]>
Commit | Line | Data |
---|---|---|
1 | # Reverse proxy | |
2 | ||
3 | If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example: | |
4 | ||
5 | - The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`). | |
6 | - The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine. | |
7 | - Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`. | |
8 | - No HTTPS is setup on the application server, SSL termination is done at the reverse proxy. | |
9 | ||
10 | In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`. | |
11 | ||
12 | See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues. | |
13 | ||
14 | ||
15 | ## Apache | |
16 | ||
17 | ```apache | |
18 | <VirtualHost *:80> | |
19 | ServerName shaarli.mydomain.org | |
20 | # Redirect HTTP to HTTPS | |
21 | Redirect permanent / https://shaarli.mydomain.org | |
22 | </VirtualHost> | |
23 | ||
24 | <VirtualHost *:443> | |
25 | ServerName shaarli.mydomain.org | |
26 | ||
27 | SSLEngine on | |
28 | SSLCertificateFile /path/to/certificate | |
29 | SSLCertificateKeyFile /path/to/private/key | |
30 | ||
31 | LogLevel warn | |
32 | ErrorLog /var/log/apache2/error.log | |
33 | CustomLog /var/log/apache2/access.log combined | |
34 | ||
35 | # let the proxied shaarli server/container know HTTPS URLs should be served | |
36 | RequestHeader set X-Forwarded-Proto "https" | |
37 | ||
38 | # send the original SERVER_NAME to the proxied host | |
39 | ProxyPreserveHost On | |
40 | ||
41 | # pass requests to the proxied host | |
42 | # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers | |
43 | ProxyPass / http://127.0.0.1:10080/ | |
44 | ProxyPassReverse / http://127.0.0.1:10080/ | |
45 | </VirtualHost> | |
46 | ``` | |
47 | ||
48 | ||
49 | ## HAProxy | |
50 | ||
51 | ||
52 | ```conf | |
53 | global | |
54 | [...] | |
55 | ||
56 | defaults | |
57 | [...] | |
58 | ||
59 | frontend http-in | |
60 | bind :80 | |
61 | redirect scheme https code 301 if !{ ssl_fc } | |
62 | bind :443 ssl crt /path/to/cert.pem | |
63 | default_backend shaarli | |
64 | ||
65 | backend shaarli | |
66 | mode http | |
67 | option http-server-close | |
68 | option forwardfor | |
69 | reqadd X-Forwarded-Proto: https | |
70 | server shaarli1 127.0.0.1:10080 | |
71 | ``` | |
72 | ||
73 | ||
74 | ## Nginx | |
75 | ||
76 | ||
77 | ```nginx | |
78 | http { | |
79 | [...] | |
80 | ||
81 | index index.html index.php; | |
82 | ||
83 | root /home/john/web; | |
84 | access_log /var/log/nginx/access.log combined; | |
85 | error_log /var/log/nginx/error.log; | |
86 | ||
87 | server { | |
88 | listen 80; | |
89 | server_name shaarli.mydomain.org; | |
90 | # redirect HTTP to HTTPS | |
91 | return 301 https://shaarli.mydomain.org$request_uri; | |
92 | } | |
93 | ||
94 | server { | |
95 | listen 443 ssl http2; | |
96 | server_name shaarli.mydomain.org; | |
97 | ||
98 | ssl_certificate /path/to/certificate | |
99 | ssl_certificate_key /path/to/private/key | |
100 | ||
101 | location / { | |
102 | proxy_set_header X-Real-IP $remote_addr; | |
103 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
104 | proxy_set_header X-Forwarded-Proto $scheme; | |
105 | proxy_set_header X-Forwarded-Host $host; | |
106 | ||
107 | # pass requests to the proxied host | |
108 | proxy_pass http://localhost:10080/; | |
109 | proxy_set_header Host $host; | |
110 | proxy_connect_timeout 30s; | |
111 | proxy_read_timeout 120s; | |
112 | } | |
113 | } | |
114 | } | |
115 | ``` | |
116 |