MultiViews
      AllowOverride None
    </Directory>
    Alias /icons/ "/var/nst/mediawiki/icons/"
    <Directory "/usr/share/nst-webgl-globe">
      Options -Indexes
      Require all granted
    </Directory>
    Alias /nst-webgl-globe "/var/nst/mediawiki/nst-webgl-globe"
- Start these services and then check the NST Wiki.
    [root@probe-p3p1 ~]# systemctl start httpd.service
    [root@probe-p3p1 ~]# systemctl restart php-fpm.service
    [root@probe-p3p1 ~]#
    [root@probe-p3p1 ~]# firefox http://127.0.0.1/nstwiki
    [root@probe-p3p1 ~]#
At this point you should be able to review the contents of the Wiki and determine what is broken (not working). Places to check when working out what needs to be fixed:
- Examine log files under the /var/log/httpd directory - they will often provide useful clues.
- The /var/nst/mediawiki/LocalSettings.php file (look for new values you might need to override in /usr/share/mediawiki/includes/DefaultSettings.php). Also, consider temporarily enabling the debug logging feature with:
    # Uncomment to enable debug log file when trouble shooting
    $wgDebugLogFile = "/var/log/httpd/debug-wikidb.log";
- Review the /etc/httpd/conf/httpd.conf file.
- Review your mediawiki configuration file under the /etc/httpd/conf.d directory (nstwiki.conf).
Certbot - HTTPS TLS Certificates
Certbot Overview
Certbot is part of EFF's effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
Certbot Installation On NST Wiki - Tips & Modifications
Installing
    [root@nst-wiki40 ~]# certbot --help apache
    usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
    Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate.
    options:
      -h, --help            show this help message and exit
      -c CONFIG_FILE, --config CONFIG_FILE
                            path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)
    apache:
      Apache Web Server plugin
      --apache-enmod APACHE_ENMOD
                            Path to the Apache 'a2enmod' binary (default: None)
      --apache-dismod APACHE_DISMOD
                            Path to the Apache 'a2dismod' binary (default: None)
      --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                            SSL vhost configuration extension (default: -le-ssl.conf)
      --apache-server-root APACHE_SERVER_ROOT
                            Apache server root directory (default: /etc/httpd)
      --apache-vhost-root APACHE_VHOST_ROOT
                            Apache server VirtualHost configuration root (default: None)
      --apache-logs-root APACHE_LOGS_ROOT
                            Apache server logs directory (default: /var/log/httpd)
      --apache-challenge-location APACHE_CHALLENGE_LOCATION
                            Directory path for challenge configuration (default: /etc/httpd/conf.d)
      --apache-handle-modules APACHE_HANDLE_MODULES
                            Let installer handle enabling required modules for you (Only Ubuntu/Debian currently) (default: False)
      --apache-handle-sites APACHE_HANDLE_SITES
                            Let installer handle enabling sites for you (Only Ubuntu/Debian currently) (default: False)
      --apache-ctl APACHE_CTL
                            Full path to Apache control script (default: httpd)
      --apache-bin APACHE_BIN
                            Full path to apache2/httpd binary (default: None)
Crontab - Certificate Updates
Add the following line to the crontab file: "/etc/crontab" for certbot to attempt to renew the NST Wiki certificate:
    [root@nst-wiki40 ~]# cat /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    # For details see man 4 crontabs
    # Example of job definition:
    # .---------------- minute (0 - 59)
    # |  .------------- hour (0 - 23)
    # |  |  .---------- day of month (1 - 31)
    # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
    # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # |  |  |  |  |
    # *  *  *  *  * user-name  command to be executed
    0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q