SetupHTTPS

The internet community is rapidly moving to ensuring all websites are secure by using Hypertext Transfer Protocol Secure (HTTPS).

Note that HTTPS and mobile friendly are used as ranking signals by search engines.

This page is a placeholder or work in progress, serving to amalgamate information from the email list and recipes to where it should be held in the main PmWiki pages.

HTTPS request handling by PmWiki

PmWiki already responds properly to https: requests -- it detects when a request comes in via HTTPS and converts its outgoing links accordingly. This doesn't need a new variable.

If you want to force all pmwiki-links to use https, then update $ScriptUrl accordingly:

$ScriptUrl = 'https://www.mydomain.com/path/to/pmwiki.php';

Chances are that a site is already setting $ScriptUrl in the local/config.php anyway -- it's one of the first things mentioned in docs/sample-config.php, and in the initial setup tasks documentation.

I'd be fine with updating docs/sample-config.php to include something like:

# If you prefer HTTPS over HTTP linkages:
   # $UrlScheme = 'https';
   # $ScriptUrl = 'https://www.mydomain.com/path/to/pmwiki.php';
   # $PubDirUrl = 'https://www.mydomain.com/path/to/pub'; 

PmWiki automatically redirect HTTP to HTTPS

To have PmWiki automatically redirect incoming HTTP requests to be a HTTPS request... that sounds recipe-ish. And it's much more efficient for it to be handled at the webserver level anyway (e.g., vis .htaccess, Redirect, etc.)

At the beginning of config.php add, for versions of PmWiki after 2.2.0-beta18

if ($UrlScheme == 'http') {
  header( "Location: " . "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
  exit('<html><body>
    <a href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">Please use HTTPS</a>
    </body></html>');
}
$ScriptUrl = "https://".$_SERVER['HTTP_HOST']."/pmwiki/pmwiki.php";
$PubDirUrl = 'https://'.$_SERVER['HTTP_HOST'].'/pmwiki/pub';

Certificate

A certificate from a Certificate Authority is required, a self-signed certificate is no longer adequate[1].

  • Let’s Encrypt is a free, automated, and open Certificate Authority
    • EFF's CertBot for automatically enabling HTTPS on your PmWiki deploying Let's Encrypt certificates.
    • Certify the Web provides a Windows native client to acquire and install a Let's Encrypt certificate

References


This page may have a more recent version on pmwiki.org: PmWiki:SetupHTTPS, and a talk page: PmWiki:SetupHTTPS-Talk?.