]> git.immae.eu Git - github/shaarli/Shaarli.git/blame - doc/md/Server-configuration.md
Merge pull request #1621 from ArthurHoaro/feature/tag-separators
[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md
CommitLineData
91a21c27 1# Server configuration
992af0b9 2
91a21c27 3## Requirements
4
5### Operating system and web server
6
f682f1b8 7Shaarli can be hosted on dedicated/virtual servers, or shared hosting.
91a21c27 8
9You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
10
11Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
12
f682f1b8 13A $5/month VPS (1 CPU, 1 GiB RAM and 25 GiB SSD) will run any Shaarli installation without problems. Some hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [4](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [5](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [6](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
14
15
91a21c27 16### Network and domain name
17
18Try to host the server in a region that is geographically close to your users.
19
a32e6665 20A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
91a21c27 21
6384447d 22You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
91a21c27 23
41b93897 24Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
25
26Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
27
9417f133 28
29### Screencast
30
31Here is a screencast of the installation procedure
32
33[![asciicast](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO.svg)](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO)
34
02117f7e 35--------------------------------------------------------------------------------
91a21c27 36
37### PHP
38
39Supported PHP versions:
43ad7c8e 40
bdfb967c 41Version | Status | Shaarli compatibility
42:---:|:---:|:---:
ec457491
A
438.0 | Supported | Yes
447.4 | Supported | Yes
30255b79 457.3 | Supported | Yes
bdfb967c 467.2 | Supported | Yes
477.1 | Supported | Yes
899d0411 487.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
7062ef4d 495.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
bdfb967c 505.5 | EOL: 2016-07-10 | Yes
515.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
525.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
5409ade2 53
91a21c27 54Required PHP extensions:
43ad7c8e 55
bdfb967c 56Extension | Required? | Usage
57---|:---:|---
ec457491 58[`openssl`](http://php.net/manual/en/book.openssl.php) | required | OpenSSL, HTTPS
3575fe5b 59[`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
dfe14f26 60[`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
bdfb967c 61[`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
787faa42 62[`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
bdfb967c 63[`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
64[`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
65[`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
992af0b9 66
91a21c27 67Some [plugins](Plugins.md) may require additional configuration.
68
f682f1b8 69- [PHP: Supported versions](http://php.net/supported-versions.php)
70- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
71- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
72- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
73- [PHP: Bugs](https://bugs.php.net/)
74
91a21c27 75
76## SSL/TLS (HTTPS)
992af0b9 77
f682f1b8 78We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) (SSL/[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security)) on your webserver for secure communication between clients and the server.
43ad7c8e 79
38d66e1a 80### Let's Encrypt
81
91a21c27 82For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
992af0b9 83
91a21c27 84 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
85 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
86 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
992af0b9 87
91a21c27 88In short:
992af0b9 89
91a21c27 90```bash
91# install certbot
92sudo apt install certbot
bdfb967c 93
91a21c27 94# stop your webserver if you already have one running
95# certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
96sudo systemctl stop apache2
97sudo systemctl stop nginx
bdfb967c 98
e0fe33f9 99# generate initial certificates
100# Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
91a21c27 101sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
102# this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
bdfb967c 103
91a21c27 104# restart the web server
105sudo systemctl start apache2
106sudo systemctl start nginx
107```
108
38d66e1a 109On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts.
110
111### Self-signed
112
91a21c27 113If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
114
115- [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
116- [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
f682f1b8 117- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
118- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
bdfb967c 119
120--------------------------------------------------------------------------------
121
91a21c27 122## Examples
123
1aeefe10 124The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
91a21c27 125
126```bash
d8847936 127# create the document root (replace with your own domain name)
91a21c27 128sudo mkdir -p /var/www/shaarli.mydomain.org/
129```
130
131You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
132
bdfb967c 133
91a21c27 134### Apache
bdfb967c 135
91a21c27 136```bash
137# Install apache + mod_php and PHP modules
138sudo apt update
139sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
140
d8847936 141# Edit the virtualhost configuration file with your favorite editor (replace the example domain name)
91a21c27 142sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
143```
992af0b9 144
992af0b9 145```apache
91a21c27 146<VirtualHost *:80>
147 ServerName shaarli.mydomain.org
148 DocumentRoot /var/www/shaarli.mydomain.org/
149
f682f1b8 150 # For SSL/TLS certificates acquired with certbot or self-signed certificates
f3ab2616 151 # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
91a21c27 152 RewriteEngine on
153 RewriteRule ^.well-known/acme-challenge/ - [L]
91a21c27 154 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
155 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
156</VirtualHost>
157
f682f1b8 158# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
159#MDomain shaarli.mydomain.org
160#MDCertificateAgreement accepted
161#MDContactEmail admin@shaarli.mydomain.org
162#MDPrivateKeys RSA 4096
163
bdfb967c 164<VirtualHost *:443>
91a21c27 165 ServerName shaarli.mydomain.org
166 DocumentRoot /var/www/shaarli.mydomain.org/
992af0b9 167
f3ab2616 168 # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
bdfb967c 169 SSLEngine on
91a21c27 170 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
171 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
c84d1430 172 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
173 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
174 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
175 SSLHonorCipherOrder off
176 SSLSessionTickets off
177 SSLOptions +StrictRequire
992af0b9 178
f682f1b8 179 # SSL/TLS configuration for self-signed certificates
bdfb967c 180 #SSLEngine on
181 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
182 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
992af0b9 183
bdfb967c 184 # Optional, log PHP errors, useful for debugging
185 #php_flag log_errors on
186 #php_flag display_errors on
187 #php_value error_reporting 2147483647
188 #php_value error_log /var/log/apache2/shaarli-php-error.log
992af0b9 189
91a21c27 190 <Directory /var/www/shaarli.mydomain.org/>
191 # Required for .htaccess support
992af0b9 192 AllowOverride All
ecdae223 193 Require all granted
bdfb967c 194 </Directory>
992af0b9 195
91a21c27 196 <LocationMatch "/\.">
197 # Prevent accessing dotfiles
198 RedirectMatch 404 ".*"
199 </LocationMatch>
3cc8c898 200
91a21c27 201 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
202 # allow client-side caching of static files
203 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
204 </LocationMatch>
3cc8c898 205
91a21c27 206 # serve the Shaarli favicon from its custom location
207 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
992af0b9 208
91a21c27 209</VirtualHost>
210```
43ad7c8e 211
91a21c27 212```bash
213# Enable the virtualhost
5eece37b 214sudo a2ensite shaarli.mydomain.org
992af0b9 215
91a21c27 216# mod_ssl must be enabled to use TLS/SSL certificates
217# https://httpd.apache.org/docs/current/mod/mod_ssl.html
218sudo a2enmod ssl
992af0b9 219
91a21c27 220# mod_rewrite must be enabled to use the REST API
221# https://httpd.apache.org/docs/current/mod/mod_rewrite.html
222sudo a2enmod rewrite
43ad7c8e 223
19489e92 224# mod_headers must be enabled to set custom headers from the server config
225sudo a2enmod headers
226
91a21c27 227# mod_version must only be enabled if you use Apache 2.2 or lower
228# https://httpd.apache.org/docs/current/mod/mod_version.html
229# sudo a2enmod version
992af0b9 230
91a21c27 231# restart the apache service
083b2802 232sudo systemctl restart apache2
91a21c27 233```
43ad7c8e 234
f682f1b8 235- [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10)
236- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
237- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
238- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
239- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
240- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
241- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
992af0b9 242
78f319fa 243
91a21c27 244### Nginx
43ad7c8e 245
538fb324 246This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
43ad7c8e 247
992af0b9 248
91a21c27 249```bash
250# install nginx and php-fpm
251sudo apt update
252sudo apt install nginx php-fpm
992af0b9 253
91a21c27 254# Edit the virtualhost configuration file with your favorite editor
255sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
992af0b9
V
256```
257
258```nginx
91a21c27 259server {
260 listen 80;
261 server_name shaarli.mydomain.org;
992af0b9 262
91a21c27 263 # redirect all plain HTTP requests to HTTPS
264 return 301 https://shaarli.mydomain.org$request_uri;
992af0b9 265}
992af0b9 266
91a21c27 267server {
a5e9f2d6 268 # ipv4 listening port/protocol
269 listen 443 ssl http2;
270 # ipv6 listening port/protocol
271 listen [::]:443 ssl http2;
91a21c27 272 server_name shaarli.mydomain.org;
273 root /var/www/shaarli.mydomain.org;
3cc8c898 274
91a21c27 275 # log file locations
276 # combined log format prepends the virtualhost/domain name to log entries
277 access_log /var/log/nginx/access.log combined;
278 error_log /var/log/nginx/error.log;
3cc8c898 279
91a21c27 280 # paths to private key and certificates for SSL/TLS
281 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
282 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
992af0b9 283
778add2c 284 # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
285 ssl_session_cache shared:le_nginx_SSL:10m;
286 ssl_session_timeout 1440m;
287 ssl_session_tickets off;
288 ssl_protocols TLSv1.2 TLSv1.3;
289 ssl_prefer_server_ciphers off;
290 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
291
91a21c27 292 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
293 client_max_body_size 100m;
992af0b9 294
91a21c27 295 # relative path to shaarli from the root of the webserver
296 location / {
297 # default index file when no file URI is requested
298 index index.php;
299 try_files $uri /index.php$is_args$args;
992af0b9 300 }
992af0b9 301
91a21c27 302 location ~ (index)\.php$ {
303 try_files $uri =404;
304 # slim API - split URL path into (script_filename, path_info)
305 fastcgi_split_path_info ^(.+\.php)(/.+)$;
306 # pass PHP requests to PHP-FPM
307 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
308 fastcgi_index index.php;
309 include fastcgi.conf;
310 }
43ad7c8e 311
91a21c27 312 location ~ \.php$ {
313 # deny access to all other PHP scripts
314 # disable this if you host other PHP applications on the same virtualhost
315 deny all;
316 }
992af0b9 317
91a21c27 318 location ~ /\. {
319 # deny access to dotfiles
320 deny all;
321 }
992af0b9 322
91a21c27 323 location ~ ~$ {
324 # deny access to temp editor files, e.g. "script.php~"
325 deny all;
326 }
992af0b9 327
2f87bfdc
A
328 location ~ /doc/ {
329 default_type "text/html";
330 try_files $uri $uri/ $uri.html =404;
331 }
332
91a21c27 333 location = /favicon.ico {
334 # serve the Shaarli favicon from its custom location
335 alias /var/www/shaarli/images/favicon.ico;
336 }
992af0b9 337
91a21c27 338 # allow client-side caching of static files
339 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
340 expires max;
341 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
342 # HTTP 1.0 compatibility
343 add_header Pragma public;
344 }
f8b936e7 345
f8b936e7 346}
992af0b9
V
347```
348
91a21c27 349```bash
350# enable the configuration/virtualhost
351sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
352# reload nginx configuration
353sudo systemctl reload nginx
992af0b9
V
354```
355
f682f1b8 356- [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)
357- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
358- [Nginx documentation](https://nginx.org/en/docs/)
359- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
360- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
361- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
362- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
363
538fb324 364
992af0b9 365
91a21c27 366## Reverse proxies
992af0b9 367
91a21c27 368If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
b230bf20 369
7f525042 370## Using Shaarli without URL rewriting
992af0b9 371
7f525042
A
372By default, Shaarli uses Slim framework's URL, which requires
373URL rewriting.
374
375If you can't use URL rewriting for any reason (not supported by
376your web server, shared hosting, etc.), you *can* use Shaarli
377without URL rewriting.
378
379You just need to prefix your URL by `/index.php/`.
380Example: instead of accessing `https://shaarli.mydomain.org/`,
381use `https://shaarli.mydomain.org/index.php/`.
382
383**Recommended:**
384 * after installation, in the configuration page, set your header link to `/index.php/`.
7836ed9b 385 * in your configuration file `config.json.php` set `general.root_url` to
7f525042 386 `https://shaarli.mydomain.org/index.php/`.
3cc8c898 387
91a21c27 388## Allow import of large browser bookmarks export
992af0b9 389
91a21c27 390Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
992af0b9 391
91a21c27 392- Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
393- Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
992af0b9 394
91a21c27 395```ini
53ed6d7d 396[...]
91a21c27 397# (optional) increase the maximum file upload size:
398post_max_size = 100M
399[...]
400# (optional) increase the maximum file upload size:
401upload_max_filesize = 100M
402```
992af0b9 403
91a21c27 404To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
992af0b9 405
91a21c27 406```bash
407# example
408echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
409#give read-only access to this file to the webserver user
410sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
411sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
412```
992af0b9 413
91a21c27 414Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
992af0b9 415
91a21c27 416It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
992af0b9 417
b230bf20 418
91a21c27 419## Robots and crawlers
992af0b9 420
91a21c27 421To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
3cc8c898 422
91a21c27 423```
424User-agent: *
425Disallow: /
992af0b9 426```
bdfb967c 427
91a21c27 428By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
bdfb967c 429
91a21c27 430- [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
431- [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
432- [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
433- [About robots.txt](http://www.robotstxt.org)
434- [About the robots META tag](https://www.robotstxt.org/meta.html)
bdfb967c 435
b49a04f7 436
91a21c27 437## Fail2ban
bdfb967c 438
91a21c27 439[fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
6c44d604 440
91a21c27 441```ini
442# /etc/fail2ban/filter.d/shaarli-auth.conf
443[INCLUDES]
444before = common.conf
445[Definition]
446failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
ec457491 447ignoreregex =
91a21c27 448```
bdfb967c 449
91a21c27 450```ini
451# /etc/fail2ban/jail.local
452[shaarli-auth]
453enabled = true
454port = https,http
455filter = shaarli-auth
456logpath = /var/www/shaarli.mydomain.org/data/log.txt
457# allow 3 login attempts per IP address
458# (over a period specified by findtime = in /etc/fail2ban/jail.conf)
459maxretry = 3
460# permanently ban the IP address after reaching the limit
461bantime = -1
462```
bdfb967c 463
e21df1e7 464Then restart the service: `sudo systemctl restart fail2ban`
465
91a21c27 466
f682f1b8 467## What next?
91a21c27 468
f682f1b8 469[Shaarli installation](Installation.md)