Dokuwiki configuration

I wanted a place to write both public and semi-private notes for setting things up, documenting my configs, and maybe even a cheap solution for blogging or keeping notes. I used Dokuwiki for work a long time ago, and appreciated its simplicity - no database, just files, and easy to set up and back up. It was good for the shadow IT server I had access to back in 20xx.

Hope this helps for anyone who needs it/

This is a two-host design, assuming a front-end proxy server redirecting to a purpose-built wiki server.

If running a single caddy server, you would replace the reverse_proxy block in the front-end config with the try_files and php_fastcgi blocks from the backend config.

• Configure DNS A, AAAA and CAA records as needed.
• Install PHP-FPM / php-xml, and modify its config to permit the caddy user.
• Install Caddy where needed, and customize/apply the config.
• Install dokuwiki.
• Connect to the web interface and configure the admin panel.

Note: Details of the PHP-FPM and dokuwiki locations may change depending on distro.

Obviously you need a domain name for public access. You need DNS configured before you stand up the front-facing Caddy instance, so it can fetch certificates.

• Add A and AAAA records for your wiki's domain
• Add CAA record: 0 issue “letsencrypt.org” and 0 issue “sectigo.com”

• Install php-fpm and php-xml
• Modify /etc/php-fpm.d/www.sock. Set listen.acl_users to include caddy.

Two caddy servers: One local to serve the wiki, and the public-facing one for public access, TLS and so on.

• Modify caddyfiles as directed at the top of each example.
• Write the caddyfiles. Can write to /etc/caddy/Caddyfile or to /etc/caddy/Caddyfile.d/wiki.caddyfile if the include directive is in the root Caddyfile.
• Create /var/log/caddy and chown to the caddy user.
• Start the services.

Local caddyfile:

# Edit:
# - Listener port if needed
# - Root directory, if it is different based on distro
# - IPs in not_from_global directive, if used
# - The php socket, depending on the distro used

# Local origin Caddyfile — run on the wiki host
:8080 {
        # bind to a specific internal address (optional)
        #bind 10.10.0.5
        #encode gzip zstd

        # Only allow requests from the global proxy IP
        @from_global remote_ip 2001:db8::1 192.168.1.1
        respond @from_global

        # Deny others
        #@not_from_global not remote_ip 10.10.0.1
        #respond @not_from_global 403
        
        ##### Replace reverse proxy config with this block if doing single-server
        
        root * /var/www/dokuwiki
        
        # Serve static files; let PHP handle .php
        try_files {path} {path}/ /doku.php
        
        file_server

        # PHP handling via unix socket
        php_fastcgi unix//run/php-fpm/www.sock
        
        ##### end block

        # Protect sensitive paths
        @forbidden {
                path /.ht* /conf/* /data/* /bin/* /inc/* /vendor/*
        }
        respond @forbidden 403

        header {
                # minimal headers for origin (public-facing Caddy will add HSTS)
                X-Content-Type-Options "nosniff"
                X-Frame-Options "DENY"
        }

        log {
                output file /var/log/caddy/docs.access.log {
                        roll_size 10mb
                        roll_keep 5
                        roll_keep_for 720h
                }
        }
}

Frontend caddyfile:

# Edit:
# - Domain name
# - IPs in the @install_blocked section to include your public IP addresses
#   for first configuration
# - Backend IP address


wiki.example.com {
        encode gzip zstd

        # Security headers
        header {
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                X-Content-Type-Options "nosniff"
                X-Frame-Options "DENY"
                Referrer-Policy "strict-origin-when-cross-origin"
                Permissions-Policy "camera=(), microphone=(),geolocation=(), payment=(), usb=(), interest-cohort=()"
                Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
        }

        # Block sensitive files (edge defense)
        @forbidden {
                path /.ht* /conf/* /data/* /bin/* /inc/* /vendor/*
        }
        respond @forbidden 403

        @install_blocked {
                path /install.php
                not remote_ip 2001:db8::1 127.0.0.1
        }
        respond @install_blocked 403
        
        ##### Replace this block with portions of the local file if running a single server

        # Main proxy to local origin (keepalive/reuse)
        # IPv6 addresses need to be in brackets when matched with a port or as a URL
        reverse_proxy [2001:db8::2]:8080 {

                transport http {
                        # tune timeouts if needed
                        read_buffer 32kb
                }
        }
        
        ##### end block

        # Optional: limit request body size (protect against large uploads)
        request_body {
                max_size 50mb
        }

        # Optional logging (adjust to your logging system)
        log {
                output file /var/log/caddy/caddy-docs.log {
                        roll_size 10mb
                        roll_keep 5
                        roll_keep_for 720h
                }
        }
}

If you are running on Fedora or some other system with SELinux, you may need:

sudo semanage fcontext -a -t httpd_sys_rw_content_t “/var/www/dokuwiki(/data|/conf|/lib/(plugins|tpl))(/.*)?”

sudo restorecon -R /var/www/dokuwiki

SELinux is whack.

Note: It is STRONGLY recommended to use the packages from https://www.dokuwiki.org. Distro packages vary, and sometimes install an open wiki by default that doesn't have the installer to help bootstrapping.

• Extract dokuwiki to /var/www/dokuwiki
• Change permissions so caddy can read: chmod -R caddy /var/www/dokuwiki
• Go to the site and run install. Must hit the backend server, or have set the proper address in the front-end server.
  • Disable user registration unless needed
  • Delete install.php after inital run
• Optional: In Config options, set userewrite to DokuWiki Internal
• Optional but recommended: Disable old revisions to prevent possible leaks of data that has been edited out.

To backup, take a copy/zip of the entire /var/www/dokuwiki/ directory, omitting or first deleting:

data/cache/, data/tmp/, data/locks/, data/index/