Changes for page How to setup an XWiki docker container
Last modified by Alexandru Pentilescu on 2023/06/25 18:56
From version 45.1
edited by Alexandru Pentilescu
on 2022/06/09 23:05
Change comment:
There is no comment for this version
To version 55.1
edited by Alexandru Pentilescu
on 2022/06/15 22:58
Change comment:
There is no comment for this version
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
Page properties: Content
... ... @@ -5,7 +5,7 @@ 5 5 * You have sudo rights on the machine where you're trying to install the XWiki server on 6 6 * This machine already has docker fully installed and properly configured on it. Please perform a test installation of any random image from docker hub to ensure that everything works appropriately 7 7 * You already own and are in control of a domain name for which you wish to make the XWiki server accessible through. This domain name is already pre-configured to point to the server that you wish to install XWiki on. In my particular case, I already have pentilescu.com configured to point to my VPS and, what I wished to accomplish was to have a subdomain via which I could access XWiki. In this particular case, this subdomain was wiki.pentilescu.com. To that end, you must have nginx also configured and running on the same server in the background, to have it redirect connections whose destination is a specific port to a subdomain 8 -* Finally, you must have an SMTP email server running somewhere accessible to the docker instance. XWiki will need to use this server to relay account activation emails as well as password reset emails to its users8 +* Finally, it's recommended (although not mandatory) to have an SMTP email server running somewhere accessible to the docker instance. XWiki will need to use this server to relay account activation emails as well as password reset emails to its users 9 9 10 10 With all of these details in mind, let's begin! 11 11 ... ... @@ -54,7 +54,7 @@ 54 54 # --------------------------------------------------------------------------- 55 55 version: '2' 56 56 networks: 57 - bridge:57 + internal_xwiki_network: 58 58 driver: bridge 59 59 services: 60 60 # The container that runs XWiki + Tomcat ... ... 
@@ -78,8 +78,8 @@ 78 78 volumes: 79 79 - ./data/xwiki-data:/usr/local/xwiki 80 80 networks: 81 - internal_xwiki_network :82 - ipv4_address: 192.168.80.381 + - internal_xwiki_network 82 + 83 83 # The container that runs the database (mariadb) 84 84 db: 85 85 image: "mariadb:10.5" ... ... @@ -103,8 +103,7 @@ 103 103 - MYSQL_PASSWORD=${DB_PASSWORD} 104 104 - MYSQL_DATABASE=${DB_DATABASE} 105 105 networks: 106 - internal_xwiki_network: 107 - ipv4_address: 192.168.80.4 106 + - internal_xwiki_network 108 108 109 109 networks: 110 110 internal_xwiki_network: ... ... @@ -133,7 +133,6 @@ 133 133 134 134 Please replace <database_password> and <mysql_root_password> with randomly generated long strings, preferrably containing a long sequence of lowercase, uppercase letters, digits and symbols. In my case, I chose 12 character long sequences for each of them. It's unlikely for a hacker to compromise your docker environment but it's still best practice to make the passwords as long and hard to guess as possible, as an extra layer of security. 135 135 136 - 137 137 = First run of the container = 138 138 139 139 The first run is always the scariest. Start up the docker image and wait for everything to initialize: ... ... 
@@ -158,7 +158,7 @@ 158 158 159 159 For the time being, press the "Later" button on the dialog (not the "Never" one!) and then run a "docker-compose down" to stop the container from running. The first test run was a success! Congratulations! 160 160 161 -= Nginx reverse proxy configuration = 159 += [OPTIONAL] Nginx reverse proxy configuration = 162 162 163 163 We assume you already have Nginx installed and properly configured on your machine. Also, we will assume you have an X.509 certificate whose Subject Alt Names includes both your domain name, as well as the subdomain for your wiki (i.e. in my case for pentilescu.com and wiki.pentilescu.com, respectively) and you've configured Nginx to utilize both of them! If this is not the case or you're unsure how to perform these configurations, please check the internal "How to setup an Nginx reverse proxy and also provide a global X.509 certificate for it" guide at the bottom of this page. 164 164 ... ... 
@@ -277,8 +277,29 @@ 277 277 Please be sure to use the appropriate IP address as configured in your "docker-compose.yml" file for your xwiki service. 278 278 For more information about postfix and setting it up, please visit the "How to setup a postfix SMTP server" article in the external references section at the bottom of this article! 279 279 278 + 279 +=== Correcting "localhost" directing URLs in received emails === 280 + 281 +This might be just a problem on my end but, after configuring my SMTP server and then requesting an unnecessary password reset for my account to test my configuration, the arrived email contained a password-reset URL which, instead of pointing to my server, as it should have, it pointed to http://localhost:8081. This is obviously wrong and NOT correct. 282 +Fix: go to "<your XWiki directory>/data/xwiki-data/data/" and open the "xwiki.cfg" configuration file there. Find the "xwiki.home" configuration option in that file, uncomment it if you have to, and set it to point to your actual fully qualified domain name (including the trailing "/" at the end) to correct this issue. Please remember to restart the XWiki docker container afterwards for the changes to take effect! 283 + 284 +== Modifying cookie encryption keys == 285 + 286 +XWiki has an interesting login mechanism. It doesn't use session tokens to keep track of your user account. What it does do is that it stores two session cookies in your browser: one for your username and one for your password. 287 +Every time you make a request to your server, these two session cookies are sent along with each request, effecitvely authenticating it. 288 +This might seem as a huge security problem, as the password is stored in the session cookie and it can be easily viewed by anyone with local access to the web browser's machine. 289 +To mitigate this security risk, XWiki encrypts both the username cookie's value and the password cookie's value using keys configured in a configuration file. 
These keys come with strong default values, by itself but, since these values are the same for everyone that downloads the docker image, are inherently public. 290 +As such, you, as the administrator, should change these encryption keys to your own, randomly generated ones. To do so, go to <your XWiki directory>/data/xwiki-data/data/ and modify the "xwiki.cfg" configuration file there. This file should have two configuration options called "xwiki.authentication.validationKey" and "xwiki.authentication.encryptionKey". Generate, from scratch, two different 32 character long encryption keys and replace the default ones with your ones. Uppercase and lowercase letters, as well as digits, are allowed. I don't believe other symbols are accepted though. 291 +Change these and restart the docker container, for the changes to apply. 292 + 293 + 294 +== Make the "xwiki-data" directory accessible to non-root users == 295 + 296 +For whatever reason, my setup generated the "xwiki-data" directory under my XWiki folder as being owned by the root user and under the root group, with permission levels of {{{"rwx------"}}}. If you're not already the root user on that machine, these permission levels are problematic as they will prevent you from cd-ing into it and making necessary configuration changes, nor even backing up that directory for the future. 297 +As such, please remember to "sudo chmode 655 -R xwiki-data/" to make it accessible! If this security configuration is not appropriate for your use cases, you may tweak it to fit your needs! 
298 + 280 280 = External references = 281 281 282 282 [[Official docker guide for installing XWiki>>https://github.com/xwiki/xwiki-docker/blob/master/README.md]] 283 -How to setup an Nginx reverse proxy and also provide a global X.509 certificate for it [NOT YET WRITTEN!]284 -How to setup a postfix SMTP server [NOTYET WRITTEN]302 +[[How to setup an Nginx reverse proxy and also provide a global X.509 certificate for it>>https://wiki.pentilescu.com/bin/view/Guides/How%20to%20setup%20an%20Nginx%20reverse%20proxy%20and%20also%20provide%20a%20global%20X.509%20certificate%20for%20it/]] 303 +[[How to setup a postfix SMTP server>>https://wiki.pentilescu.com/bin/view/Guides/How%20to%20setup%20a%20postfix%20SMTP%20server/]]
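Review bot: downgrading the SMTP server to "recommended (although not mandatory)" at line 8 leaves out the consequence for the reader: the same bullet says XWiki relays account activation and password reset emails through it, so without a relay those two flows simply do not work. Suggest adding one clause to the bullet, for example "without it, account activation and password reset emails will not be delivered", so that a reader who skips it knows what they are giving up.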
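Review bot: renaming the top-level network to `internal_xwiki_network:` (line 57, under the `networks:` at line 56 with `driver: bridge`) means the compose file now carries two top-level `networks:` mappings defining the same name, because the trailing context of the `@@ -103` hunk still shows `109 networks:` / `110 internal_xwiki_network:` after the services (its placement after the service definitions suggests it is top-level; extraction has dropped the indentation). A duplicate mapping key is invalid YAML and, depending on the parser, either raises an error or silently keeps only one of the two definitions. Keep a single top-level `networks:` block and delete the other.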
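Review bot: removing the fixed `ipv4_address: 192.168.80.3` for the xwiki service (lines 81-82) is reasonable, since compose resolves the service name on a user-defined network, but the retained instruction at line 277 ("use the appropriate IP address as configured in your docker-compose.yml file for your xwiki service") now refers to an address the file no longer sets. Either restore a static address for that one container, or rewrite line 277 to tell the reader to take the address Docker assigned at runtime (`docker inspect` on the container, or `docker network inspect` on the network) or to allow the network's whole subnet in the postfix relay configuration.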
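Review bot: the retained line 134 has a typo ("preferrably" → "preferably"), and its advice to make the passwords "as long and hard to guess as possible" sits next to "I chose 12 character long sequences"; since `${DB_PASSWORD}` and the root password are only ever read by the two containers and never typed by a person, suggest recommending a generated secret of at least 32 characters so the text and the example agree.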
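Review bot: marking the Nginx reverse proxy section "[OPTIONAL]" at line 159 contradicts the prerequisite at line 7, which still says the reader "must have nginx also configured and running on the same server". Either soften line 7 to match, or state here under what condition the proxy can be skipped: without it XWiki is reachable only over plain HTTP on the container's published port (the `http://localhost:8081` mentioned later on the page), with no TLS in front of the login and password cookies the page later describes, which is acceptable only for a host-local or otherwise isolated deployment.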
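Review bot: the command in the new "Make the xwiki-data directory accessible to non-root users" section, `sudo chmode 655 -R xwiki-data/`, has a typo (`chmode` → `chmod`) and the wrong mode for its stated goal: applied recursively, 655 (`rw-r-xr-x`) makes every file under `xwiki-data` world-readable, including the `xwiki.cfg` that the preceding section just told the reader to put private `xwiki.authentication.encryptionKey` and `xwiki.authentication.validationKey` values into, while still not giving a non-root user the write access needed to "make necessary configuration changes". Suggest an ownership change to the administering account instead, e.g. `sudo chown -R <user>:<group> xwiki-data/` followed by `sudo chmod -R u+rwX,go-rwx xwiki-data/` (conventional GNU order, `-R` before the mode); root bypasses file modes, so the container process that created the tree as root is unaffected. Two smaller points in the same hunk: "effecitvely" → "effectively" at line 287, and the `xwiki.home` fix at line 282 should say the value is a full URL with scheme and trailing slash (for the example on this page, `https://wiki.pentilescu.com/`), not just a fully qualified domain name, since the reset link in the email is built from it.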