Notes from Zeropolis

User Tools

Site Tools

Trace: dokuwiki
tech:dokuwiki

Table of Contents

Dokuwiki configuration

This is targeted to a single-user or low-multi-user dokuwiki installation.

This is a two-host design, assuming a front-end proxy server redirecting to a purpose-built wiki server.

If running a single caddy server, you would replace the reverse_proxy block in the front-end config with the try_files and php_fastcgi blocks from the backend config.

High level

  • Configure DNS A, AAAA and CAA records as needed.
  • Install PHP-FPM, and modify its config to permit the caddy user.
  • Install Caddy where needed, and customize/apply the config.
  • Install dokuwiki.
  • Connect to the web interface and configure the admin panel.

Note: Details of the PHP-FPM and dokuwiki locations may change depending on distro.

DNS configuration

Obviously you need a domain name for public access. You need DNS configured before you stand up the front-facing Caddy instance, so it can fetch certificates.

  • Add A and AAAA records for your wiki's domain
  • Add CAA record: 0 issue “letsencrypt.org” and 0 issue “sectigo.com”

PHP-FPM configuration

Modify /etc/php-fpm.d/www.sock. Set listen.acl_users to include caddy.

Caddy configuration

Two caddy servers: One local to serve the wiki, and the public-facing one for public access, TLS and so on.

  • Modify caddyfiles as directed at the top of each example.
  • Write the caddyfiles. Can write to /etc/caddy/Caddyfile or to /etc/caddy/Caddyfile.d/wiki.caddyfile if the include directive is in the root Caddyfile.
  • Make sure /var/log/caddy is created and that it is owned by the caddy user.
  • Start the services.

Local caddyfile: 

# Edit:
# - Listener port if needed
# - Root directory, if it is different based on distro
# - IPs in not_from_global directive, if used
# - The php socket, depending on the distro used

# Local origin Caddyfile — run on the wiki host
:8080 {
        # bind to a specific internal address (optional)
        #bind 10.10.0.5
        #encode gzip zstd

        # Only allow requests from the global proxy IP
        @from_global remote_ip 2001:db8::1 192.168.1.1
        respond @from_global

        # Deny others
        #@not_from_global not remote_ip 10.10.0.1
        #respond @not_from_global 403
        
        ##### Replace reverse proxy config with this block if doing single-server
        
        root * /var/www/dokuwiki
        
        # Serve static files; let PHP handle .php
        try_files {path} {path}/ /doku.php
        
        file_server

        # PHP handling via unix socket
        php_fastcgi unix//run/php-fpm/www.sock
        
        ##### end block

        # Protect sensitive paths
        @forbidden {
                path /.ht* /conf/* /data/* /bin/* /inc/* /vendor/*
        }
        respond @forbidden 403

        header {
                # minimal headers for origin (public-facing Caddy will add HSTS)
                X-Content-Type-Options "nosniff"
                X-Frame-Options "DENY"
        }

        log {
                output file /var/log/caddy/docs.access.log {
                        roll_size 10mb
                        roll_keep 5
                        roll_keep_for 720h
                }
        }
}

Frontend caddyfile: 

# Edit:
# - Domain name
# - IPs in the @install_blocked section to include your public IP addresses
#   for first configuration
# - Backend IP address
# Note: IPv6 addresses must be enclosed in brackets

wiki.example.com {
        encode gzip zstd

        # Security headers
        header {
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                X-Content-Type-Options "nosniff"
                X-Frame-Options "DENY"
                Referrer-Policy "strict-origin-when-cross-origin"
                Permissions-Policy "camera=(), microphone=(),geolocation=(), payment=(), usb=(), interest-cohort=()"
                Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
        }

        # Block sensitive files (edge defense)
        @forbidden {
                path /.ht* /conf/* /data/* /bin/* /inc/* /vendor/*
        }
        respond @forbidden 403

        @install_blocked {
                path /install.php
                not remote_ip 2001:db8::1 127.0.0.1
        }
        respond @install_blocked 403

        # Main proxy to local origin (keepalive/reuse)
        # IPv6 addresses need to be in brackets when matched with a port or as a URL
        reverse_proxy [2001:db8::2]:8080 {
                transport http {
                        # tune timeouts if needed
                        read_buffer 32kb
                }
        }

        # Optional: limit request body size (protect against large uploads)
        request_body {
                max_size 50mb
        }

        # Optional logging (adjust to your logging system)
        log {
                output file /var/log/caddy/caddy-docs.log {
                        roll_size 10mb
                        roll_keep 5
                        roll_keep_for 720h
                }
        }
}

Dokuwiki Installation

  • Extract dokuwiki to /var/www/dokuwiki
  • Change permissions so caddy can read: chmod -R caddy /var/www/dokuwiki
  • Go to the site and run install. Must hit the backend server, or have set the proper address in the front-end server.
    • Disable user registration unless needed
    • Delete install.php after inital run
  • Optional: In Config options, set userewrite to DokuWiki Internal
  • Optional but recommended: Disable old revisions to prevent possible leaks of data that has been edited out.

Dokuwiki Backup

To backup, take a copy/zip of the entire /var/www/dokuwiki/ directory, omitting or first deleting:

data/cache/, data/tmp/, data/locks/, data/index/

tech/dokuwiki.txt · Last modified: by webmaster · Currently locked by: webmaster