Using Apache's mod_rewrite, DokuWiki logins can be forced to use HTTPS, thus preventing clear text passwords on the wire.
You may want to read up on general rewriting first.
The following assumes you already set up HTTPS support for your wiki, making it available via HTTP and HTTPS on the same address. For performance reasons only the login and profile updates should be forced to HTTPS while all “normal” wiki actions will continue to work on HTTP.
Since a session cookie set over HTTPS must also be sent back on plain HTTP requests, you need to disable the securecookie option first. Then set up the redirection in your .htaccess:
# Switch to secure on login, profile and admin actions
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{QUERY_STRING} do=(log|profile|admin)
RewriteRule ^(.*) https://%{HTTP_HOST}/$1 [R,QSA,L]
# Change back to non-secure on show action
RewriteCond %{HTTPS} on
RewriteCond %{QUERY_STRING} (do=show|^$)
RewriteCond %{REQUEST_METHOD} GET
RewriteRule ^(.*) http://%{HTTP_HOST}/$1 [R,QSA,L]
You may want to change %{HTTP_HOST} to %{SERVER_NAME} if your server name matches the hostname in your SSL certificate.
Note: the above switches back to non-SSL on the show action only. This means switchback might not occur immediately after login, but ensures there will be no “mixed content” warnings during the SSL operation.
Also note: if you have other rewrite rules, such as those used in general rewriting, place these rules before the others.
Please note: You need to disable "securecookie" in /conf/dokuwiki.php in order for the above code to work. Otherwise your logins will not successfully register. This is because with securecookie enabled, the session cookie is flagged Secure and can't be sent over plain HTTP, so the session is lost as soon as you are redirected back.
This setup is also possible in nginx but with a minor tweak to your fastcgi_params.
First, you need separate server instances for http and https, to keep things clean (and so the rewrites do not get confused and trapped in redirect loops). This can look like the following. Each instance has its own rewrite rule to switch between http and https.
# Tested with nginx 0.8.5
# In http context of your nginx configuration
map $scheme $php_https { default off; https on; }

server {
    server_name wiki.host.org;
    root /path/to/dokuwiki;
    index doku.php;
    listen 80;
    # Enforce https for logins, admin
    if ($args ~* do=(log|admin|profile)) {
        rewrite ^ https://$host$request_uri? redirect;
    }
    include dokuwiki.conf;
}

server {
    server_name wiki.host.org;
    root /path/to/dokuwiki;
    index doku.php;
    listen 443 ssl;
    keepalive_requests 10;
    keepalive_timeout 60 60;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    # Switch back to plain http for normal view
    if ($args ~* (do=show|^$)) {
        rewrite ^ http://$host$request_uri? redirect;
    }
    include dokuwiki.conf;
}
In dokuwiki.conf (same path as your nginx.conf) you can use the snippet from nginx wiki, but you need to add
fastcgi_param HTTPS $php_https;
to your fastcgi_params. This parameter and the map directive at the beginning are required because DokuWiki checks $_SERVER['HTTPS'] to decide whether the request arrived over HTTPS.
As with Apache, you need to disable securecookie in your local.php.
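To check that either of the configurations above behaves as intended, here is an added Python script that is not part of this page or of DokuWiki. It models the redirect policy of the Apache rules (HTTP plus a login/profile/admin action goes to HTTPS; HTTPS plus a GET with do=show or an empty query string goes back to HTTP; the nginx variant is the same minus the GET check), follows the modelled hops to catch a redirect loop, and can probe a live wiki to compare the real Location header and the Set-Cookie flags with that model. The hostname wiki.host.org is taken from the nginx example; the function names, the regexes lifted from the rules, and the sample cookie strings are this example's own assumptions.

```python
import http.client
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Patterns copied from the RewriteCond / if ($args) lines on this page.
TO_HTTPS = re.compile(r"do=(log|profile|admin)")
TO_HTTP = re.compile(r"(do=show|^$)")


def expected_redirect(url: str, method: str = "GET") -> Optional[str]:
    """Location the rules should send this request to, or None for no redirect.

    Models the Apache rules: HTTP + login/profile/admin action -> HTTPS;
    HTTPS + GET + show action (or no query string) -> HTTP.
    """
    parts = urlsplit(url)
    if parts.scheme == "http" and TO_HTTPS.search(parts.query):
        return parts._replace(scheme="https").geturl()
    if parts.scheme == "https" and method.upper() == "GET" and TO_HTTP.search(parts.query):
        return parts._replace(scheme="http").geturl()
    return None


def redirect_chain(url: str, method: str = "GET", limit: int = 5) -> List[str]:
    """Follow the modelled redirects; raise on a loop or an overlong chain."""
    chain = [url]
    while True:
        nxt = expected_redirect(chain[-1], method)
        if nxt is None:
            return chain
        if nxt in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
        if len(chain) > limit:
            raise RuntimeError("too many redirects: " + " -> ".join(chain))
        method = "GET"  # a browser re-issues a 302 target as GET


def has_secure_flag(set_cookie: str) -> bool:
    """True if a Set-Cookie header carries the Secure attribute, meaning the
    cookie would not be sent back on the plain-HTTP wiki pages (securecookie
    still enabled)."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" in attrs


def probe(url: str, method: str = "GET", timeout: float = 5.0) -> Tuple[int, Optional[str], Optional[str]]:
    """Send one request without following redirects; return status, Location, Set-Cookie."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request(method, path)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location"), resp.getheader("Set-Cookie")


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "wiki.host.org"  # hostname from the nginx example
    cases = [
        (f"http://{host}/doku.php?do=login", "GET"),   # must go to HTTPS
        (f"https://{host}/doku.php?do=show", "GET"),   # must come back to HTTP
        (f"http://{host}/doku.php?id=start", "GET"),   # ordinary page view stays on HTTP
    ]
    for url, method in cases:
        want = expected_redirect(url, method)
        status, location, cookie = probe(url, method)
        ok = (location == want) if want else status not in (301, 302)
        print(f"{'OK ' if ok else 'BAD'} {method} {url} -> {status} {location or ''}")
        if cookie and has_secure_flag(cookie):
            print("    warning: cookie carries Secure flag; securecookie is still enabled")
```

Run it with the wiki hostname as the only argument; the model functions need no network and can be unit-tested on their own, which is also where the loop check is useful before the rules go live.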