Info

Here I keep the most up-to-date script for server wilbertvolkers.linkpc.net for both MediaWiki and SOGo.

• An entry for Raspberry Pi monitor pages local http (80)
• An entry for thw Pi-hole pages local http (80)
• MediaWiki on https (443). Force secure SSL login.
• SOGo only on https (443) redirect http (80) to https (443)

Configuration (Raspberry Pi)

Disable default SOGo configuration of Apache:

sudo mv /etc/apache2/conf.d/SOGo.conf /etc/apache2/conf.d/SOGo.conf.backup

Create new configuration in 'sites-available':

sudo nano /etc/apache2/sites-available/raspberrypi.conf

SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect file:/dev/urandom 1024 

ServerName wilbertvolkers.linkpc.net

# ACME challenge ###################

Listen 8080
<VirtualHost _default_:8080>
 Alias "/.well-known/acme-challenge" "/var/www/acme-challenge"
 <Directory /var/www/acme-challenge>
	AllowOverride None
	Require all granted
	ServerSignature Off
 </Directory>
</VirtualHost>

# Local port 80 ####################

<VirtualHost _default_:80>

 #DocumentRoot /var/www/docroot/

 #pi-hole admin via http
 Alias /admin/ /var/www/html/admin/
 <Directory /var/www/html/admin/>
  AllowOverride None
  Require all granted
 </Directory>
 Alias /pihole/ /var/www/html/pihole/
 <Directory /var/www/html/pihole/>
  AllowOverride None
  Require all granted
 </Directory>

 #RPi-monitor
 Alias /rpimonitor/ /usr/share/rpimonitor/web/
 <Directory /usr/share/rpimonitor/web/>
  AllowOverride None
  Require all granted
 </Directory>

</VirtualHost>

# HTTPS/SSL port 443 ################

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

<VirtualHost _default_:443>
 #Mediawiki / SOGo
 Servername wilbertvolkers.linkpc.net
 ServerAdmin admin@wilbertvolkers.linkpc.net

 #DocumentRoot /var/www/docroot/

 SSLEngine On
 #SSLOptions +StrictRequire
 # Note: +SSLv3 not supported by this version of OpenSSL
 # SSLProtocol -all +TLSv1
 # Support only for strong cryptography:
 #SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM 
 SSLSessionCacheTimeout 600 
 SSLVerifyClient none 
 SSLProxyEngine off
 
 SSLCertificateFile /etc/apache2/ssl/server.cer
 SSLCertificateKeyFile /etc/apache2/ssl/server.key

 ServerSignature Off

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 
 #enable debug info to solve problems
 #http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
 #LogLevel debug

 # MediaWiki ###################
 
 Alias "/mediawiki" "/var/www/mediawiki"
 <Directory /var/www/mediawiki>
	SSLRequireSSL
	AllowOverride None
	Require all granted
 </Directory>

 # MediaWiki security manual
 php_flag register_globals off
 
 <Directory /var/www/mediawiki/images>
	# Ignore .htaccess files
	AllowOverride None
	# Serve HTML as plaintext, don't execute SHTML
	AddType text/plain .html .htm .shtml .php .phtml .php5
	# Don't run arbitrary PHP code.
	php_admin_flag engine off
 </Directory>

 <Directory /var/www/mediawiki/images/deleted>
	Deny from all
	AllowOverride AuthConfig Limit
	Require local
 </Directory>
 
 <Directory /var/www/mediawiki/cache>
	Deny from all
	AllowOverride AuthConfig Limit
	Require local
 </Directory>

# SOGo ########################

 <IfModule mpm_itk_module>
	AssignUserId sogo-a sogo-a
 </IfModule>
 Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
 Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
 AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
 <Directory /usr/lib/GNUstep/SOGo/>
	SSLRequireSSL
	AllowOverride None
	Require all granted
 </Directory>
 <LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
	SetHandler default-handler
 </LocationMatch>
 ProxyRequests Off
 SetEnv proxy-nokeepalive 1
 ProxyPreserveHost On
 ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
 <Proxy http://127.0.0.1:20000/SOGo>
	RequestHeader set "x-webobjects-server-port" "443"
	RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
	RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
	RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
	RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
	AddDefaultCharset UTF-8
	Require all granted
 </Proxy>

 # use mod_rewrite to pass remote address to the SOGo proxy.
 # The remote address will appear in SOGo's log files and in the X-Forward
 # header of emails.
 RewriteEngine On
 RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>

Enable Apache modules and website

Enable needed Apache2 modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo a2enmod rewrite
sudo a2enmod ssl
sudo service apache2 restart

Enable the site:

sudo a2ensite wilbertvolkers.linkpc.net
sudo service apache2 reload

To test if everything is working go to:

• https://wilbertvolkers.linkpc.net/SOGo
• https://wilbertvolkers.linkpc.net/mediawiki
• http://192.168.1.2/admin/
• http://192.168.1.2/rpimonitor/status.html

See also

• SOGo
• MediaWiki
• Apache2 webserver
• Create certificates for Apache2
• Configure local DNS file
• Dynamic DNS service
• DNS server
• Raspberry Pi - Pi-Hole Network-wide ad blocking