]>
Commit | Line | Data |
---|---|---|
1 | # Reverse proxy | |
2 | ||
3 | If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example: | |
4 | ||
5 | - The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`). | |
6 | - The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine. | |
7 | - Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`. | |
8 | - No HTTPS is setup on the application server, SSL termination is done at the reverse proxy. | |
9 | ||
10 | In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`. | |
11 | ||
12 | See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues. | |
13 | ||
14 | ||
15 | ## Apache | |
16 | ||
17 | ```apache | |
18 | <VirtualHost *:80> | |
19 | ServerName shaarli.mydomain.org | |
20 | ||
21 | # For SSL/TLS certificates acquired with certbot or self-signed certificates | |
22 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests | |
23 | RewriteEngine on | |
24 | RewriteRule ^.well-known/acme-challenge/ - [L] | |
25 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org | |
26 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] | |
27 | </VirtualHost> | |
28 | ||
29 | # SSL/TLS configuration for Let's Encrypt certificates managed with mod_md | |
30 | #MDomain shaarli.mydomain.org | |
31 | #MDCertificateAgreement accepted | |
32 | #MDContactEmail admin@shaarli.mydomain.org | |
33 | #MDPrivateKeys RSA 4096 | |
34 | ||
35 | <VirtualHost *:443> | |
36 | ServerName shaarli.mydomain.org | |
37 | ||
38 | # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone | |
39 | SSLEngine on | |
40 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem | |
41 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem | |
42 | # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf | |
43 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
44 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |
45 | SSLHonorCipherOrder off | |
46 | SSLSessionTickets off | |
47 | SSLOptions +StrictRequire | |
48 | ||
49 | # SSL/TLS configuration for self-signed certificates | |
50 | #SSLEngine on | |
51 | #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | |
52 | #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | |
53 | ||
54 | # let the proxied shaarli server/container know HTTPS URLs should be served | |
55 | RequestHeader set X-Forwarded-Proto "https" | |
56 | ||
57 | # send the original SERVER_NAME to the proxied host | |
58 | ProxyPreserveHost On | |
59 | ||
60 | # pass requests to the proxied host | |
61 | # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers | |
62 | ProxyPass / http://127.0.0.1:10080/ | |
63 | ProxyPassReverse / http://127.0.0.1:10080/ | |
64 | </VirtualHost> | |
65 | ``` | |
66 | ||
67 | ||
68 | ## HAProxy | |
69 | ||
70 | ||
71 | ```conf | |
72 | global | |
73 | [...] | |
74 | ||
75 | defaults | |
76 | [...] | |
77 | ||
78 | frontend http-in | |
79 | bind :80 | |
80 | redirect scheme https code 301 if !{ ssl_fc } | |
81 | bind :443 ssl crt /path/to/cert.pem | |
82 | default_backend shaarli | |
83 | ||
84 | backend shaarli | |
85 | mode http | |
86 | option http-server-close | |
87 | option forwardfor | |
88 | reqadd X-Forwarded-Proto: https | |
89 | server shaarli1 127.0.0.1:10080 | |
90 | ``` | |
91 | ||
92 | - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/) | |
93 | ||
94 | ## Nginx | |
95 | ||
96 | ||
97 | ```nginx | |
98 | http { | |
99 | [...] | |
100 | ||
101 | index index.html index.php; | |
102 | ||
103 | root /home/john/web; | |
104 | access_log /var/log/nginx/access.log combined; | |
105 | error_log /var/log/nginx/error.log; | |
106 | ||
107 | server { | |
108 | listen 80; | |
109 | server_name shaarli.mydomain.org; | |
110 | # redirect HTTP to HTTPS | |
111 | return 301 https://shaarli.mydomain.org$request_uri; | |
112 | } | |
113 | ||
114 | server { | |
115 | listen 443 ssl http2; | |
116 | server_name shaarli.mydomain.org; | |
117 | ||
118 | ssl_certificate /path/to/certificate | |
119 | ssl_certificate_key /path/to/private/key | |
120 | ||
121 | location / { | |
122 | proxy_set_header X-Real-IP $remote_addr; | |
123 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
124 | proxy_set_header X-Forwarded-Proto $scheme; | |
125 | proxy_set_header X-Forwarded-Host $host; | |
126 | ||
127 | # pass requests to the proxied host | |
128 | proxy_pass http://localhost:10080/; | |
129 | proxy_set_header Host $host; | |
130 | proxy_connect_timeout 30s; | |
131 | proxy_read_timeout 120s; | |
132 | } | |
133 | } | |
134 | } | |
135 | ``` | |
136 | ||
137 | ## References | |
138 | ||
139 | - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) | |
140 | - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) | |
141 | - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) |