XWiki on Ubuntu 16.04 LTS with Nginx Reverse Proxy

Install XWiki and all dependent programs on a 4 GB cloud server. This means:

1) Java
2) Tomcat
3) MySQL/MariaDB
4) XWiki
5) Nginx

Here we use Nginx as a reverse proxy, first to redirect all HTTP to HTTPS and then to forward all requests on port 80/443 to port 8080 (Tomcat) on the localhost. Here I use LetsEncrypt for my SSL certificates.

Before we begin…

Setup DNS

wiki.dummydomains.org.uk ——>

Prepare the Server


Update and reboot the server.

apt-get update
apt-get dist-upgrade

Enable the firewall

ufw status
ufw enable
ufw allow ssh
ufw reload
ufw status

Install Oracle Java

This is a requirement before installing Tomcat or XWiki. At the time of writing, Java 8.x is recommended as 9.x is too new and has a number of known bugs still.

apt-get install software-properties-common
add-apt-repository ppa:webupd8team/java
apt-get update
apt-get install oracle-java8-installer

You will need to accept the license agreement:


Because many programs check for $JAVA_HOME, it is a good idea to set it now. If you don’t know the path, check with:

root@wiki:~# update-alternatives --config java
There is 1 choice for the alternative java (providing /usr/bin/java).

  Selection    Path                                     Priority   Status
  0            /usr/lib/jvm/java-8-oracle/jre/bin/java   1081      auto mode
* 1            /usr/lib/jvm/java-8-oracle/jre/bin/java   1081      manual mode

Press <enter> to keep the current choice[*], or type selection number:

Then edit your system $PATH variable so that the /usr/lib/jvm/java-8-oracle is the first path.

nano /etc/environment

Mine looks like this:

root@wiki:~# cat /etc/environment

You will need to log out and back in first but you can test with the below command.

root@wiki:~# echo $JAVA_HOME

Create Virtual Host and Generate SSL

Install Nginx and LetsEncrypt.


Install and configure Nginx.

apt-get install apache2-utils nginx
systemctl enable nginx

Create a very basic virtual host by editing the nginx configuration file and inserting your server name in the server_name variable.

vim /etc/nginx/sites-enabled/default

Mine looks like this.

root@wiki:~# egrep -v "^$|^[[:space:]]*#" /etc/nginx/sites-available/default 
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;
	server_name wiki.dummydomains.org.uk;
	location / {
		try_files $uri $uri/ =404;
	}
}


systemctl restart nginx

Check it works!

If it doesn’t, check the firewall…

Allow HTTP and HTTPS Traffic

If you use a local firewall like UFW or iptables, you will need to allow port 80 and 443.

ufw status
ufw allow http
ufw allow https
ufw status
ufw reload


add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-nginx
certbot --nginx -d wiki.dummydomains.org.uk -d dummydomains.org.uk

Your certificate will get saved to /etc/letsencrypt/live/wiki.dummydomains.org.uk.

LetsEncrypt will edit your virtual hosts file.  The parts we are interested in are:

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/wiki.dummydomains.org.uk/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/wiki.dummydomains.org.uk/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  if ($scheme != "https") {
    return 301 https://$host$request_uri;
  } # managed by Certbot


Install XWiki

Install XWiki.

wget -q "https://maven.xwiki.org/public.gpg" -O- | apt-key add -
wget "https://maven.xwiki.org/stable/xwiki-stable.list" -P /etc/apt/sources.list.d/
apt-get update

Search for XWiki packages to install.

apt-cache search xwiki

According to the official documentation, the enterprise version is out-of-date and the non-enterprise version should be used.

apt-get install xwiki-tomcat8-mysql

Set the root MySQL password:



When asked if you should configure the database with dbconfig-common, say yes.


MySQL application password:



Check tomcat8 is listening on port 8080:

root@wiki:~# netstat -plnt | grep :8080
tcp6       0      0 :::8080                 :::*                    LISTEN      15840/java

Check your memory usage:

root@wiki:~# free -h
              total        used        free      shared  buff/cache   available
Mem:           3.9G        487M        1.9G         10M        1.5G        3.3G
Swap:            0B          0B          0B

You will need to increase the default amount of memory allocated to Java. Here’s how:

vim /etc/default/tomcat8


root@wiki:~# grep ^JAVA_OPTS /etc/default/tomcat8
JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"


root@wiki:~# grep ^JAVA_OPTS /etc/default/tomcat8
JAVA_OPTS="-Djava.awt.headless=true -Xmx1024m -XX:+UseConcMarkSweepGC"

Restart Tomcat

systemctl restart tomcat8

Test using a browser:


If you’ve enabled a firewall and you want to test:

ufw allow 8080/tcp
ufw reload

However I’m not going to do this – I’m going to set up Nginx as a proxy first.
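
Tomcat is bound to every interface (the :::8080 line in the netstat output above), so the firewall is the only thing keeping port 8080 private, and a client that reaches it directly skips the TLS and password that Nginx adds. The check below is an added example, not part of the original post: it reads netstat -plnt output and lists backend sockets that are not bound to loopback. The function name and all sample lines except :::8080 are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list sockets on a backend port
# that are reachable from outside the host, given `netstat -plnt` output.

# exposed_listeners PORT  -- reads netstat lines on stdin.
# Prints "<local address> <pid/program>" for each LISTEN socket on PORT whose
# bind address is not loopback (127.0.0.0/8, ::1 or IPv4-mapped ::ffff:127.x).
exposed_listeners() {
  awk -v port="$1" '
    $6 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      # Everything before the final ":<port>" is the bind address.
      host = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (host ~ /^(::ffff:)?127\./ || host == "::1") next
      print $4, $7
    }'
}

# Sample input: the :::8080 line is the one shown on this page, the other
# three lines are constructed for the example.
SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1399/mysqld
tcp6       0      0 :::8080                 :::*                    LISTEN      15840/java
tcp6       0      0 ::ffff:127.0.0.1:8005   :::*                    LISTEN      15840/java'

# Tomcat is bound to the wildcard address, so this prints ":::8080 15840/java".
printf '%s\n' "$SAMPLE" | exposed_listeners 8080
```

On the server, run netstat -plnt | exposed_listeners 8080. Setting address="127.0.0.1" on the HTTP Connector in Tomcat's server.xml takes port 8080 off the public interfaces altogether.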

Configure Nginx

Remove the default virtual host configuration.

rm -v /etc/nginx/sites-enabled/default
vim /etc/nginx/sites-available/wiki.dummydomains.org.uk.conf

My site configuration looks as follows:

upstream tomcat {
  # Tomcat on the localhost, port 8080
  server 127.0.0.1:8080 fail_timeout=0;
  keepalive 64;
}

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name wiki.dummydomains.org.uk dummydomains.org.uk;
  ssl_certificate /etc/letsencrypt/live/wiki.dummydomains.org.uk/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/wiki.dummydomains.org.uk/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  # redirect http to https
  if ($scheme != "https") {
    return 301 https://$host$request_uri;
  }

  # password file created with htpasswd (the path is relative to /etc/nginx)
  auth_basic "Authentication Required";
  auth_basic_user_file xwiki-access;

  location / {
    client_max_body_size 20M;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_request_headers on;
    proxy_set_header Connection "keep-alive";
    proxy_store off;
    proxy_headers_hash_max_size 512;
    # "deny all" on its own returns 403 to every client; any "allow <address>;"
    # lines must come before it (none are shown on this page)
    deny all;

    proxy_pass http://tomcat/;
  }
}

I also want to password protect my wiki:

htpasswd -c /etc/nginx/xwiki-access andy

Enable the site:

cd /etc/nginx/sites-enabled/
ln -s ../sites-available/wiki.dummydomains.org.uk.conf .

….and check configuration file for errors.

root@wiki:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Check config and restart Nginx:

systemctl restart nginx

Now try entering the following into your browser and complete the on-screen installation instructions:


Complete Installation

Here are few things I normally do after an installation.

Make Root Application

I want to make this Wiki instance the root web application and remove the trailing /xwiki from the URL.

systemctl stop tomcat8.service
mv -v /etc/tomcat8/Catalina/localhost/xwiki.xml /etc/tomcat8/Catalina/localhost/ROOT.xml
vim /etc/xwiki/xwiki-tomcat8.xml


<Context path="/xwiki" docBase="/usr/lib/xwiki" privileged="true" crossContext="true">
  <!-- make symlinks work in Tomcat -->
  <Resources allowLinking="true" />


<Context path="/" docBase="/usr/lib/xwiki" privileged="true" crossContext="true">
  <!-- make symlinks work in Tomcat -->
  <Resources allowLinking="true" />

Don’t forget to start Tomcat again:

systemctl start tomcat8.service

Now the URL is simply:


Enable superadmin

This is needed if you plan to import XWiki pages from a previous installation.

vim /etc/xwiki/xwiki.cfg

Find the following section.

#-# Enable to allow superadmin. It is disabled by default as this could be a
#-# security breach if it were set and you forgot about it. Should only be enabled
#-# for recovering the Wiki when the rights are completely messed.
# xwiki.superadminpassword=system

….and change to:

#-# Enable to allow superadmin. It is disabled by default as this could be a
#-# security breach if it were set and you forgot about it. Should only be enabled
#-# for recovering the Wiki when the rights are completely messed.

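Don’t forget to restart Tomcat if necessary, and to comment xwiki.superadminpassword out again once the import is done, as the comment in the file advises.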

Update Cookie Encryption Keys

When a user logs in, three cookies are saved to their machine. These cookies are encrypted with the keys set below. First we need two random strings of equal length, taken from the kernel’s random number generator.

root@wiki:~# head -c 24 /dev/urandom | base64 | head -c 32 ; echo
root@wiki:~# head -c 24 /dev/urandom | base64 | head -c 32 ; echo

Then edit the xwiki.cfg file.

vim /etc/xwiki/xwiki.cfg

Find the relevant section and edit to look like the below.


Don’t forget to restart Tomcat if necessary.
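
The key generation and the xwiki.cfg edit as one script, added here as an example and not taken from the original post. It draws both keys from /dev/urandom, refuses keys that are identical or not 32 characters, and rewrites the two settings whether or not they are commented out. The setting names xwiki.authentication.validationKey and xwiki.authentication.encryptionKey are an assumption (the page does not show them; confirm them in your file), and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): generate both cookie keys from
# the kernel CSPRNG and write them into xwiki.cfg.

# 24 random bytes encode to exactly 32 base64 characters, no padding.
gen_key() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# get_key FILE NAME: print the active (uncommented) value of a key setting.
get_key() {
  sed -n "s|^xwiki\.authentication\.$2=||p" "$1"
}

# set_cookie_keys FILE: replace both settings, whether commented out or not.
set_cookie_keys() {
  cfg=$1
  vkey=$(gen_key)
  ekey=$(gen_key)
  # Stop if the keys are not 32 characters each or came out identical.
  [ "${#vkey}" -eq 32 ] && [ "${#ekey}" -eq 32 ] || return 1
  [ "$vkey" != "$ekey" ] || return 1
  # "|" delimits the sed expressions: base64 can contain "/" but never "|" or "&".
  # The subshell umask keeps the temporary copy unreadable to other users.
  ( umask 077
    sed -e "s|^#* *xwiki\.authentication\.validationKey=.*|xwiki.authentication.validationKey=$vkey|" \
        -e "s|^#* *xwiki\.authentication\.encryptionKey=.*|xwiki.authentication.encryptionKey=$ekey|" \
        "$cfg" > "$cfg.new" ) || return 1
  # Copy the content back instead of mv so the file keeps its owner and mode.
  cat "$cfg.new" > "$cfg" && rm -f "$cfg.new"
}

# Constructed stand-in for the relevant part of /etc/xwiki/xwiki.cfg. The two
# key setting names are an assumption (the page does not show them).
make_sample_cfg() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
xwiki.encoding=UTF-8
# xwiki.authentication.validationKey=REPLACE-ME
# xwiki.authentication.encryptionKey=REPLACE-ME
EOF
  printf '%s\n' "$f"
}

# Demo on the sample file; on the server the argument is /etc/xwiki/xwiki.cfg.
demo_cfg=$(make_sample_cfg)
set_cookie_keys "$demo_cfg" && cat "$demo_cfg"
rm -f "$demo_cfg"
```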

Complete the Installation

Log in to complete the installation.


Click continue.


Register and log in.



Install xwiki

Select 9.9 and continue.


Confirm installation again.




Continue again.


Confirm the report by clicking continue.


Installation complete!


Import old XWiki Content

Let’s see if the import feature works! Log in as the superadmin user and then navigate to the Administration section:


Then select Content, followed by Import:


Select the backup.xar that you (hopefully) took earlier and import all the content.


Select the following options.



OSMC PPTP Client Configuration

My parents are retired and have a house in France where they live for about three months of the year. Like most people in the UK, they watch a lot of TV and are big users of the BBC iPlayer. This is a problem when they’re in France as the BBC uses GeoLocation authentication. Simply put, this means they block all connections coming from a non-UK IP address.

One solution to this problem is to route their internet traffic through a Virtual Private Network (VPN). You could host your own VPN, or you could simply subscribe to one of the many VPN providers out there. Here I am trying iPortal.

iPortal VPN Connection Details

iPortal supports two protocols for tunnelling – PPTP and L2TP. Unfortunately this means that they do not support OpenVPN.

Here you will need to get your VPN connection details to hand. iPortal only requires a username and password. Other providers may also require you to provide a domain.

Username Password
me@andrewpike.co.uk kw3VX5uigjgf

Here I will be following this as a guide and configuring the client to use PPTP. I am using a Raspberry Pi with OSMC as the OS.

Install and Configure PPTP Client

First we will need to install the pptp-linux package.

sudo apt-get update
sudo apt-get install pptp-linux

The PPTP configuration file is /etc/ppp/options.pptp. Use a text editor (nano) to edit the file if necessary.

nano /etc/ppp/options.pptp

…and add the following lines if not already present.


You can use egrep to check, as I do below.

egrep "lock|noauth|nobsdcomp|nodeflate" /etc/ppp/options.pptp

You now need to add your username, password and domain (if your provider gave you one) to the chap-secrets file, located in /etc/ppp/. Some providers also require you to specify a domain here – but not iPortal.

sudo nano /etc/ppp/chap-secrets

The format for entering these details is as shown below.


My configuration file simply has the following entry. If you’re using iPortal, your username is normally your email address.

me@andrewpike.co.uk PPTP kw3VX5uigjgf *

Now create a file in /etc/ppp/peers. The name is not important.

sudo nano /etc/ppp/peers/iPortal

Now enter your connection details again like so. You may need to find out the host server name (connect2iportal.co.uk) from your provider. Name is your username. Remember to prepend the domain (\\somedomain.com) if required.

pty "pptp connect2iportal.co.uk --nolaunchpppd"

The ipparam is the name of your VPN connection. This should be the same as the name of the file you created earlier in /etc/ppp/peers. Some providers may require “require-mppe” in place of “require-mppe-128”.

Test Connection

To test, use the pon command followed by the name of your VPN connection. The other information is useful for debugging connection issues.

sudo pon iPortal debug dump logfd 2 nodetach

A successful connection should look something like:

osmc@osmc:~$ sudo pon iPortal debug dump logfd 2 nodetach
pppd options in effect:
debug           # (from command line)
nodetach                # (from command line)
logfd 2         # (from command line)
dump            # (from command line)
noauth          # (from /etc/ppp/options.pptp)
refuse-pap              # (from /etc/ppp/options.pptp)
refuse-chap             # (from /etc/ppp/options.pptp)
refuse-mschap           # (from /etc/ppp/options.pptp)
refuse-eap              # (from /etc/ppp/options.pptp)
name cypike@btconnect.com               # (from /etc/ppp/peers/iPortal)
remotename PPTP         # (from /etc/ppp/peers/iPortal)
                # (from /etc/ppp/options.pptp)
pty pptp connect2iportal.co.uk --nolaunchpppd           # (from /etc/ppp/peers/iPortal)
crtscts         # (from /etc/ppp/options)
                # (from /etc/ppp/options)
asyncmap 0              # (from /etc/ppp/options)
lcp-echo-failure 4              # (from /etc/ppp/options)
lcp-echo-interval 30            # (from /etc/ppp/options)
hide-password           # (from /etc/ppp/options)
ipparam iPortal         # (from /etc/ppp/peers/iPortal)
nobsdcomp               # (from /etc/ppp/options.pptp)
nodeflate               # (from /etc/ppp/options.pptp)
require-mppe-128                # (from /etc/ppp/peers/iPortal)
noipx           # (from /etc/ppp/options)
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xfc34bc4b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x0 <mru 1400> <auth eap> <magic 0x72c91c98> <pcomp> <accomp> <callback CBCP> <mrru 1614> <endpoint [local:cd.01.ad.7a.1e.78.47.8f.99.0d.63.36.2a.f3.e1.e5.]>]
sent [LCP ConfRej id=0x0 <callback CBCP> <mrru 1614>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xfc34bc4b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <auth eap> <magic 0x72c91c98> <pcomp> <accomp> <endpoint [local:cd.01.ad.7a.1e.78.47.8f.99.0d.63.36.2a.f3.e1.e5.]>]
sent [LCP ConfNak id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfReq id=0x2 <mru 1400> <auth chap MS-v2> <magic 0x72c91c98> <pcomp> <accomp> <endpoint [local:cd.01.ad.7a.1e.78.47.8f.99.0d.63.36.2a.f3.e1.e5.]>]
sent [LCP ConfAck id=0x2 <mru 1400> <auth chap MS-v2> <magic 0x72c91c98> <pcomp> <accomp> <endpoint [local:cd.01.ad.7a.1e.78.47.8f.99.0d.63.36.2a.f3.e1.e5.]>]
sent [LCP EchoReq id=0x0 magic=0xfc34bc4b]
rcvd [CHAP Challenge id=0x0 <8adc771b8bafde36f1ef9dd9bc3253c1>, name = "SERVER5955"]
added response cache entry 0
sent [CHAP Response id=0x0 <aa362ea5ed92909ba0a813f6ba6b358f0000000000000000b0c4dc10e810cc54a48717df07a15846da629c63d8b9ce3d00>, name = "me@andrewpike.co.uk"]
rcvd [LCP EchoRep id=0x0 magic=0x72c91c98]
rcvd [CHAP Success id=0x0 "S=B4453B93CA28DC23F07704FE63A06DB0AE569B1E"]
response found in cache (entry 0)
CHAP authentication succeeded
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x4 <mppe +H -M -S -L -D +C>]
sent [CCP ConfNak id=0x4 <mppe +H -M +S -L -D -C>]
rcvd [IPCP ConfReq id=0x5 <addr>]
sent [IPCP TermAck id=0x5]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x6 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x6 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr>]
rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
sent [IPCP ConfReq id=0x2 <addr>]
rcvd [IPCP ConfNak id=0x2 <addr>]
sent [IPCP ConfReq id=0x3 <addr>]
rcvd [IPCP ConfAck id=0x3 <addr>]
rcvd [IPCP ConfReq id=0x7 <addr>]
sent [IPCP ConfAck id=0x7 <addr>]
local  IP address
remote IP address
Script /etc/ppp/ip-up started (pid 653)
Script /etc/ppp/ip-up finished (pid 653), status = 0x0

To stop it, use Ctrl + C or the below command from another terminal.

sudo poff iPortal
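
The debug log above already says what was negotiated: the authentication method the client acknowledged, whether CHAP succeeded, and the MPPE key length. The script below is an added example, not part of the original post; it reduces a pppd debug log to those three facts and fails unless 128-bit MPPE was agreed. The function names are made up for the example, the first sample is an excerpt of the log on this page, and the second sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what a pppd debug log
# says was negotiated, and refuse to trust a tunnel without 128-bit MPPE.

# pppd_summary: reads pppd debug output on stdin and prints one line,
#   auth=<method|none> mppe=<mode|none> chap=<ok|no>
pppd_summary() {
  awk '
    # The method we finally acknowledge is the one both sides agreed on.
    /^sent \[LCP ConfAck/ && match($0, /<auth [^>]*>/) {
      auth = substr($0, RSTART + 6, RLENGTH - 7)
      gsub(/ /, "-", auth)
    }
    /^CHAP authentication succeeded/ { chap = "ok" }
    # e.g. "MPPE 128-bit stateless compression enabled"
    /^MPPE .* enabled/ { mppe = $2 "-" $3 }
    END {
      printf "auth=%s mppe=%s chap=%s\n",
        (auth == "" ? "none" : auth),
        (mppe == "" ? "none" : mppe),
        (chap == "" ? "no" : chap)
    }'
}

# tunnel_ok: exit status 0 only if the log shows CHAP success and 128-bit MPPE.
tunnel_ok() {
  case "$(pppd_summary)" in
    *"mppe=128-bit"*"chap=ok"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Lines copied from the log on this page (endpoint option trimmed).
GOOD_LOG='sent [LCP ConfNak id=0x1 <auth chap MS-v2>]
sent [LCP ConfAck id=0x2 <mru 1400> <auth chap MS-v2> <magic 0x72c91c98> <pcomp> <accomp>]
CHAP authentication succeeded
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled'

# Constructed counter-example: authentication succeeds but only 40-bit MPPE
# is agreed, as can happen with "require-mppe" instead of "require-mppe-128".
WEAK_LOG='sent [LCP ConfAck id=0x2 <mru 1400> <auth chap MS-v2> <magic 0x72c91c98> <pcomp> <accomp>]
CHAP authentication succeeded
MPPE 40-bit stateless compression enabled'

# Prints "auth=chap-MS-v2 mppe=128-bit-stateless chap=ok".
printf '%s\n' "$GOOD_LOG" | pppd_summary
```

Feed it the output of sudo pon iPortal debug dump logfd 2 nodetach, captured to a file.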

Route Traffic Through VPN

Once you have successfully connected to your VPN provider, you now need to route your traffic through it. Before doing that, you might want to make a note of your public IP address first. You can do this from the command line with the curl command. This should return the IP address of your ISP.

osmc@osmc:~$ curl -4 icanhazip.com

Now reconnect to your VPN with the following command.

sudo pon iPortal

Wait a few seconds and then route your traffic through the VPN.

sudo route add default dev ppp0

Now check your public IP address again. If all went well – it should now be the IP address of your VPN provider!

osmc@osmc:~$ curl -4 icanhazip.com

Your VPN is now working!


Now we have to automate the process. I created two scripts with 755 permissions

osmc@osmc:/myscripts$ ls -l
total 8
-rwxrwxr-x 1 osmc osmc 134 Aug 12 21:01 iPortal_connect.sh
-rwxrwxr-x 1 osmc osmc 114 Aug 12 21:01 iPortal_disconnect.sh

The iPortal_connect.sh file looks like the following.

#!/bin/bash
# Bring the tunnel up, give pppd time to negotiate, then send all traffic via ppp0
sudo pon iPortal
sleep 10
sudo route add default dev ppp0
echo "VPN Connected: $(curl --silent -4 http://icanhazip.com)"

And the iPortal_disconnect.sh looks like this.

#!/bin/bash
# Tear the tunnel down, then report the public IP address now in use
sudo poff iPortal
sleep 2
IP="$(curl --silent -4 http://icanhazip.com)"
echo "VPN Disconnected: $IP"

Here’s the output from executing these scripts.

osmc@osmc:/myscripts$ ./iPortal_connect.sh
VPN Connected:
osmc@osmc:/myscripts$ ./iPortal_disconnect.sh
VPN Disconnected:

Launch Scripts from within OSMC

The guide I’m following uses the Advanced Launcher plugin for OSMC. Sadly it was at this point that I realised that Advanced Launcher seems to have died a horrible death and is not available any more! I will need to do a bit more research on this one it looks like – I don’t think my folks will be SSH’ing into the Pi to execute a script each time they want to watch the news lol!!!

Related Documents


iPortal VPN Review




Install NewRelic Server Monitoring Agent on Ubuntu 14.04 LTS

NewRelic is a real-time monitoring tool that has a number of useful plugins. Here I am installing the server monitoring agent to keep track of my servers’ health.

NewRelic - Server Monitoring

To install the server monitoring agent, first add the repository…

echo deb http://apt.newrelic.com/debian/ newrelic non-free >> /etc/apt/sources.list.d/newrelic.list
wget -O- https://download.newrelic.com/548C16BF.gpg | apt-key add -
apt-get update

…then install the monitoring agent….

apt-get install newrelic-sysmond

Configure and start server monitoring daemon…

nrsysmond-config --set license_key=<your_key_here>
/etc/init.d/newrelic-sysmond start

And here’s what the server monitoring overview page looks like.

NewRelic - Server Overview

Related Documents

newrelic.com: New Relic Servers for Linux

Rackspace Cloud Monitoring Agent

The Rackspace cloud monitoring agent allows you to monitor CPU, memory, filesystem usage and system processes. It does this by collecting information about the system and pushing it out to Rackspace Cloud Monitoring web services, where they can be analyzed, graphed, and alerted on. It is this technology that the Rackspace monitoring checks are built upon.

Plus you get a nice pretty little bar graph in the server details section of the control panel 🙂

Rackspace monitoring agent

Install the Agent

While the instructions used here are for Ubuntu 14.04 LTS, this page lists the exact commands needed for all major distros.

wget http://meta.packages.cloudmonitoring.rackspace.com/ubuntu-14.04-x86_64/rackspace-cloud-monitoring-meta-stable_1.0_all.deb
dpkg -i rackspace-cloud-monitoring-meta-stable_1.0_all.deb
apt-get update
apt-get install rackspace-monitoring-agent

If your distribution of choice isn’t listed, you can always install from source.

Configure and Start Daemon

If the /etc/rackspace-monitoring-agent.cfg file isn’t present, you will need to choose one of the methods below to start the service.

Quick Method

Run the below commands, replacing the username and API key with your own.

rackspace-monitoring-agent --setup --username <your-username> --apikey <your-api-key>
rackspace-monitoring-agent start -D

Interactive Method

Alternatively you can simply run the below to interactively enter your username and your API key or password.

rackspace-monitoring-agent --setup

Followed by…

service rackspace-monitoring-agent start


The monitoring agent does not update itself. However, if you installed using a package manager, such as apt-get, agent updates will be pulled in and applied with regular system updates anyway.

apt-get update
apt-get dist-upgrade

Uninstalling the Agent

Assuming you didn’t install from source and you used your distro’s package manager, you will uninstall with the same method. I am using Ubuntu, so…

apt-get remove rackspace-monitoring-agent

Or if you’re using CentOS/RHEL.

yum remove rackspace-monitoring-agent
