This issue was moved to a discussion.

SSL & Proxy configurations #1092

Closed
DelfrCorp opened this issue Oct 9, 2019 · 6 comments

DelfrCorp commented Oct 9, 2019

I am relatively new to GitHub and even newer to Wiki.js, and I struggled for several hours to properly configure port 80 and 443 proxying so that the wiki my colleague built for our company would work on ports 80 and 443, automatically redirect to port 443, and work properly with the wiki node behind the proxy.

I would like to suggest a quick addition to the docs of a full, proper nginx config (example below) and the config.yml changes needed to tie the wiki node to nginx over SSL. Our wiki node was configured for port 8080. Configuring the node for port 80 or 443 will cause a service failure on the configured port.

I ran

```sh
node wiki configure 8080
```

Changed the Nginx config with the following parameters:

```nginx
# Port 80: redirect every request to HTTPS.
server {
    listen 80;
    server_name wiki.mydomain.tld;
    return 301 https://$host$request_uri;
}

# Port 443: terminate TLS here and proxy to the Wiki.js node on 8080.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name wiki.mydomain.tld;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;

    # Leaf certificate and private key; ssl_trusted_certificate is the CA chain nginx uses
    # when OCSP stapling verification is enabled.
    ssl_certificate /path/to/ssl/certificate/wiki.mydomain.tld.cer;
    ssl_certificate_key /path/to/private/key/wiki.mydomain.tld.key;
    ssl_trusted_certificate /path/to/my/chain/certificate/chain.cer;

    location / {
        # Pass the original Host header and client IP through to the node.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8080;
        # HTTP/1.1 plus Upgrade/Connection headers so WebSocket connections survive the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_next_upstream error timeout http_502 http_503 http_504;
    }
}
```

I then changed the host in config.yml from http:// to https:// and made sure to still set the port to 8080:

```yaml
title: My Wiki Title
host: 'https://wiki.mydomain.tld'
port: 8080
```

@NGPixel NGPixel self-assigned this Oct 10, 2019

asnyder commented Nov 21, 2019

Surprised this isn't already in the docs, considering how HTTPS is now enforced via Chrome. Not having the wiki be able to use a cert out of the box, without having to do this config, seems like an oversight.

Further, the Docker image has no setting for SSL certs or keys. So we were unable to use Google Auth in our Docker WikiJS, which spooled up nicely, and were forced to create an EC2 instance and manually install and configure it using the above approach, so we can maintain HTTPS and our Google auth workflow, which requires verified HTTPS.


DelfrCorp commented Nov 22, 2019

Glad this helped. I have further built onto my initial nginx SSL config to add HSTS to it.
This is only to be used if you have a valid trusted certificate. I am in the process of provisioning our entire infrastructure with free trusted certificates from Let's Encrypt and an automated certificate renewal process using the DNS ACME method.

HSTS configuration example below:

```nginx
# Port 80: redirect every request to HTTPS.
server {
    listen 80;
    server_name wiki.mydomain.tld;
    return 301 https://$host$request_uri;
}

# Port 443: terminate TLS, send HSTS, and proxy to the Wiki.js node on 8080.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name wiki.mydomain.tld;

    # HSTS for one year including subdomains; only deploy this once the certificate is trusted,
    # since browsers will refuse the site for max-age if it is not.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_prefer_server_ciphers on;

    ssl_certificate /path/to/ssl/certificate/wiki.mydomain.tld.cer;
    ssl_certificate_key /path/to/private/key/wiki.mydomain.tld.key;
    ssl_trusted_certificate /path/to/my/chain/certificate/chain.cer;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Repeated here on purpose: a location that sets any add_header of its own
        # no longer inherits the server-level add_header directives.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://127.0.0.1:8080;
        # HTTP/1.1 plus Upgrade/Connection headers so WebSocket connections survive the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_next_upstream error timeout http_502 http_503 http_504;
    }
}
```
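
As an added check (not part of this issue or of Wiki.js), a small Python lint that parses an nginx config like the one above by brace counting and reports what a reviewer of this thread would flag: a missing port-80 redirect, TLS 1.0/1.1 still enabled in `ssl_protocols`, and an HSTS header lost because a `location` with its own `add_header` drops inherited headers (the reason the line is repeated above). The config text is a constructed, trimmed copy of the sample; `blocks` and `lint` are names chosen here.

```python
import re

# Constructed sample: the HSTS variant posted above, trimmed to the directives this lint inspects.
SAMPLE_CONF = """server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://127.0.0.1:8080;
    }
}"""
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0 and 1.1 are deprecated by RFC 8996
HSTS = re.compile(r"add_header\s+Strict-Transport-Security\b")

def blocks(text):
    # Return (header, body) for every depth-0 `header { body }` in text, by brace counting.
    out, depth, start, header = [], 0, 0, ""
    for m in re.finditer(r"[{}]", text):
        if m.group() == "{":
            if depth == 0:  # header is the text after the previous ';', '{' or '}'
                header, start = re.split(r"[;{}]", text[:m.start()])[-1].strip(), m.end()
            depth += 1
        else:
            depth -= 1
            if depth == 0:
                out.append((header, text[start:m.start()]))
    return out

def lint(conf):
    # Return human-readable findings; an empty list means every check passed.
    findings = []
    servers = [body for head, body in blocks(conf) if head == "server"]
    if not any(re.search(r"\blisten\s+80;", b) and "return 301 https://" in b for b in servers):
        findings.append("no port-80 server block redirecting to https")
    for body in servers:
        if not re.search(r"\blisten\s+[^;]*\bssl\b", body):
            continue  # plain-HTTP block: nothing TLS-related to check
        weak = sorted(DEPRECATED_TLS & set(" ".join(re.findall(r"ssl_protocols\s+([^;]+);", body)).split()))
        if weak: findings.append("deprecated TLS protocol(s) enabled: " + ", ".join(weak))
        if not HSTS.search(body): findings.append("no HSTS header in TLS server block")
        # nginx quirk: a location with its own add_header drops every inherited add_header (hence the repeat above)
        for head, loc in blocks(body):
            if head.startswith("location") and "add_header" in loc and not HSTS.search(loc):
                findings.append(f"{head}: add_header present but no HSTS (inherited add_header lines are dropped)")
    return findings
```

Running `lint(SAMPLE_CONF)` on the posted config reports only the deprecated protocol versions; swapping in `TLSv1.2 TLSv1.3` clears it.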


NGPixel commented Nov 22, 2019

@asnyder You don't need a reverse proxy to support SSL. Wiki.js supports it natively (check the sample config.yml file). Also, you can easily mount a custom config file and other certs you might need to a docker container.

DelfrCorp (Author) commented

Those are the steps I had to take for a CentOS 7 VM install for v1 of the wiki. It may be that v2 introduced native SSL support, but we were waiting for it to be considered stable before upgrading. We are planning to do so in the coming weeks.


applecrusher commented Dec 3, 2019

@NGPixel Thank you for all the hard work you have done on this repository. I am using version 1 and this new revision looks awesome. The docker container is a nice and easy install, but SSL has been a problem for me as well. I would greatly appreciate more information/documentation on how to mount a persistent custom config file and other certs into this particular docker container for use. Thank you.


applecrusher commented Jan 2, 2020

Since this time, I wrote up how to integrate the WikiJS2 Docker image with SSL on my personal website, using an nginx reverse proxy and a Docker letsencrypt nginx proxy companion. Feedback would be appreciated. @NGPixel, please feel free to share or use it if you think it is useful.

There is also a much more detailed article on SSDNodes.

@NGPixel NGPixel closed this as completed Mar 21, 2021
@requarks requarks locked and limited conversation to collaborators Mar 21, 2021
