oddmu-nginx - how to setup Nginx as a reverse proxy for Oddmu
The oddmu program serves the current working directory as a wiki on port 8080. This is an unpriviledged port so an ordinary user account can do this.
This page explains how to setup NGINX on Debian to act as a reverse proxy for Oddmu. Once this is done, you can use NGINX to provide HTTPS, request users to authenticate themselves, and so on.
The site is defined in "/etc/nginx/sites-available/default", in the *server* section. Add a new *location* section after the existing *location* section:
location ~ ^/(view|preview|diff|edit|save|add|append|upload|drop|list|delete|rename|search|archive)/ {
proxy_pass http://localhost:8080;
}
If you remove an action from the regular expression, those requests no longer get passed on to Oddmu. They are essentially disabled. Somebody on the same machine pointing their browser at http://localhost:8080/ directly would still have access to all the actions, of course.
Access control is not part of Oddmu. By default, the wiki is editable by all. This is most likely not what you want unless you're running it stand-alone, unconnected to the Internet – a personal memex on your laptop, for example.
To restrict access to some actions, use two different *location* sections:
# public
location ~ ^/(view|diff|search)/ {
proxy_pass http://localhost:8080;
}
# password required
location ~ ^/(edit|save|add|append|upload|drop|list|delete|rename|archive)/ {
auth_basic "Oddmu author";
auth_basic_user_file /etc/nginx/conf.d/htpasswd;
proxy_pass http://localhost:8080;
}
The passwords in "/etc/nginx/conf.d/htpasswd" are generated using *openssl*(1). Assuming the password is "CPTk&qO[Y@?M~L>qKOkd", this is how you encrypt it:
openssl passwd 'CPTk&qO[Y@?M~L>qKOkd'
The output gets used in "/etc/nginx/conf.d/htpasswd". Here's the user "alex" using this password:
alex:$1$DOwphABk$W4VmR9p8t2.htxF6ctXHX.
These instructions create user accounts with passwords just for Oddmu. These users are not real users on the web server and don't have access to a shell, mail, or any other service.
Instead of having Oddmu listen on a TCP port, you can have it listen on a Unix-domain socket. This requires socket activation. An example of configuring the service is given in oddmu.service(5).
On the nginx side, you can proxy to the socket using an *upstream* section. This sends all requests to the socket. Use the upstream name as the server name for _proxy*pass*. Add something like the configuration below to your existing nginx server configuration. On a Debian system, that'd be in "/etc/nginx/sites-available/default".
location ~ ^/(view|preview|diff|edit|save|add|append|upload|drop|list|delete|rename|search|archive)/ {
proxy_pass http://unix:/run/oddmu/oddmu.sock:;
}
Reload the configuration:
sudo systemd reload nginx
Now, all traffic between the web server and the wiki goes over the socket at "/run/oddmu/oddmu.sock".
To test it on the command-line, use a tool like *curl(1)*.
curl http://localhost/view/index
oddmu(1), oddmu-apache(5)
"freenginx" http://freenginx.org/
"freenginx ngx_http_proxy_module", proxy_pass http://freenginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
http://freenginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
"freenginx ngx_http_auth_basic_module" http://freenginx.org/en/docs/http/ngx_http_auth_basic_module.html
http://freenginx.org/en/docs/http/ngx_http_auth_basic_module.html
Maintained by Alex Schroeder alex@gnu.org.