The internet community is rapidly moving to ensuring all websites are secure by using Hypertext Transfer Protocol Secure (HTTPS).
Note that HTTPS and mobile friendly are used as ranking signals by search engines.
This page is a placeholder or work in progress, serving to amalgamate information from the email list and recipes to where it should be held in the main PmWiki pages.
HTTPS request handling by PmWiki
PmWiki already responds properly to https: requests -- it detects when a request comes in via HTTPS and converts its outgoing links accordingly.
The sample config.php
contains:
# $ScriptUrl = 'http://www.mydomain.com/path/to/pmwiki.php';
# $PubDirUrl = 'http://www.mydomain.com/path/to/pub';
To force all pmwiki links to use https change this to:
$ScriptUrl = 'https://'.$_SERVER['HTTP_HOST'].'/pmwiki/pmwiki.php';
$PubDirUrl = 'https://'.$_SERVER['HTTP_HOST'].'/pmwiki/pub';
Chances are that a site is already setting $ScriptUrl
in the local/config.php anyway -- it's one of the first things mentioned in docs/sample-config.php
, and in the initial setup tasks documentation.
I'd be fine with updating docs/sample-config.php to include something like:
# If you prefer HTTPS over HTTP linkages: # $UrlScheme = 'https'; # $ScriptUrl = 'https://www.mydomain.com/path/to/pmwiki.php'; # $PubDirUrl = 'https://www.mydomain.com/path/to/pub';
PmWiki to automatically redirect HTTP to HTTPS
To have PmWiki automatically redirect incoming HTTP requests to be a HTTPS request... that sounds recipe-ish. And it's much more efficient for it to be handled at the webserver level anyway (e.g., vis .htaccess, Redirect, etc.)
At the beginning of config.php
add, for versions of PmWiki after 2.2.0-beta18
if ($UrlScheme == 'http') { header( "Location: " . "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); exit('<html><body> <a href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">Please use HTTPS</a> </body></html>'); } $ScriptUrl = "https://".$_SERVER['HTTP_HOST']."/pmwiki/pmwiki.php"; $PubDirUrl = 'https://'.$_SERVER['HTTP_HOST'].'/pmwiki/pub';
Certificate
A certificate from a Certificate Authority is required, a self-signed certificate is no longer adequate[1].
- Let’s Encrypt is a free, automated, and open Certificate Authority
- EFF's CertBot for automatically enabling HTTPS on your PmWiki deploying Let's Encrypt certificates.
- Certify the Web provides a Windows native client to acquire and install a Let's Encrypt certificate
Using .htacccess for HTTPS
Create, or add to, an .htaccess
file in the public_html
directory.
Add the lines
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Ensure the RewriteEngine On
is not repeated twice.[2]
Setup HTTPS on IIS
The following steps will assist in getting PmWiki working with HTTPS on IIS.
- Follow the steps above to enable HTTPS in PmWiki and acquire a SSL Certificate.
- In IIS select the server, and Sever Certificates
- if your certificate is not already shown here (e.g. from LetsEncrypt) import it
- Enable Automatic Rebind of Renewed Certificate
- In IIS select the website to secure
- choose the Binding action, add a binding of Type
https
for your Host Name, then select the SSL certificate to use
- choose the Binding action, add a binding of Type
You can also redirect your http traffic to https.
Also check
- your router is set to allow port 443 (HTTPS) traffic
- your firewall is set to allow HTTPS (port 443) traffic
- IIS SSL settings are set to Client certificates: ignore
A Simpler Way
You can simply do this as well, I have been using for some time now:
$ScriptUrl = '//your-host-name.com/pmwiki/pmwiki.php';
$PubDirUrl = '//your-host-name.com/pmwiki/pub';
You just have to remove the 'http:' or 'https:' altogether, but this will remove compatibility with older browsers and some PmWiki recipes, like googledocviewer, be careful.
References
This page may have a more recent version on pmwiki.org: PmWiki:SetupHTTPS, and a talk page: PmWiki:SetupHTTPS-Talk.