DokuWiki on OpenBSD

Installation from the package

To install DokuWiki using the OpenBSD packages use the package manager:

~$ doas pkg_add dokuwiki

The package manager will take care of setting up dependencies and chroot requirements.

Note: The package dokuwiki-2022.07.31ap0 and dokuwiki-2023.04.04 (in snapshots) require users wanting to install templates using the Extension Manager to change the owner of /var/www/dokuwiki/lib/tpl to www:

# chown www /var/www/dokuwiki/lib/tpl

Note: The currently available OpenBSD ports dokuwiki-2022.07.31ap0 and dokuwiki-2023.04.04 (in snapshots) contain a small bug. You will need to fix the permissions like this:

# chown www /var/www/dokuwiki/data/log

This bug will probably be fixed in newer versions of the ports.

Manual installation

The package doesn't do all of this so you should also look at this if you run into problems.

First install PHP and a dependency if required¹⁾:

~$ doas pkg_add php php-gd

You should be able to choose the newest version of PHP. We will use 8.0 for this example.

To enable the installed PHP package add the symbolic links as root:

# cd /etc/php-8.0.sample
# for i in *; do ln -sf ../php-8.0.sample/$i ../php-8.0/; done

Start up the PHP FPM daemon:

~$ doas rcctl start php80_fpm

Add the daemon to the list of things started up at boot

Old method
Add the daemon to the list of things started up at boot in the /etc/rc.conf.local file (you might have to create it) by adding it to any existing list like this:

~$ doas rcctl enable php80_fpm

Once you have PHP working you can go through the generic installation instructions. Pay particular attention to setting up the permissions properly. If you are using the OpenBSD httpd web server you will be setting things to a user of www and group of www.

Httpd configuration

You may want to change your httpd.conf to something similar show below.

server "default" { 
        listen on egress port 80 
        listen on 127.0.0.1 port 80 
 
        location "/*.inc" { block }
        location "/*.ht*" { block }
        location "/data/*" { block }
        location "/conf/*" { block }
        location "/bin/*" { block }
        location "/inc/*" { block }
        location "/vendor/*" { block }
 
        location "/dokuwiki/*.php*" { 
                root "/dokuwiki" 
                request strip 1
                fastcgi socket "/run/php-fpm.sock" 
        } 
        location "/dokuwiki/*" { 
                directory index index.php 
                root "/dokuwiki"
                request strip 1
        } 
}

Note: The above is a very generic minimal configuration. It assumes yo can access DokuWiki using the url http://<your-ip>/dokuwiki/ or locally using http://localhost/dokuwiki/ You SHOULD probably set DokuWiki up to use HTTPS so that login credentials will be transferred securely. It is fairly easy to do this using e.g. Let's Encrypt and acme-client(1). Simply redirect all requests on port 80 to port 443, except for the ACME challenge and change the above listen statements to port 443 and add the appropriate tls {} configuration.

A slightly better configuration which would be accessible using the url https://<your-hostname>/ (using wiki.example.com as the hostname for this example) might look like this:

# Redirect HTTP requests to HTTPS and handle ACME certificate verification
# requests.
server "wiki.example.com" {
	listen on * port 80
 
	# Add other hostnames here if you have multiple virtual hosts that
	# require the same functionality. No need to write extra server {}
	# blocks for them.
	# alias "other.host.name"
 
	block return 301 "https://$HTTP_HOST$REQUEST_URI"
 
	location "/.well-known/acme-challenge/*" {
		pass
		root "/acme"
		request strip 2
	}
}
 
# This is the server for hosting a DokuWiki website.
server "wiki.example.com" {
	# Always use HTTPS so that login credentials are encrypted.
	listen on * tls port 443
 
	tls {
		# Adjust these paths for the ones your certificate uses.
		certificate "/etc/ssl/fullchain.pem"
		key "/etc/ssl/private/privkey.key"
	}
 
	# If you are using the default DokuWiki as installed from the
	# OpenBSD dokuwiki port then this is your root directory. If
	# you are using a manual installation, adjust as needed.
	root "/dokuwiki"
 
	# Make sure that https://<hostname>/ works (in addition to
	# https://<hostname>/doku.php)
	directory index doku.php
 
	# Block some things.
	# Note: The first matching location statement wins. Thus the
	# order is important.
	location "*~" { block }
	location ".*" { block }
	location "/data/*" { block }
	location "/conf/*" { block }
	location "/bin/*" { block }
	location "/inc/*" { block }
	location "/vendor/*" { block }
 
	# If nothing was blocked then handle PHP scripts.
	location "*.php" {
		# If you are running multiple versions of php-fpm
		# you may need to adjust the socket path.
		fastcgi socket "/run/php-fpm.sock"
	}
}

Don't forget to check your configuration using httpd -n! If all is well you can start httpd(8) using:

~$ doas rcctl start httpd

To enable httpd(8) at boot time use:

~$ doas rcctl enable httpd

And for completeness, after changing your httpd.conf use:

~$ doas httpd -n
~$ doas rcctl reload httpd

or

~$ doas httpd -n
~$ doas rcctl restart httpd

Allowing outgoing http connections

The OpenBSD web server chroot is fairly restrictive by default. If you want to use things like automatic extension downloading you will need to open things up a bit. This should allow outgoing http and https connections. As root (creating any needed directories on the way):

# mkdir /var/www/dev
# mknod /var/www/dev/urandom c 45 2
# mkdir /var/www/etc
# cp /etc/resolv.conf /var/www/etc/
# cp /etc/hosts /var/www/etc/
# cp /etc/services /var/www/etc/
# mkdir /var/www/etc/ssl
# cp /etc/ssl/cert.pem /var/www/etc/ssl/

Then restart the php daemon:

~$ doas rcctl start php80_fpm

¹⁾

The php and php-gd packages should have been installed by the dokuwiki package as dependencies. Manual installation should not be necessary.

Table of Contents