A partial archive of https://discourse-mediawiki.wmflabs.org as of Saturday May 21, 2022.

TLS when wiki is outsourced

freephile

Say my customer is example.com, with multiple applications and services routed to that domain, e.g. /blog or login.example.com. One service that they are hosting is a MediaWiki instance at https://example.com/wiki (also using a single-sign-on infrastructure, but I don’t think that matters much for this discussion about SSL and routing requests for top-level folders of the domain). For them to outsource the wiki hosting, and continue to have the wiki hosted at /wiki using an SSL certificate that they provide, what needs to be done?

I’m assuming that if I have a static IP address xx.xx.xx.xx, and an SSL certificate from the customer for “wiki.example.com”, the customer can use DNS to make sure that wiki.example.com points to that IP. The customer would also use their web server or proxy server to internally proxy requests for /wiki to wiki.example.com/wiki. To the end user (and Google) they would simply see https://example.com/wiki in their browser (preserving existing links and SEO built up at that path). Is this correct? In short, the goal is to ensure SSL encryption and also preserve existing links while outsourcing the hosting of the wiki. Existing links include valid entry points like example.com/w/api.php.

And, what ways can latency and overhead be reduced so that their server can hand-off requests as efficiently as possible under a high load environment?

FlorianSW

I’m not sure if I understood your question correctly. But first of all, we need to clarify whether the wiki is hosted as a sub-directory of a top-level domain, such as:

example.com/wiki

or if the wiki is hosted with a sub-domain:

wiki.example.com

If the first one:
This will be more difficult. The DNS record for example.com would point to your customer’s server, where the other services are hosted too (like example.com/blog). This server would need to be configured to forward the requests to the external hosting service. How this can be configured, and what the best approach is, depends on the webserver.

For your TLS question, the setup in this case would most likely be the following: the webserver of your customer (behind example.com) would terminate the TLS connection, which means it will decrypt the data sent on the connection and handle it accordingly. The private key of the certificate used would only be stored on your customer’s server. The server would then forward the data to the external hosting service. You should then clarify what “external” means in this case: will the traffic be routed internally in your data center (meaning: can you ensure that the data can never ever be transmitted or sniffed from the outside)? If so, it would maybe be OK to transmit the data in clear text without any encryption.

However, if external means that the server hosting the MediaWiki instance is hosted in some other data center (which means the data is transferred over an external network, like the internet), you need to think about encrypting the data again. That would mean that your customer’s server would need to open an encrypted connection to the wiki-hosting server to forward the request. The wiki-hosting server would then need its own TLS certificate for that. For your second question about the load on the server: that would mean that your customer’s server would first decrypt the data from the user-facing connection and then forward it to the backend wiki-hosting server, which includes encrypting the data again. Depending on the load of the server and the number of requests, this can be more expensive.

If the second one:
That would make things a bit easier: you could create a new DNS record for the subdomain wiki.example.com pointing to the IP address of the external wiki-hosting server. The request would then go directly from the user’s client to the wiki-hosting server. There would be no need for your customer’s current server to proxy anything or do something similar. Also: the external wiki-hosting server would then decrypt/terminate the TLS connection. This, on the other hand, may create a separate problem: depending on the certificate used for the domain example.com, you would probably need to share the private key of that certificate to be able to use it for the wiki.example.com domain (if it’s a wildcard certificate). If you need to do that, you should definitely think about whether you trust the external hosting server and operator enough to give them such critical information. If you can’t trust them that much (they would be able to decrypt any encrypted data transferred between the server and the customer that used this private key), then you would need to create a separate certificate for wiki.example.com and use it on the wiki-hosting server only.

I hope this answers the question; if not, please provide some more details about what you want to achieve and where the problems are. Also: this doesn’t seem to be a real MediaWiki-related question, as MediaWiki doesn’t really care about such things; these are handled by the webserver :slight_smile:
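Editor's note: the following is an added example, not part of FlorianSW's reply or of any MediaWiki project code. It shows the sub-directory setup described above, with the customer's server terminating the user-facing TLS session and re-encrypting the hop to the outsourced wiki host (verifying the hoster's certificate), and it addresses freephile's latency question with a keepalive pool to the backend. nginx as the customer's webserver, the backend name wiki-backend.example-hoster.net, the certificate file paths and the CA bundle location are all assumptions for illustration.

```nginx
# Customer-side nginx for example.com (added example, not from the thread).
# Terminates the user-facing TLS session with the customer's own certificate
# and re-encrypts every /wiki and /w request towards the outsourced wiki host,
# verifying that host's certificate on the second hop.
# wiki-backend.example-hoster.net, the file paths and the CA bundle location
# are assumptions for illustration.

upstream wiki_backend {
    server wiki-backend.example-hoster.net:443;
    # Pool of idle, already-handshaken connections to the hoster. Reusing them
    # avoids a fresh TCP + TLS handshake per proxied request, which is the main
    # cost of the decrypt-then-re-encrypt hop under load.
    keepalive 32;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    # The customer's certificate; its private key stays on this host only.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only the wiki entry points are proxied, so /blog etc. stay local and
    # existing links such as https://example.com/w/api.php keep working.
    location ~ ^/(wiki|w)(/|$) {
        proxy_pass https://wiki_backend;

        # HTTP/1.1 with an empty Connection header is required for nginx to
        # actually reuse the keepalive pool declared above.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Second hop: TLS to the hoster, with certificate verification. Without
        # proxy_ssl_verify nginx accepts any certificate on this connection.
        # proxy_ssl_name must be set explicitly here: with an upstream block,
        # the default ($proxy_host) would be the literal string "wiki_backend",
        # so SNI and name verification would target the wrong name.
        proxy_ssl_server_name on;
        proxy_ssl_name wiki-backend.example-hoster.net;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;

        # Preserve the public hostname so the wiki builds https://example.com/...
        # URLs (the hoster's vhost must accept Host: example.com), and pass the
        # real client address, since the hoster otherwise only sees this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

On the hoster's side this assumes a vhost serving MediaWiki for server_name example.com with the hoster's own certificate for wiki-backend.example-hoster.net, so the customer's certificate key is never handed over, as the reply above recommends. Validate with `nginx -t` before reloading, and check the second hop by deliberately pointing proxy_ssl_trusted_certificate at an empty bundle: requests must then fail with an upstream SSL error rather than silently succeed.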

Ciencia-Al-Poder

Note that when outsourcing the wiki, you should have some sort of control over the wiki, like the possibility to configure things in LocalSettings.php. For example, you need to specify $wgServer and set it to example.com, not to outsourcing.wiki.domain.com where the wiki is actually installed.