Manual:HTTPS
MediaWiki supports mixed HTTP and HTTPS operation, although since 2020 this is somewhat of a fringe configuration, because generic web best practice recommends that sites be HTTPS-only. In HTTP communication the text is readable and can be intercepted: passwords and user sessions can be stolen, or the user can be phished to a fraudulent site via man-in-the-middle attacks. HTTPS communication is encrypted and the browser verifies the identity of the server.
Using an HTTPS-only wiki
- Set $wgForceHTTPS to true; this will redirect all HTTP requests to HTTPS, and set the secure flag on all cookies.
- If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect. You might also need to set $wgInternalServer, for the benefit of extensions which cause MediaWiki to make web requests to itself.
- Let's Encrypt can provide for free the certificates needed to serve your site over HTTPS.
- Consider enabling strict transport security in your web server, to prevent browsers from being tricked into visiting the site over HTTP and falling victim to phishing attacks.
- Configuring HTTPS protocol details can be tricky; there are a number of automated audits, such as Qualys SSL Labs' test, that can analyse your website and give you advice.
Using a mixed-protocol wiki
A mixed-protocol wiki can be accessed via both HTTP and HTTPS.
This is inherently insecure, as HTTP connections can be monitored by third parties, who track what your users do, or steal authentication cookies and temporarily take over user accounts.
You will need to set $wgServer to a protocol-relative URL and set $wgCanonicalServer to an absolute URL (up to you whether it is the HTTP or HTTPS one).
- If you enable $wgSecureLogin, MediaWiki will do its best in this scenario to protect passwords, at least, by forcing users to HTTPS for the duration of their login. Users will be able to indicate in their preferences (the prefershttps user preference) and during login that they prefer HTTPS, in which case they get automatically redirected as if $wgForceHTTPS were enabled.
- If a reverse proxy or CDN is used to forward requests from HTTPS to HTTP, the request header X-Forwarded-Proto: https should be set on such requests to suppress the redirect.
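An added example, not code from the MediaWiki manual: a LocalSettings.php fragment covering both the HTTPS-only setup above and the mixed-protocol setup in this section, including the reverse-proxy case. The host name wiki.example.org, the backend address and the port are assumptions.

```php
<?php
// Added example LocalSettings.php fragment (not MediaWiki's own code).
// Host name, backend address and port are assumed values. Use ONE of the two setups.

// --- Setup 1: HTTPS-only wiki (recommended) ---
$wgServer          = 'https://wiki.example.org';
$wgCanonicalServer = 'https://wiki.example.org';
// Redirect every HTTP request to HTTPS and mark all cookies Secure.
$wgForceHTTPS = true;

// If TLS is terminated by a reverse proxy or CDN that talks plain HTTP to the
// backend, the proxy must send "X-Forwarded-Proto: https" on those requests;
// otherwise MediaWiki sees HTTP, redirects to HTTPS, and the proxy forwards
// the new request as HTTP again, producing a redirect loop. The proxy should
// set (overwrite) the header itself rather than pass through a client-supplied
// value, because MediaWiki trusts it. Let caches key on the header as well:
$wgVaryOnXFP = true;
// Requests MediaWiki makes to itself (e.g. from extensions) go to the backend
// directly (assumed internal address) instead of back out through the proxy.
$wgInternalServer = 'http://127.0.0.1:8080';

// --- Setup 2: mixed-protocol wiki (HTTP and HTTPS both served) ---
// $wgServer          = '//wiki.example.org';       // protocol-relative
// $wgCanonicalServer = 'https://wiki.example.org'; // absolute; HTTP or HTTPS, your choice
// $wgSecureLogin     = true;  // force HTTPS for the login flow; users with the
//                             // "prefershttps" preference are redirected as if
//                             // $wgForceHTTPS were enabled
// $wgHttpsPort       = 443;   // change only when HTTPS is on a non-standard port
```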
Using an HTTP-only wiki
This requires no extra configuration, but is strongly recommended against as it is even more insecure than a mixed-protocol wiki.
Other related hooks and configuration settings
- $wgCookieSecure - for forcing cookies to be HTTPS-only. There shouldn't be any need to change the default value.
- $wgVaryOnXFP - for setting the appropriate Vary header; might be needed for proxies/CDNs.
- CanIPUseHTTPS (deprecated since v. 1.35) - for forcing HTTP for certain IP ranges (intended for traffic from countries where HTTPS communication is blocked).
- UserRequiresHTTPS (deprecated since v. 1.35) - for forcing HTTPS for certain users.
- BeforeHttpsRedirect (deprecated since v. 1.35) - called before redirecting from HTTP to HTTPS; can alter or prevent the redirect.
- $wgHttpsPort - for using a non-standard HTTPS port.
- HTTPS-specific features of MediaWiki can be tested in MediaWiki-Vagrant by enabling the https role.
- For information about the HTTPS-related configuration of Wikimedia websites, see the HTTPS page on Wikitech.