Meza/FAQ

External 443 traffic only meza config
I have a user on my enterprise network who is behind a firewall that only allows 443 traffic. He says that he can see the Meza Landing page but the individual wikis don't work. For diagnostic purposes, he opened up port 80 on his firewall and suddenly the he could access the wiki fine. But he can't run that way so I have been told I have to eliminate all outside dependencies on port 80. I know that meza defines lots of services that are unsecured on the loop-back (127.0.0.1) port on the "back-end" of the haproxy and I’m allowed to leave them be - just so long as the client doesn't need to access them directly. so are you saying that any port 80 dependencies I am experiencing are due to a failure to configure haproxy properly for my organization's certs?
 * Question -- What minimum configuration changes are required to allow meza to work behind a firewall that only allows 443/https traffic?
 * Answer: When properly configured, a standard Meza installation should be fully accessible over HTTPS (port 443). The default SSL certificate is self-signed, so you may need to install your own certificate (e.g. from LetsEncrypt) depending on the requirements of your client. The certificate configuration is in /etc/haproxy/haproxy.cfg (or the template that creates it in the Meza deploy).

I added my organization's cert chain to  And that satisfied the browser front-end. Are you saying that I need to manually point  to  ?

I see three places where certs are mentioned in haproxy.cfg: Line 13 # Default SSL material locations Line 14   ca-base /etc/ssl/certs Line 15   crt-base /etc/ssl/private and Line 73 frontend www-https Line 74   bind *:443 ssl crt /etc/haproxy/certs/meza.pem So if my certs are in  do I update lines 14 and 15 in haproxy.cfg to be Line 14 ca-base /opt/conf-meza/secret/monolith/ssl Line 15 crt-base /opt/conf-meza/secret/monolith/ssl ?

(Force=yes) in "Ensure WikiBlender installed" Task
I made some changes to /opt/htdocs/WikiBlender/includes/Landing.php and now  can't complete the Ensure WikiBlender installed task with the default behavior of "force: no" in the task.


 * How can I command meza to overwrite any local modifications in  upon
 * To overwrite what is found in /opt/htdocs/WikiBlender you would want to ensure the task uses  in the "Ensure WikiBlender installed" task at src/roles/mediawiki/tasks/main.yml. If you prefer to keep what's already existing, you can keep , but be sure to add the (task) option to ignore errors as shown in the example below


 * Where should I make the changes to  so that they are included as part of the   results. (e.g. is there a template page for the landing.php file somewhere in /opt/meza/src/... ?)
 * WikiBlender is not currently part of meza . It's a separate code repo that is installed by meza. You can fork and/or submit patches to like Freephile/WikiBlender did

How to set the server timezone in Meza
Question 1 -- How to set the server timezone in Meza? Is there a timezone variable somewhere? secret.yml does not mention timezones.
 * Answer: You can specify e.g.  in your /opt/conf-meza/public/public.yml file. Valid values for m_timezone can be found in column 3 "Zone name" of List_of_tz_database_time_zones. The value you specify will override the default.

SAML VS Policy Agent Authentication approaches
SAML is clearly the officially approved e-auth mechanism for meza. However, I am working with my organizations application security team on my meza site and they are telling me that they want me to use a "CA Policy Agent" installed on the Apache service that forces clients to have secure authenticated browser sessions from our enterprise identity provider (redirecting them as needed), and then to program the policy agent on the server to authorize client access to specific wikis based on specific session attributes controlled only by the identity provider. This means that I would NOT be using SAML auth in ANY wikis.. which generates some questions:

Question 1 -- Is there any reason why this can't work? -- Meaning, is there anything in the Ansible scripting for a  that will be guaranteed to either break or over-write the policy agent.
 * Answer: --- Policy Agent Works well with Meza but is not yet included in meza as a configuration option. It requires some local modifications to meza that will need to be tracked and maintained apart from meza until we get Policy Agent support added. I will be adding a link to this FAQ with instructions on how to implement the CA Policy Agent with Meza. In the meantime, (User:revansx) if you need help.

Question 2 -- Does this impact the use model of the primary wiki feature of meza? if so how?
 * Answer: ---

How do I change my domain name?
I installed meza on a system with one domain name (or IP address) and now I want to update the host name that meza resolves to. How do I do this?
 * Answer: edit  (see Meza/Secret config). Update the value   to your new domain name.

Questions about Primary Wikis
Question 1 -- if a wiki is made primary, can it be made made un-primary? what happens if it is deleted?
 * Answer: If you deleted the primary wiki you'd lose the  table from the database that all other wikis rely upon. The same is true for the   and   tables, though losing those is less disastrous. Since all the other wikis had been relying upon that the primary wiki's user table, you could manually copy that table into the other wikis' databases. Or just copy it into one other wiki and define that wiki as primary.

Question 2 -- if every wiki is e-uthed (SAML or Policy Agent) such that login is account-creation is automatic based on third-party authentication and authorization, what is the advantage of having a primary wiki?
 * Answer: Shared user settings across wikis (everything in preferences). Not having this is incredibly annoying if you have many wikis. Shared interwiki table so you can easily link between wikis without keeping interwiki tables synchronized. Keeps user ID numbers the same (so you're not user #1 on one wiki and user #5148 on another wiki) which makes it possible to merge wikis more easily if you ever want to do that.

favicon.ico location for meza launch page
Where can one place a 'favicon.ico' file that will be used by the blender start page at the domain root? I have been successful in getting it to work by placing it here:. Not sure if this is the official location. Is placing a file (image) in  safe with respect to   commands?
 * Answer: If you define a primary wiki it's favicon will be used for the landing page. Other than that there is no documented way of defining a favicon for the landing page. If you're using a single sign-on source it is recommended to define a primary wiki.

Add non-meza html pages to a meza environment
I have a RHEL7 system with meza 27.x installed (monolith) and my organization requires me to host a few non-wiki, non-sensitive static html pages in a folder on the server that is in a non-meza related directory. Where/How do I create such a folder in a way that will not interfere with normal meza operations?


 * Answer: There is no way built into Meza to do this cleanly, yet. You can put the files in  and I don't think Meza will remove them on , but I'm not certain. You'll need to update   to tell the webserver to allow access to the files, and that will be overwritten on each
 * Answer 2: Another approach is to make the required changes to . This would be persistent upon subsequent deployments, but would be a variation from the official meza code base.

How con I find a list of all subpages to Meza here on mediawiki.org?

 * Answer: ---
 * Pages: https://www.mediawiki.org/w/index.php?title=Special%3APrefixIndex&prefix=Meza&namespace=0
 * Talk Pages: https://www.mediawiki.org/w/index.php?title=Special%3APrefixIndex&prefix=Meza&namespace=1

How do I get answers if they're not here?
Answer: First, try searching the Meza issues on GitHub. If you don't find what you're looking for there, join the Meza channel on riot.im.