
* Añadidas funciones para instalar MediaWiki
* Añadidos ficheros de configuración de MediaWiki para Nginx

Guzmán Castanedo Villalba hace 6 años
padre
commit
0dd9e1741d

+ 86 - 0
etc/nginx-debian/sites-available/mediawiki-ssl.conf

@@ -0,0 +1,86 @@
+
+server {
+	listen 80;
+	listen [::]:80;
+	server_name localhost;
+	# Redirect HTTP to HTTPS
+	return 301 https://$host$request_uri;
+}
+
+server {
+	# SSL configuration
+	#
+	listen 443 ssl;
+	listen [::]:443;
+    ssl_certificate /etc/letsencrypt/live/wiki.castanedo.es/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/wiki.castanedo.es/privkey.pem; # managed by Certbot
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	root /var/www/wiki;
+
+	# Add index.php to the list if you are using PHP
+	index index.php index.html index.htm;
+
+	server_name localhost;
+
+	access_log /var/log/nginx/wiki-access.log;
+	error_log /var/log/nginx/wiki-error.log;
+
+	# Activate HSTS (HTTP Strict Transport Security)
+	# Note: reinclude if in a location a header is set
+	include snippets/hsts.conf;
+
+	# Allow favicon.ico, robots.txt, .well-known/
+	# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
+	include snippets/allowed.conf;
+	include snippets/denied.conf;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+		error_page 404 = @mediawiki;
+	}
+	# Rewrite for Short-URL
+	location @mediawiki {
+		rewrite ^/wiki([^?]*)(?:\?(.*))? /index.php?title=$1&$2 last;
+	}
+
+	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+	#
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+	#	# With php7.0-cgi alone:
+	#	fastcgi_pass 127.0.0.1:9000;
+	#	# With php7.2-fpm:
+		fastcgi_pass unix:/run/php/php7.2-fpm.sock;
+	}
+	
+	# Disable php in /images/ (security)
+	location ^~ /images/ {
+		#Served like static files
+	}
+	# Deny access to deleted images folder
+	location ^~ /images/deleted/ {
+		deny all;
+	}
+	# Deny access to MediaWiki dirs
+	location ^~ /cache/ { deny all; }
+	location ^~ /languages/ { deny all; }
+	location ^~ /maintenance/ { deny all; }
+	location ^~ /serialized/ { deny all; }
+	location ^~ /mw-config/ { deny all; }
+	# Deny .svn and .git
+	location ~ /.(svn|git)(/|$) { deny all; }
+}
+
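Review bot: `listen [::]:443;` in the TLS server block is missing the `ssl` parameter that `listen 443 ssl;` has, so IPv6 clients on port 443 are served plaintext HTTP by a block that also emits an HSTS header; change it to `listen [::]:443 ssl;`. The retained header comment tells the reader to "read up on ssl_ciphers", but the block sets neither `ssl_protocols` nor `ssl_ciphers`, so it inherits nginx's compiled-in defaults, which on releases contemporary with php7.2 still admit TLS 1.0/1.1 — add `ssl_protocols TLSv1.2 TLSv1.3;` plus an explicit cipher list, or `include /etc/letsencrypt/options-ssl-nginx.conf;` if Certbot installed it. `server_name localhost` in both blocks means they only ever match as the default vhost; presumably the installer rewrites it with the domain collected for `dominioMediaWiki` — confirm, since nothing in this diff does. The `location ~ /.(svn|git)(/|$)` pattern has an unescaped dot and is over-broad, but it is already subsumed by the `(^|/)\.` rule in denied.conf, so it is harmless.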

+ 63 - 0
etc/nginx-debian/sites-available/mediawiki.conf

@@ -0,0 +1,63 @@
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	root /var/www/wiki;
+
+	# Add index.php to the list if you are using PHP
+	index index.php index.html index.htm;
+
+	server_name localhost;
+
+	access_log /var/log/nginx/wiki-access.log;
+	error_log /var/log/nginx/wiki-error.log;
+
+	# Activate HSTS (HTTP Strict Transport Security)
+	# Note: reinclude if in a location a header is set
+	include snippets/hsts.conf;
+
+	# Allow favicon.ico, robots.txt, .well-known/
+	# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
+	include snippets/allowed.conf;
+	include snippets/denied.conf;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+		error_page 404 = @mediawiki;
+	}
+	# Rewrite for Short-URL
+	location @mediawiki {
+		rewrite ^/wiki([^?]*)(?:\?(.*))? /index.php?title=$1&$2 last;
+	}
+
+	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+	#
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+	#	# With php7.0-cgi alone:
+	#	fastcgi_pass 127.0.0.1:9000;
+	#	# With php7.2-fpm:
+		fastcgi_pass unix:/run/php/php7.2-fpm.sock;
+	}
+	
+	# Disable php in /images/ (security)
+	location ^~ /images/ {
+		#Served like static files
+	}
+	# Deny access to deleted images folder
+	location ^~ /images/deleted/ {
+		deny all;
+	}
+	# Deny access to MediaWiki dirs
+	location ^~ /cache/ { deny all; }
+	location ^~ /languages/ { deny all; }
+	location ^~ /maintenance/ { deny all; }
+	location ^~ /serialized/ { deny all; }
+	location ^~ /mw-config/ { deny all; }
+	# Deny .svn and .git
+	location ~ /.(svn|git)(/|$) { deny all; }
+}
+
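Review bot: `include snippets/hsts.conf;` in a server block that only listens on port 80 is dead configuration: browsers discard a Strict-Transport-Security header that did not arrive over TLS (RFC 6797 §8.1), so it neither protects nor harms here but misleads the next reader into thinking the site is pinned to HTTPS. Either drop the include from this plain-HTTP variant or add `# HSTS is ignored over HTTP; kept only so the block mirrors mediawiki-ssl.conf` above it. Since the installer selects this file whenever `sslOn=false`, wiki logins and session cookies travel in clear text — worth an explicit warning in the installer dialog rather than a silent choice. The `location ~ \.php$` block relies on Debian's `snippets/fastcgi-php.conf` for `try_files $fastcgi_script_name =404` and `fastcgi_split_path_info`; a short comment naming that dependency would help anyone porting the file.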

+ 17 - 0
etc/nginx-debian/snippets/allowed.conf

@@ -0,0 +1,17 @@
+# Allow favicon.ico, robots.txt, .well-known/
+location = /favicon.ico {
+	log_not_found off;
+	access_log off;
+}
+
+location = /robots.txt {
+	allow all;
+	log_not_found off;
+	access_log off;
+}
+
+# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)
+location ~* ^/.well-known/ {
+	auth_basic off;
+	allow all;
+}
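Review bot: `location ~* ^/.well-known/` only beats the `(^|/)\.` deny rule in denied.conf because this snippet happens to be included first — nginx takes the first matching regex location in file order — and the unescaped `.` also matches `/Xwell-known/`. A prefix location is both order-independent and literal: `location ^~ /.well-known/ { auth_basic off; allow all; }` wins over every regex regardless of include order and needs no escaping. `allow all` on `location = /robots.txt` is redundant, as an exact-match location already takes precedence over the `\.(txt|log)$` regex; a comment saying so would stop someone from "fixing" it later.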

+ 26 - 0
etc/nginx-debian/snippets/denied.conf

@@ -0,0 +1,26 @@
+# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
+
+# Not allow txt or logs to be downloaded
+location ~* \.(txt|log)$ {
+	deny all;
+}
+
+# Not allow execute php in hidden folders
+location ~ \..*/.\.php$ {
+	return 403;
+}
+
+# Not allow "hidden files"
+location ~ (^|/)\. {
+	return 403;
+}
+
+# Not allow *.json or *.lock
+location ~* \.(json|lock)$ {
+	return 403;
+}
+
+# Deny *.ht
+location ~ /\.ht {
+	deny all;
+}
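Review bot: `location ~ \..*/.\.php$` does not implement its comment ("php in hidden folders"): the unescaped `.` before `\.php` is a single-character wildcard, so `/.git/ab.php` is not matched (the following `(^|/)\.` rule happens to catch it), while a non-hidden path such as `/a.b/c/x.php` is. Either drop the rule as redundant with the hidden-file rule, or write it as `location ~ /\.[^/]+/.*\.php$ { return 403; }`. Note for readers that all of these regex locations only take effect because both vhosts include this snippet before `location ~ \.php$` — nginx stops at the first matching regex — so a comment such as `# must be included before the \.php$ location` at the top of the file would make that ordering contract explicit. Mixing `deny all` and `return 403` is functionally equivalent (both yield 403) but picking one form would read more consistently.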

+ 4 - 0
etc/nginx-debian/snippets/hsts.conf

@@ -0,0 +1,4 @@
+# Activate HSTS (HTTP Strict Transport Security)
+# Note: if we set another header in a location we've to
+#       rewrite it
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
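Review bot: The header comment should state the two conditions under which this one-line snippet is meaningful, because the commit includes it from a plain-HTTP vhost as well: browsers only honor Strict-Transport-Security received over TLS, and `includeSubDomains` commits every host beneath the wiki's name for a full year on the first HTTPS visit. Suggested wording: `# Only effective when served over TLS; includeSubDomains also pins every subdomain of this host for max-age, so do not enable on a host whose subdomains are not all HTTPS-ready.` The `always` parameter is correct — it makes error responses carry the header too.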

+ 86 - 0
etc/nginx-rhel/sites-available/mediawiki-ssl.conf

@@ -0,0 +1,86 @@
+
+server {
+	listen 80;
+	listen [::]:80;
+	server_name localhost;
+	# Redirect HTTP to HTTPS
+	return 301 https://$host$request_uri;
+}
+
+server {
+	# SSL configuration
+	#
+	listen 443 ssl;
+	listen [::]:443;
+    ssl_certificate /etc/letsencrypt/live/wiki.castanedo.es/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/wiki.castanedo.es/privkey.pem; # managed by Certbot
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	root /var/www/wiki;
+
+	# Add index.php to the list if you are using PHP
+	index index.php index.html index.htm;
+
+	server_name localhost;
+
+	access_log /var/log/nginx/wiki-access.log;
+	error_log /var/log/nginx/wiki-error.log;
+
+	# Activate HSTS (HTTP Strict Transport Security)
+	# Note: reinclude if in a location a header is set
+	include snippets/hsts.conf;
+
+	# Allow favicon.ico, robots.txt, .well-known/
+	# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
+	include snippets/allowed.conf;
+	include snippets/denied.conf;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+		error_page 404 = @mediawiki;
+	}
+	# Rewrite for Short-URL
+	location @mediawiki {
+		rewrite ^/wiki([^?]*)(?:\?(.*))? /index.php?title=$1&$2 last;
+	}
+
+	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+	#
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+	#	# With php7.0-cgi alone:
+	#	fastcgi_pass 127.0.0.1:9000;
+	#	# With php7.2-fpm:
+		fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+	}
+	
+	# Disable php in /images/ (security)
+	location ^~ /images/ {
+		#Served like static files
+	}
+	# Deny access to deleted images folder
+	location ^~ /images/deleted/ {
+		deny all;
+	}
+	# Deny access to MediaWiki dirs
+	location ^~ /cache/ { deny all; }
+	location ^~ /languages/ { deny all; }
+	location ^~ /maintenance/ { deny all; }
+	location ^~ /serialized/ { deny all; }
+	location ^~ /mw-config/ { deny all; }
+	# Deny .svn and .git
+	location ~ /.(svn|git)(/|$) { deny all; }
+}
+
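Review bot: `include snippets/fastcgi-php.conf;` inside `location ~ \.php$` references a file that the Debian nginx package ships but that RHEL/EPEL nginx does not have (there is no snippets/ directory at all), and this commit adds allowed/denied/hsts under etc/nginx-rhel/snippets but not fastcgi-php.conf; unless the installer copies it from somewhere outside this diff, `nginx -t` will fail on RHEL. If a replacement is hand-written, it must keep `fastcgi_split_path_info ^(.+\.php)(/.+)$;` and `try_files $fastcgi_script_name =404;` — without the latter, a request like `/images/upload.jpg/x.php` is handed to PHP-FPM and, with `cgi.fix_pathinfo=1`, executed as PHP. The RHEL socket path `/var/run/php-fpm/php-fpm.sock` should be checked against the pool file the installer actually writes (the stock RHEL pool listens on `/run/php-fpm/www.sock`). As in the Debian copy, `listen [::]:443;` lacks `ssl` and no `ssl_protocols`/`ssl_ciphers` are set.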

+ 63 - 0
etc/nginx-rhel/sites-available/mediawiki.conf

@@ -0,0 +1,63 @@
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	root /var/www/wiki;
+
+	# Add index.php to the list if you are using PHP
+	index index.php index.html index.htm;
+
+	server_name localhost;
+
+	access_log /var/log/nginx/wiki-access.log;
+	error_log /var/log/nginx/wiki-error.log;
+
+	# Activate HSTS (HTTP Strict Transport Security)
+	# Note: reinclude if in a location a header is set
+	include snippets/hsts.conf;
+
+	# Allow favicon.ico, robots.txt, .well-known/
+	# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
+	include snippets/allowed.conf;
+	include snippets/denied.conf;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+		error_page 404 = @mediawiki;
+	}
+	# Rewrite for Short-URL
+	location @mediawiki {
+		rewrite ^/wiki([^?]*)(?:\?(.*))? /index.php?title=$1&$2 last;
+	}
+
+	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+	#
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+	#	# With php7.0-cgi alone:
+	#	fastcgi_pass 127.0.0.1:9000;
+	#	# With php7.2-fpm:
+		fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+	}
+	
+	# Disable php in /images/ (security)
+	location ^~ /images/ {
+		#Served like static files
+	}
+	# Deny access to deleted images folder
+	location ^~ /images/deleted/ {
+		deny all;
+	}
+	# Deny access to MediaWiki dirs
+	location ^~ /cache/ { deny all; }
+	location ^~ /languages/ { deny all; }
+	location ^~ /maintenance/ { deny all; }
+	location ^~ /serialized/ { deny all; }
+	location ^~ /mw-config/ { deny all; }
+	# Deny .svn and .git
+	location ~ /.(svn|git)(/|$) { deny all; }
+}
+
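Review bot: The same `include snippets/fastcgi-php.conf;` dependency applies here: it is a Debian package file, is not added for nginx-rhel by this commit, and its `try_files $fastcgi_script_name =404;` is the line that stops non-PHP files from reaching PHP-FPM via path-info, so a RHEL substitute must carry it. The HSTS include in a port-80-only vhost is ignored by browsers and should be dropped or annotated as a no-op. Verify the socket path against the php-fpm pool configuration the installer produces — confirm rather than assume `/var/run/php-fpm/php-fpm.sock`.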

+ 17 - 0
etc/nginx-rhel/snippets/allowed.conf

@@ -0,0 +1,17 @@
+# Allow favicon.ico, robots.txt, .well-known/
+location = /favicon.ico {
+	log_not_found off;
+	access_log off;
+}
+
+location = /robots.txt {
+	allow all;
+	log_not_found off;
+	access_log off;
+}
+
+# Allow "Well-Known URIs" as pwe RFC 5785 (e.g. Let's Encrypt)
+location ~* ^/.well-known/ {
+	auth_basic off;
+	allow all;
+}

+ 26 - 0
etc/nginx-rhel/snippets/denied.conf

@@ -0,0 +1,26 @@
+# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
+
+# Not allow txt or logs to be downloaded
+location ~* \.(txt|log)$ {
+	deny all;
+}
+
+# Not allow execute php in hidden folders
+location ~ \..*/.\.php$ {
+	return 403;
+}
+
+# Not allow "hidden files"
+location ~ (^|/)\. {
+	return 403;
+}
+
+# Not allow *.json or *.lock
+location ~* \.(json|lock)$ {
+	return 403;
+}
+
+# Deny *.ht
+location ~ /\.ht {
+	deny all;
+}
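Review bot: This file is byte-identical to etc/nginx-debian/snippets/denied.conf, and carries the same defect: `location ~ \..*/.\.php$` treats the `.` before `\.php` as a single-character wildcard, so it misses `/.git/ab.php` (caught only by the next rule) and matches non-hidden paths such as `/a.b/c/x.php`; use `location ~ /\.[^/]+/.*\.php$ { return 403; }` or delete it as redundant. Since allowed.conf, denied.conf and hsts.conf contain nothing distribution-specific, keeping a single copy (e.g. etc/nginx/snippets/) that the installer deploys for both targets would prevent the two trees drifting apart — a fix landing in one and not the other is exactly how a deny rule silently disappears.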

+ 4 - 0
etc/nginx-rhel/snippets/hsts.conf

@@ -0,0 +1,4 @@
+# Activate HSTS (HTTP Strict Transport Security)
+# Note: if we set another header in a location we've to
+#       rewrite it
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

+ 61 - 5
install

@@ -135,6 +135,12 @@ comprobarError() {
 		501)
 			error="\n$type $codeNum:\tImposible descargar MediaWiki-1.31.0.\n"
 			;;
+		502)
+			error="\n$type $codeNum:\tImposible configurar MediaWiki-1.31.0.\n"
+			;;
+		503)
+			error="\n$type $codeNum:\tImposible configurar Base de Datos para MediaWiki-1.31.0.\n"
+			;;
 		601)
 			error="\n$type $codeNum:\tImposible descargar Moodle-3.5.1.\n"
 			;;
@@ -448,6 +454,7 @@ inicializarVariables() {
 	actualizacionesOn=false
 	progreso=0
 	progresoTotal=0
+	hostname=""
 	logFile="./."$(basename $0)".log"
 	maxUpload="100M"
 	webServerName=""
@@ -455,6 +462,7 @@ inicializarVariables() {
 	webServerGroup=""
 	sqlServerName=""
 	phpFPMName=""
+	dominioMediaWiki=""
 }
 
 instalacionExpress() {
@@ -550,6 +558,7 @@ mostrarComponentes() {
 				;;
 			\"MediaWiki\")
 				mediaWikiOn=true
+				mostrarMediaWiki
 				progresoTotal=$((progresoTotal + 2))
 				;;
 			\"Moodle\")
@@ -594,6 +603,15 @@ mostrarSSL() {
 	done
 }
 
+mostrarMediaWiki(){
+	# Introducir dominio
+	while [ -z $dominioMediaWiki ]; do
+		dominioMediaWiki=$(whiptail --title "CONFIGURACION MEDIAWIKI" --inputbox "Introduzca el dominio/subdominio para MediaWiki.\nTenga en cuenta que debes apuntar este a la dirección IP de esta máquina mediante un registro DNS tipo CNAME." $((ALTO * 9 / 10)) $((ANCHO * 9 / 10)) wiki.$hostname --ok-button "Continuar" --cancel-button "Salir" 3>&1 1>&2 2>&3)
+		comprobarError $? 1
+		# Mejora: comprobar si el dominio ya está en uso
+	done
+}
+
 establecerFQDN() {
 	while [ -z $hostname ]; do
 		hostname=$(whiptail --title "FQDN" --inputbox "El nombre de dominio principal (FQDN) de este servidor es:\n"$(hostname)"\n\nQuieres cambiarlo por otro?" $((ALTO * 9 / 10)) $((ANCHO * 9 / 10)) --ok-button "Cambiar" --cancel-button "No Cambiar" 3>&1 1>&2 2>&3)
@@ -704,13 +722,17 @@ configurarNginx() {
 
 instalarVirtualHost() {
 	# Configuramos un Virtual Host para Apache o Nginx
-	# Uso: instalarVirtualHost $virtualHost
-	if [ $# -ne 1 ];then
+	# Uso: instalarVirtualHost $virtualHost $virtualHostName
+	webServerRoot=$(realpath "/etc/$webServerName/")
+	if [ $# -eq 1 ];then
+		virtualHost=$(realpath $1)
+		virtualHostName=$(basename $virtualHost)
+	elif [ $# -eq 2 ];then
+		virtualHost=$(realpath $1)
+		virtualHostName=$2
+	else
 		comprobarError 1 908
 	fi
-	webServerRoot=$(realpath "/etc/$webServerName/")
-	virtualHost=$(realpath $1)
-	virtualHostName=$(basename $virtualHost)
 	if [ ! -f $virtualHost ];then
 		comprobarError 1 909 $virtualHostName
 	fi
@@ -1156,7 +1178,41 @@ configurarMediaWiki() {
 	chown -R $webServerUser:$webServerGroup /var/www/wiki
 	comprobarError $? 502
 	# Creamos DataBase
+	crearDBMediaWiki
+	# Configuramos LocalSettings.php
 	# Configuramos VirtualHost
+	if [ $nginxOn = true ] && [ $debianOS = true ] && [ $sslOn = false ]; then
+		virtualHost="./etc/nginx-debian/sites-available/mediawiki.conf"
+	elif [ $nginxOn = true ] && [ $debianOS = true ] && [ $sslOn = true ]; then
+		virtualHost="./etc/nginx-debian/sites-available/mediawiki-ssl.conf"
+	elif [ $nginxOn = true ] && [ $rhelOS = true ] && [ $sslOn = false ]; then
+		virtualHost="./etc/nginx-rhel/sites-available/mediawiki.conf"
+	elif [ $nginxOn = true ] && [ $rhelOS = true ] && [ $sslOn = true ]; then
+		virtualHost="./etc/nginx-rhel/sites-available/mediawiki-ssl.conf"
+	fi
+	if [ ! -f $virtualHost ];then
+		comprobarError $? 502
+	fi
+	instalarVirtualHost $virtualHost $dominioMediWiki
+	unset virtualHost
+}
+
+crearDBMediaWiki() {
+	# Creamos una base de datos para MediaWiki
+	dbDir="./etc/db"
+	if [ ! -d $dbDir ];then
+		mkdir $dbDir 2>/dev/null
+		comprobarError $? 503
+	fi
+	dbFile=$dbDir"/mediawiki.sql"
+	echo -en "CREATE DATABASE $dominioMediaWiki;\n" > $dbFile
+	echo -en "GRANT ALL PRIVILEGES ON $dominioMediaWiki.* TO '$dominioMediaWiki'@'localhost' IDENTIFIED BY '$sqlPasswd';\n" >> $dbFile
+	mysql -u root --password=$sqlPasswd < $dbFile
+	control=$?
+	rm -f $dbFile 2>/dev/null
+	comprobarError $? 503
+	comprobarError $control 503
+	unset control
 }
 
 descargarMoodle() {
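Review bot: `crearDBMediaWiki` interpolates the operator-supplied `$dominioMediaWiki` unquoted into `CREATE DATABASE` and `GRANT`, so the value the dialog proposes by default (`wiki.$hostname`, i.e. a dotted name) is a syntax error as a bare identifier, and a value containing a quote or semicolon is executed as SQL; derive a name restricted to `[A-Za-z0-9_]` and backtick-quote it. The wiki user is created with the same `$sqlPasswd` that is used to log in as root, and that root password is passed as `--password=` on the command line where every local user can read it from `ps`; generate a dedicated credential for the wiki user (it then has to be written into LocalSettings.php, which this commit leaves as a TODO) and hand the root password over via `MYSQL_PWD` or a defaults file. The temporary `./etc/db/mediawiki.sql` holds that password in clear text with umask-dependent permissions until it is removed, and `comprobarError $? 503` after `rm -f` reports rm's status rather than mysql's — a heredoc avoids the file and the second check entirely. `GRANT ... IDENTIFIED BY` is removed in MySQL 8 and deprecated in recent MariaDB, so a separate `CREATE USER` is more portable — confirm against the server the installer targets. Separately, the call `instalarVirtualHost $virtualHost $dominioMediWiki` uses a misspelt variable (the one initialised is `dominioMediaWiki`), so the second argument expands to nothing and the one-argument branch names the vhost after the file rather than the domain.
```shell
crearDBMediaWiki() {
	# Creamos una base de datos para MediaWiki
	# Reduce the operator-supplied domain to a safe MySQL identifier ([A-Za-z0-9_]).
	dbName=$(printf '%s' "$dominioMediaWiki" | tr -c 'A-Za-z0-9_' '_')
	# Dedicated credential for the wiki user; never reuse the root password.
	# NOTE: this value still has to be written into LocalSettings.php.
	dbPasswd=$(head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 24)
	# Root password via the environment, not argv, so it is not visible in ps;
	# heredoc instead of a temp file so the password never touches disk.
	MYSQL_PWD="$sqlPasswd" mysql -u root <<EOF
CREATE DATABASE \`$dbName\`;
CREATE USER '$dbName'@'localhost' IDENTIFIED BY '$dbPasswd';
GRANT ALL PRIVILEGES ON \`$dbName\`.* TO '$dbName'@'localhost';
EOF
	comprobarError $? 503
}
```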