Manual:HTTPS/cs

From Linux Web Expert

MediaWiki supports mixed communication over both HTTP and HTTPS, but since roughly 2020, in line with generally accepted web best practices, HTTP communication has been progressively restricted, and it is recommended that sites communicate only over HTTPS. HTTP communication is not encrypted in any way: plain text is sent that can be eavesdropped anywhere along the route, so a user's password can be stolen, the user's session can be taken over, or, in a so-called man-in-the-middle attack, the user can be unknowingly redirected to a fake page. HTTPS is encrypted, and the browser verifies the server's identity throughout the connection.

HTTPS-only wiki

  • Set $wgForceHTTPS to true; this will redirect all HTTP requests to HTTPS, and set the secure flag on all cookies.
  • If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect. You might also need to set $wgInternalServer, for the benefit of extensions which cause MediaWiki to make web requests to itself.
  • Let's Encrypt can provide for free the certificates needed for setting up your site to serve HTTPS.
  • Consider enabling strict transport security in your web server, to prevent browsers from being tricked into visiting the site over HTTP and falling victim to phishing attacks.
  • Configuring HTTPS protocol details can be tricky; there are a number of automated audits, such as Qualys SSL Labs' test, that can analyse your website and give you advice.
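An offline check of three properties listed above (HTTP requests redirected to their HTTPS twin, the Secure flag on every cookie, a Strict-Transport-Security header), written as an added example that is not part of the MediaWiki manual or of MediaWiki itself; the responses and the hostname wiki.example.org are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 307, 308}


def expected_https(url):
    """The https:// twin of an http:// URL, i.e. where $wgForceHTTPS should redirect."""
    s = urlsplit(url)
    return urlunsplit(("https", s.netloc, s.path, s.query, s.fragment))


def _values(headers, name):
    # Headers are (name, value) pairs because Set-Cookie may repeat.
    return [v for k, v in headers if k.lower() == name]


def audit(http_url, http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    location = _values(http_headers, "location")
    if http_status not in REDIRECT_CODES or not location:
        findings.append("HTTP request was not redirected to HTTPS ($wgForceHTTPS not in effect)")
    elif location[0] != expected_https(http_url):
        findings.append(f"redirect target {location[0]} is not the HTTPS twin of {http_url}")
    for cookie in _values(https_headers, "set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} is set without the Secure flag")
    if not _values(https_headers, "strict-transport-security"):
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    return findings


# Constructed sample responses (not captured from a real wiki).
HARDENED = dict(
    http_url="http://wiki.example.org/index.php?title=Main_Page",
    http_status=301,
    http_headers=[("Location", "https://wiki.example.org/index.php?title=Main_Page")],
    https_headers=[("Set-Cookie", "my_wiki_session=abc; path=/; secure; HttpOnly"),
                   ("Strict-Transport-Security", "max-age=31536000")],
)
WEAK = dict(
    http_url="http://wiki.example.org/index.php?title=Main_Page",
    http_status=200,
    http_headers=[("Content-Type", "text/html")],
    https_headers=[("Set-Cookie", "my_wiki_session=abc; path=/; HttpOnly")],
)

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(**resp) or ["ok"])
```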

Mixed-protocol wiki

A mixed-protocol wiki can be accessed via both HTTP and HTTPS. This is inherently insecure, as HTTP connections can be monitored by third parties, who can track what your users do or steal authentication cookies and temporarily take over user accounts. You will need to set $wgServer to a protocol-relative URL and set $wgCanonicalServer to an absolute URL (it is up to you whether that is the HTTP or the HTTPS one).

  • If you enable $wgSecureLogin, MediaWiki will do its best in this scenario to protect at least passwords, by forcing users to HTTPS for the duration of their login. Users can indicate, in their preferences (the prefershttps user preference) and during login, that they prefer HTTPS, in which case they are automatically redirected as if $wgForceHTTPS were enabled.
  • If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect.

HTTP-only wiki

This requires no extra configuration, but is strongly recommended against as it is even more insecure than a mixed-protocol wiki.

Other related hooks and configuration options

  • $wgCookieSecure - for forcing cookies to be HTTPS-only. There shouldn't be any need to change the default value.
  • $wgVaryOnXFP - for setting the appropriate Vary header; might be needed for proxies/CDNs.
  • CanIPUseHTTPS (deprecated in 1.35) - for forcing HTTP for certain IP ranges (intended for traffic from countries where HTTPS communication is blocked).
  • UserRequiresHTTPS (deprecated in 1.35) - for forcing HTTPS for certain users.
  • BeforeHttpsRedirect (deprecated in 1.35) - called before redirecting from HTTP to HTTPS; can alter or prevent the redirect.
  • $wgHttpsPort - for using a non-standard HTTP port.
  • HTTPS-specific features of MediaWiki can be tested in MediaWiki-Vagrant by enabling the https role.
  • For information about the HTTPS-related configuration of Wikimedia websites, see the HTTPS page on Wikitech.