====== Dokuwiki configuration ======
I wanted a place to write both public and semi-private notes for setting things up, documenting my configs, and maybe even a cheap solution for blogging or keeping notes. I used Dokuwiki for work a long time ago, and appreciated its simplicity - no database, just files, and easy to set up and back up. It was good for the shadow IT server I had access to back in 20xx.
Hope this helps anyone who needs it.
This is a two-host design, assuming a front-end proxy server redirecting to a purpose-built wiki server.
If running a single Caddy server, replace the ''reverse_proxy'' block in the front-end config with the ''root'', ''try_files'', ''file_server'' and ''php_fastcgi'' block from the backend config.
===== High level =====
* Configure DNS A, AAAA and CAA records as needed.
* Install PHP-FPM / php-xml, and modify its config to permit the caddy user.
* Install Caddy where needed, and customize/apply the config.
* Install dokuwiki.
* Connect to the web interface and configure the admin panel.
Note: Details of the PHP-FPM and dokuwiki locations may change depending on distro.
===== DNS configuration =====
Obviously you need a domain name for public access. You need DNS configured before you stand up the front-facing Caddy instance, so it can fetch certificates.
* Add A and AAAA records for your wiki's domain
  * Add CAA records: ''0 issue "letsencrypt.org"'' and ''0 issue "sectigo.com"'' (Caddy's default issuers are Let's Encrypt and ZeroSSL, whose certificates are issued by Sectigo)
===== PHP-FPM configuration =====
* Install php-fpm and php-xml
  * Modify the pool config ''/etc/php-fpm.d/www.conf''. Set ''listen.acl_users'' to include ''caddy'' so the Caddy process may connect to the FPM socket.
===== Caddy configuration =====
Two Caddy servers: one local to the wiki host to serve the wiki, and the public-facing one for public access, TLS termination and so on.
  * Modify the Caddyfiles as directed in the comments at the top of each example.
  * Write the Caddyfiles. You can write to ''/etc/caddy/Caddyfile'', or to ''/etc/caddy/Caddyfile.d/wiki.caddyfile'' if an ''import'' directive for that directory is in the root Caddyfile.
* Create ''/var/log/caddy'' and chown to the ''caddy'' user.
* Start the services.
Local caddyfile:
<code>
# Edit:
# - Listener port if needed
# - Root directory, if it is different based on distro
# - IPs in the not_from_global matcher (the front-end proxy's addresses)
# - The php socket, depending on the distro used
# Local origin Caddyfile - run on the wiki host
:8080 {
	# bind to a specific internal address (optional)
	#bind 10.10.0.5
	#encode gzip zstd

	# Only allow requests from the front-end proxy: deny everyone else.
	# remote_ip is the direct peer, which on this host is the proxy itself.
	@not_from_global not remote_ip 2001:db8::1 192.168.1.1
	respond @not_from_global 403

	##### Replace reverse proxy config with this block if doing single-server
	root * /var/www/dokuwiki
	# Serve static files; let PHP handle .php
	try_files {path} {path}/ /doku.php
	file_server
	# PHP handling via unix socket
	php_fastcgi unix//run/php-fpm/www.sock
	##### end block

	# Protect sensitive paths (respond is ordered before file_server/php_fastcgi,
	# so these never reach the file server or PHP)
	@forbidden {
		path /.ht* /conf/* /data/* /bin/* /inc/* /vendor/*
	}
	respond @forbidden 403

	header {
		# minimal headers for origin (public-facing Caddy will add HSTS)
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
	}

	log {
		output file /var/log/caddy/docs.access.log {
			roll_size 10mb
			roll_keep 5
			roll_keep_for 720h
		}
	}
}
</code>
Frontend caddyfile:
<code>
# Edit:
# - Domain name
# - IPs in the @install_blocked section to include your public IP addresses
#   for first configuration
# - Backend IP address
wiki.example.com {
	encode gzip zstd

	# Security headers
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()"
		Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
	}

	# Block sensitive files (edge defense)
	@forbidden {
		path /.ht* /conf/* /data/* /bin/* /inc/* /vendor/*
	}
	respond @forbidden 403

	# Only the listed addresses may reach the installer
	@install_blocked {
		path /install.php
		not remote_ip 2001:db8::1 127.0.0.1
	}
	respond @install_blocked 403

	##### Replace this block with portions of the local file if running a single server
	# Main proxy to local origin (keepalive/reuse)
	# IPv6 addresses need to be in brackets when matched with a port or as a URL
	reverse_proxy [2001:db8::2]:8080 {
		transport http {
			# tune timeouts if needed
			read_buffer 32kb
		}
	}
	##### end block

	# Optional: limit request body size (protect against large uploads)
	request_body {
		max_size 50mb
	}

	# Optional logging (adjust to your logging system)
	log {
		output file /var/log/caddy/caddy-docs.log {
			roll_size 10mb
			roll_keep 5
			roll_keep_for 720h
		}
	}
}
</code>
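Once both Caddyfiles are live, it is worth confirming from the outside that the ''@forbidden'' and ''@install_blocked'' rules actually deny what they should and that the front-end ''header'' block is applied. The script below is an added example, not part of this page or of Caddy/DokuWiki. It assumes the page's example domain as ''BASE_URL'' (replace it), and that the client running it is not in the ''@install_blocked'' allow-list, so every listed path is expected to answer 403. The ''fetch'' argument is injectable so the logic can be exercised without a network.

```python
"""Post-deployment check for the two Caddyfiles above.

Added example, not part of the original page or of Caddy/DokuWiki: it
fetches each path the @forbidden and @install_blocked matchers should deny
and confirms a 403, then checks the response headers the front-end
Caddyfile sets. BASE_URL is an assumption; the client running this must be
outside the @install_blocked allow-list for the /install.php check to be
meaningful. fetch() is injectable so the checks can run offline.
"""
import urllib.error
import urllib.request

BASE_URL = "https://wiki.example.com"  # assumption: the page's example domain

# One representative file under every prefix the @forbidden matcher covers,
# plus install.php (denied by @install_blocked for non-allow-listed clients).
FORBIDDEN_PATHS = [
    "/.htaccess",
    "/conf/local.php",
    "/data/pages/start.txt",
    "/bin/indexer.php",
    "/inc/init.php",
    "/vendor/autoload.php",
    "/install.php",
]

# Substrings expected in the headers set by the front-end `header` block.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=31536000",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "content-security-policy": "frame-ancestors 'none'",
}


def http_fetch(url, timeout=10):
    """GET url and return (status, lowercase header dict); 4xx/5xx are data, not errors."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def check_forbidden(base_url=BASE_URL, paths=FORBIDDEN_PATHS, fetch=http_fetch):
    """Return {path: status} for every path that was NOT answered with 403."""
    leaks = {}
    for path in paths:
        status, _headers = fetch(base_url + path)
        if status != 403:
            leaks[path] = status
    return leaks


def check_headers(base_url=BASE_URL, expected=EXPECTED_HEADERS, fetch=http_fetch):
    """Return the names of expected security headers that are missing or wrong."""
    _status, headers = fetch(base_url + "/")
    return [name for name, needle in expected.items()
            if needle not in headers.get(name, "")]


if __name__ == "__main__":
    leaks = check_forbidden()
    missing = check_headers()
    for path, status in leaks.items():
        print(f"NOT BLOCKED: {path} -> HTTP {status}")
    for name in missing:
        print(f"HEADER MISSING/WRONG: {name}")
    if not leaks and not missing:
        print("all checks passed")
```

Run it once from an address that is in the ''@install_blocked'' allow-list (expect ''/install.php'' to be reported as not blocked while you are installing) and once from outside it after ''install.php'' has been deleted. A quick ''curl -I'' against the backend's ''':8080''' from a host other than the proxy should likewise return 403 if the ''@not_from_global'' rule is in effect.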
===== SELinux Config =====
If you are running on Fedora or some other system with SELinux, you may need:
''sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/dokuwiki(/data|/conf|/lib/(plugins|tpl))(/.*)?"''
''sudo restorecon -R /var/www/dokuwiki''
SELinux is whack.
===== Dokuwiki Installation=====
Note: It is STRONGLY recommended to use the packages from https://www.dokuwiki.org. Distro packages vary, and sometimes install an open wiki by default that doesn't have the installer to help with bootstrapping.
  * Extract dokuwiki to ''/var/www/dokuwiki''
  * Change ownership so Caddy can read it: ''chown -R caddy /var/www/dokuwiki''
  * Go to the site and run the installer. You must hit the backend server directly, or have your address in the ''@install_blocked'' allow-list on the front-end server.
* Disable user registration unless needed
  * Delete install.php after the initial run
* Optional: In Config options, set ''userewrite'' to DokuWiki Internal
* Optional but recommended: Disable old revisions to prevent possible leaks of data that has been edited out.
===== Dokuwiki Backup =====
To back up, take a copy or zip of the entire ''/var/www/dokuwiki/'' directory, omitting (or first deleting) these directories, which DokuWiki regenerates on its own:
''data/cache/, data/tmp/, data/locks/, data/index/''
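A small backup helper that applies exactly those exclusions, added here as an example (it is not from this page or the DokuWiki project). It assumes the page's ''/var/www/dokuwiki'' install path, writes a timestamped ''.tar.gz'' and returns the archived member list so you can confirm what went in; run it as the ''caddy'' user or as root so ''conf/'' and ''data/'' are readable.

```python
"""Backup helper for the DokuWiki tree described above.

Added example, not part of the original page or of DokuWiki. It writes a
gzipped tarball of DOKUWIKI_ROOT while skipping the four volatile
directories the page lists (cache, tmp, locks, index), and returns the
member names so the exclusions can be verified. DOKUWIKI_ROOT matches the
page's install path and is an assumption for other layouts.
"""
import os
import tarfile
import time

DOKUWIKI_ROOT = "/var/www/dokuwiki"  # assumption: the page's install path

# Regenerated by DokuWiki on demand; omitted from the archive as the page advises.
EXCLUDED_SUBDIRS = ("data/cache", "data/tmp", "data/locks", "data/index")


def should_skip(rel_path):
    """True if rel_path (relative to the wiki root) is one of, or inside, an excluded dir."""
    rel = rel_path.replace(os.sep, "/")
    return any(rel == ex or rel.startswith(ex + "/") for ex in EXCLUDED_SUBDIRS)


def backup(root=DOKUWIKI_ROOT, dest_dir="."):
    """Create dest_dir/dokuwiki-<timestamp>.tar.gz; return (archive_path, sorted member names)."""
    root = os.path.abspath(root)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, f"dokuwiki-{stamp}.tar.gz")

    def tar_filter(info):
        # Member names carry the "dokuwiki/" arcname prefix; strip it before matching.
        rel = info.name.split("/", 1)[1] if "/" in info.name else ""
        # Returning None drops the entry; for a directory, tarfile then skips its contents too.
        return None if should_skip(rel) else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname="dokuwiki", filter=tar_filter)

    with tarfile.open(archive, "r:gz") as tar:
        members = sorted(tar.getnames())
    return archive, members


if __name__ == "__main__":
    path, members = backup()
    print(f"wrote {path} with {len(members)} entries")
```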