[github/shaarli/Shaarli.git] / doc / md / docker / reverse-proxy-configuration.md

## Foreword

This guide assumes that:

- Shaarli runs in a Docker container
- The host's `10080` port is mapped to the container's `80` port
- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.domain.tld`
- HTTP traffic is redirected to HTTPS

## Apache

- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
    - [mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
    - [Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)

The following HTTP headers are set by using the `ProxyPass` directive:

- `X-Forwarded-For`
- `X-Forwarded-Host`
- `X-Forwarded-Server`

```apache
<VirtualHost *:80>
    ServerName shaarli.domain.tld
    Redirect permanent / https://shaarli.domain.tld
</VirtualHost>

<VirtualHost *:443>
    ServerName shaarli.domain.tld

    SSLEngine on
    SSLCertificateFile    /path/to/cert
    SSLCertificateKeyFile /path/to/certkey

    LogLevel warn
    ErrorLog  /var/log/apache2/shaarli-error.log
    CustomLog /var/log/apache2/shaarli-access.log combined

    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:10080/
    ProxyPassReverse / http://127.0.0.1:10080/
</VirtualHost>
```


## HAProxy

- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)

```conf
global
    [...]

defaults
    [...]

frontend http-in
    bind :80
	redirect scheme https code 301 if !{ ssl_fc }

	bind :443 ssl crt /path/to/cert.pem

	default_backend shaarli


backend shaarli
    mode http
    option http-server-close
    option forwardfor
    reqadd X-Forwarded-Proto: https

    server shaarli1 127.0.0.1:10080
```


## Nginx

- [Nginx documentation](https://nginx.org/en/docs/)

```nginx
http {
    [...]

    index index.html index.php;

    root        /home/john/web;
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

	server {
		listen       80;
		server_name  shaarli.domain.tld;
		return       301 https://shaarli.domain.tld$request_uri;
	}

	server {
		listen       443 ssl http2;
		server_name  shaarli.domain.tld;

        ssl_certificate       /path/to/cert
        ssl_certificate_key   /path/to/certkey

		location / {
			proxy_set_header  X-Real-IP         $remote_addr;
			proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
			proxy_set_header  X-Forwarded-Proto $scheme;
			proxy_set_header  X-Forwarded-Host  $host;

			proxy_pass             http://localhost:10080/;
			proxy_set_header Host  $host;
			proxy_connect_timeout  30s;
			proxy_read_timeout     120s;

			access_log      /var/log/nginx/shaarli.access.log;
			error_log       /var/log/nginx/shaarli.error.log;
		}
	}
}
```
Commit	Line	Data
1a2c5dde V	1	## Foreword
	2
	3	This guide assumes that:
	4
	5	- Shaarli runs in a Docker container
	6	- The host's `10080` port is mapped to the container's `80` port
	7	- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.domain.tld`
	8	- HTTP traffic is redirected to HTTPS
	9
	10	## Apache
	11
	12	- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
	13	- [mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
	14	- [Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
	15
	16	The following HTTP headers are set by using the `ProxyPass` directive:
	17
	18	- `X-Forwarded-For`
	19	- `X-Forwarded-Host`
	20	- `X-Forwarded-Server`
	21
	22	```apache
	23	<VirtualHost *:80>
	24	ServerName shaarli.domain.tld
	25	Redirect permanent / https://shaarli.domain.tld
	26	</VirtualHost>
	27
	28	<VirtualHost *:443>
	29	ServerName shaarli.domain.tld
	30
	31	SSLEngine on
	32	SSLCertificateFile /path/to/cert
	33	SSLCertificateKeyFile /path/to/certkey
	34
	35	LogLevel warn
	36	ErrorLog /var/log/apache2/shaarli-error.log
	37	CustomLog /var/log/apache2/shaarli-access.log combined
	38
	39	RequestHeader set X-Forwarded-Proto "https"
	40
	41	ProxyPass / http://127.0.0.1:10080/
	42	ProxyPassReverse / http://127.0.0.1:10080/
	43	</VirtualHost>
	44	```
53ed6d7d	45
53ed6d7d	46
	47	## HAProxy
	48
1a2c5dde V	49	- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
	50
	51	```conf
	52	global
	53	[...]
	54
	55	defaults
	56	[...]
	57
	58	frontend http-in
	59	bind :80
	60	redirect scheme https code 301 if !{ ssl_fc }
	61
	62	bind :443 ssl crt /path/to/cert.pem
	63
	64	default_backend shaarli
	65
	66
	67	backend shaarli
	68	mode http
	69	option http-server-close
	70	option forwardfor
	71	reqadd X-Forwarded-Proto: https
	72
	73	server shaarli1 127.0.0.1:10080
	74	```
	75
	76
53ed6d7d	77	## Nginx
1a2c5dde V	78
	79	- [Nginx documentation](https://nginx.org/en/docs/)
	80
	81	```nginx
	82	http {
	83	[...]
	84
	85	index index.html index.php;
	86
	87	root /home/john/web;
	88	access_log /var/log/nginx/access.log;
	89	error_log /var/log/nginx/error.log;
	90
	91	server {
	92	listen 80;
	93	server_name shaarli.domain.tld;
	94	return 301 https://shaarli.domain.tld$request_uri;
	95	}
	96
	97	server {
	98	listen 443 ssl http2;
	99	server_name shaarli.domain.tld;
	100
	101	ssl_certificate /path/to/cert
	102	ssl_certificate_key /path/to/certkey
	103
	104	location / {
	105	proxy_set_header X-Real-IP $remote_addr;
	106	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	107	proxy_set_header X-Forwarded-Proto $scheme;
	108	proxy_set_header X-Forwarded-Host $host;
	109
	110	proxy_pass http://localhost:10080/;
	111	proxy_set_header Host $host;
	112	proxy_connect_timeout 30s;
	113	proxy_read_timeout 120s;
	114
	115	access_log /var/log/nginx/shaarli.access.log;
	116	error_log /var/log/nginx/shaarli.error.log;
	117	}
	118	}
	119	}
	120	```