Sito/Technical documentation
Public technical documentation for the https://www.wikimedia.it/ website.
Server access
ssh fabula.wikimedia.it
To request access:
Overview
┌─────┐          ┌─────────────────┐          ┌───────────────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
└──┬──┘          └────────┬────────┘          └───────┬───────┘
   │       request        │                           │
   │<────────────────────>│                           │
   │                      │                           │
   │                      │          request          │
   │                      │<─────────────────────────>│
┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9003)│
└─────┘          └─────────────────┘          └───────────────┘
File system
The application is under:
/var/www/wmi/wordpress
Database
The database is called WMIDB.
It has a dedicated user with the same name.
Update
Before starting an update, make the application writable by the service user:
chown apache-wmi: -R /var/www/wmi/wordpress
When the update is complete, run the #Hardening steps again.
Hardening
After you have done any #Update, please execute this hardening process:
# first step: make whole application read-only for everyone
chown root: -R /var/www/wmi/wordpress
# second step: protect some secrets
chmod o= /var/www/wmi/{tmp,session}
chown apache-wmi: /var/www/wmi/{tmp,session}
chmod o= /var/www/wmi/wordpress/wp-config.php
chown apache-wmi: /var/www/wmi/wordpress/wp-config.php
# third step: allow write-mode on some locations
chown -R apache-wmi: /var/www/wmi/wordpress/wp-content
chown apache-wmi: /var/www/wmi/{tmp,session}
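The following read-only audit is an added example, not part of the original page or of the project's own scripts: it checks that the three hardening steps above took effect. The function name audit_hardening and the finding labels are made up for illustration; the base path and the apache-wmi user are the ones given on this page.

```shell
#!/bin/sh
# Added example: read-only audit of the state the hardening steps should leave.
# Usage (as root): sh audit.sh /var/www/wmi apache-wmi
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if the tree is missing.

audit_hardening() {
    base=$1; svc=$2; wp="$base/wordpress"
    for d in "$wp/wp-content" "$base/tmp" "$base/session"; do
        [ -d "$d" ] || { echo "MISSING $d"; return 2; }
    done
    [ -f "$wp/wp-config.php" ] || { echo "MISSING $wp/wp-config.php"; return 2; }

    report=$(
        # Step 1: outside wp-content, only wp-config.php may belong to the service user.
        find "$wp" -path "$wp/wp-content" -prune -o \
            -user "$svc" ! -path "$wp/wp-config.php" -print |
            sed 's/^/OWNED-BY-SERVICE /'

        # Step 2: the secrets must grant nothing to "other" and belong to the service user.
        for p in "$base/tmp" "$base/session" "$wp/wp-config.php"; do
            find "$p" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
                sed 's/^/WORLD-ACCESSIBLE /'
            find "$p" -prune ! -user "$svc" -print | sed 's/^/WRONG-OWNER /'
        done

        # Step 3: everything under wp-content must belong to the service user.
        find "$wp/wp-content" ! -user "$svc" -print | sed 's/^/WRONG-OWNER /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Run only when called with both arguments, e.g. the page's base path and user.
if [ "$#" -eq 2 ]; then
    audit_hardening "$1" "$2"
fi
```

An OWNED-BY-SERVICE finding after an #Update usually means the hardening steps were not re-run.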
Configuration
WordPress configuration:
nano /var/www/wmi/wordpress/wp-config.php
Apache configuration:
nano /etc/httpd/sites-enabled/it-wikimedia-www-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-www-txt.conf
PHP-FPM configuration:
nano /etc/opt/rh/rh-php73/php-fpm.d/9003-it.wikimedia-wordpress.conf
To publish any change to Wikimedia Phabricator, run:
/root/scripts/commit.sh
Log
Generic Apache error log:
tail -f /var/log/httpd/error_log
Generic Apache access log:
tail -f /var/log/httpd/access_log
Service
To apply your changes you need to restart the services.
Apache frontend web server:
apache2ctl configtest
apache2ctl graceful
PHP-FPM backend:
systemctl status rh-php73-php-fpm
systemctl restart rh-php73-php-fpm
Unix user
The PHP-FPM application runs under a dedicated low-privileged Unix user:
$ id apache-wmi
uid=1439(apache-wmi) gid=1439(apache-wmi) groups=1439(apache-wmi),48(apache)
Created with:
$ adduser -d /var/www/html -s /sbin/nologin -g apache apache-wmi
This service uses an SMTP account @wikimedia.it with username noreply.
See #Configuration.
See technical addresses.
Phabricator
- phabricator:search - search recent activity