[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md

# Server configuration


## Requirements

### Operating system and web server

Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.

You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).

Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.

### Network and domain name

Try to host the server in a region that is geographically close to your users.

A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.

You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).

Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.

Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.


### PHP

Supported PHP versions:

Version | Status | Shaarli compatibility
:---:|:---:|:---:
7.3 | Supported | Yes
7.2 | Supported | Yes
7.1 | Supported | Yes
7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
5.5 | EOL: 2016-07-10 | Yes
5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)

Required PHP extensions:

Extension | Required? | Usage
---|:---:|---
[`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
[`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
[`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
[`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
[`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->è->f`)
[`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
[`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)

Some [plugins](Plugins.md) may require additional configuration.


## SSL/TLS (HTTPS)

We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.

For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.

 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).

In short:

```bash
# install certbot
sudo apt install certbot

# stop your webserver if you already have one running
# certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
sudo systemctl stop apache2
sudo systemctl stop nginx

# generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
# (DNS records must be correctly pointing to  it, firewall/NAT on port 80/443 must be open)
sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
# this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem

# restart the web server
sudo systemctl start apache2
sudo systemctl start nginx
```

If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:

- [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
- [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)

--------------------------------------------------------------------------------

## Examples

The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).

In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:

```bash
sudo mkdir -p /var/www/shaarli.mydomain.org/
```

You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)


### Apache

```bash
# Install apache + mod_php and PHP modules
sudo apt update
sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext

# Edit the virtualhost configuration file with your favorite editor
sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
```

```apache
<VirtualHost *:80>
    ServerName shaarli.mydomain.org
    DocumentRoot /var/www/shaarli.mydomain.org/

    # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel  warn
    # Log file locations
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    # Redirect HTTP requests to HTTPS
    RewriteEngine on
    RewriteRule ^.well-known/acme-challenge/ - [L]
    # except for Let's Encrypt ACME challenge requests
    RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
    RewriteRule  ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName   shaarli.mydomain.org
    DocumentRoot /var/www/shaarli.mydomain.org/

    # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel  warn
    # Log file locations
    ErrorLog  /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    # SSL/TLS configuration (for Let's Encrypt certificates)
    SSLEngine             on
    SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # SSL/TLS configuration (for self-signed certificates)
    #SSLEngine             on
    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Optional, log PHP errors, useful for debugging
    #php_flag  log_errors on
    #php_flag  display_errors on
    #php_value error_reporting 2147483647
    #php_value error_log /var/log/apache2/shaarli-php-error.log

    <Directory /var/www/shaarli.mydomain.org/>
        # Required for .htaccess support
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    <LocationMatch "/\.">
        # Prevent accessing dotfiles
        RedirectMatch 404 ".*"
    </LocationMatch>

    <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
        # allow client-side caching of static files
        Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
    </LocationMatch>

    # serve the Shaarli favicon from its custom location
    Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico

</VirtualHost>
```

```bash
# Enable the virtualhost
sudo a2ensite shaarli

# mod_ssl must be enabled to use TLS/SSL certificates
# https://httpd.apache.org/docs/current/mod/mod_ssl.html
sudo a2enmod ssl

# mod_rewrite must be enabled to use the REST API
# https://httpd.apache.org/docs/current/mod/mod_rewrite.html
sudo a2enmod rewrite

# mod_version must only be enabled if you use Apache 2.2 or lower
# https://httpd.apache.org/docs/current/mod/mod_version.html
# sudo a2enmod version

# restart the apache service
systemctl restart apache
```

See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.

### Nginx

Guide on setting up the Nginx web server: [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)

You will also need to install the [PHP-FPM](http://php-fpm.org) interpreter as detailed [here](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing). Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data` but this may vary depending on your Linux distribution.


```bash
# install nginx and php-fpm
sudo apt update
sudo apt install nginx php-fpm

# Edit the virtualhost configuration file with your favorite editor
sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
```

```nginx
server {
    listen       80;
    server_name  shaarli.mydomain.org;

    # redirect all plain HTTP requests to HTTPS
    return 301 https://shaarli.mydomain.org$request_uri;
}

server {
    listen       443 ssl;
    server_name  shaarli.mydomain.org;
    root         /var/www/shaarli.mydomain.org;

    # log file locations
    # combined log format prepends the virtualhost/domain name to log entries
    access_log  /var/log/nginx/access.log combined;
    error_log   /var/log/nginx/error.log;

    # paths to private key and certificates for SSL/TLS
    ssl_certificate      /etc/ssl/shaarli.mydomain.org.crt;
    ssl_certificate_key  /etc/ssl/private/shaarli.mydomain.org.key;

    # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
    client_max_body_size 100m;

    # relative path to shaarli from the root of the webserver
    location / {
        # default index file when no file URI is requested
        index index.php;
        try_files $uri /index.php$is_args$args;
    }

    location ~ (index)\.php$ {
        try_files $uri =404;
        # slim API - split URL path into (script_filename, path_info)
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # pass PHP requests to PHP-FPM
        fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        include        fastcgi.conf;
    }

    location ~ \.php$ {
        # deny access to all other PHP scripts
        # disable this if you host other PHP applications on the same virtualhost
        deny all;
    }

    location ~ /\. {
        # deny access to dotfiles
        deny all;
    }

    location ~ ~$ {
        # deny access to temp editor files, e.g. "script.php~"
        deny all;
    }

    location = /favicon.ico {
        # serve the Shaarli favicon from its custom location
        alias /var/www/shaarli/images/favicon.ico;
    }

    # allow client-side caching of static files
    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
        expires    max;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # HTTP 1.0 compatibility
        add_header Pragma public;
    }

}
```

```bash
# enable the configuration/virtualhost
sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
# reload nginx configuration
sudo systemctl reload nginx
```


## Reverse proxies

If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.


## Allow import of large browser bookmarks export

Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.

- Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
- Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))

```ini
[...]
# (optional) increase the maximum file upload size:
post_max_size = 100M
[...]
# (optional) increase the maximum file upload size:
upload_max_filesize = 100M
```

To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root

```bash
# example
echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
#give read-only access to this file to the webserver user
sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
```

Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries

It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.


## Robots and crawlers

To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:

```
User-agent: *
Disallow: /
```

By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.

- [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
- [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
- [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
- [About robots.txt](http://www.robotstxt.org)
- [About the robots META tag](https://www.robotstxt.org/meta.html)


## Fail2ban

[fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:

```ini
# /etc/fail2ban/filter.d/shaarli-auth.conf
[INCLUDES]
before = common.conf
[Definition]
failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
ignoreregex = 
```

```ini
# /etc/fail2ban/jail.local
[shaarli-auth]
enabled  = true
port     = https,http
filter   = shaarli-auth
logpath  = /var/www/shaarli.mydomain.org/data/log.txt
# allow 3 login attempts per IP address
# (over a period specified by findtime = in /etc/fail2ban/jail.conf)
maxretry = 3
# permanently ban the IP address after reaching the limit
bantime = -1
```

#### References

- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
- [Nginx documentation](https://nginx.org/en/docs/)
- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
- [PHP: Supported versions](http://php.net/supported-versions.php)
- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
- [PHP: Bugs](https://bugs.php.net/)
- [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
- Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
Commit	Line	Data
	1	# Server configuration
	2
	3
	4
	5	## Requirements
	6
	7	### Operating system and web server
	8
	9	Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
	10
	11	You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
	12
	13	Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
	14
	15	### Network and domain name
	16
	17	Try to host the server in a region that is geographically close to your users.
	18
	19	A domain name ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
	20
	21	You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
	22
	23	Setup a firewall (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these ports are forwarded to the server.
	24
	25	Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
	26
	27
	28	### PHP
	29
	30	Supported PHP versions:
	31
	32	Version \| Status \| Shaarli compatibility
	33	:---:\|:---:\|:---:
	34	7.3 \| Supported \| Yes
	35	7.2 \| Supported \| Yes
	36	7.1 \| Supported \| Yes
	37	7.0 \| EOL: 2018-12-03 \| Yes (up to Shaarli 0.10.x)
	38	5.6 \| EOL: 2018-12-31 \| Yes (up to Shaarli 0.10.x)
	39	5.5 \| EOL: 2016-07-10 \| Yes
	40	5.4 \| EOL: 2015-09-14 \| Yes (up to Shaarli 0.8.x)
	41	5.3 \| EOL: 2014-08-14 \| Yes (up to Shaarli 0.8.x)
	42
	43	Required PHP extensions:
	44
	45	Extension \| Required? \| Usage
	46	---\|:---:\|---
	47	[`openssl`](http://php.net/manual/en/book.openssl.php) \| All \| OpenSSL, HTTPS
	48	[`php-json`](http://php.net/manual/en/book.json.php) \| required \| configuration parsing
	49	[`php-mbstring`](http://php.net/manual/en/book.mbstring.php) \| CentOS, Fedora, RHEL, Windows, some hosting providers \| multibyte (Unicode) string support
	50	[`php-gd`](http://php.net/manual/en/book.image.php) \| optional \| required to use thumbnails
	51	[`php-intl`](http://php.net/manual/en/book.intl.php) \| optional \| localized text sorting (e.g. `e->è->f`)
	52	[`php-curl`](http://php.net/manual/en/book.curl.php) \| optional \| using cURL for fetching webpages and thumbnails in a more robust way
	53	[`php-gettext`](http://php.net/manual/en/book.gettext.php) \| optional \| Use the translation system in gettext mode (faster)
	54
	55	Some [plugins](Plugins.md) may require additional configuration.
	56
	57
	58	## SSL/TLS (HTTPS)
	59
	60	We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
	61
	62	For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
	63
	64	- [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
	65	- [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
	66	- [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
	67
	68	In short:
	69
	70	```bash
	71	# install certbot
	72	sudo apt install certbot
	73
	74	# stop your webserver if you already have one running
	75	# certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
	76	sudo systemctl stop apache2
	77	sudo systemctl stop nginx
	78
	79	# generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
	80	# (DNS records must be correctly pointing to it, firewall/NAT on port 80/443 must be open)
	81	sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
	82	# this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
	83
	84	# restart the web server
	85	sudo systemctl start apache2
	86	sudo systemctl start nginx
	87	```
	88
	89	If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
	90
	91	- [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
	92	- [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
	93
	94	--------------------------------------------------------------------------------
	95
	96	## Examples
	97
	98	The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).
	99
	100	In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
	101
	102	```bash
	103	sudo mkdir -p /var/www/shaarli.mydomain.org/
	104	```
	105
	106	You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
	107
	108
	109	### Apache
	110
	111	```bash
	112	# Install apache + mod_php and PHP modules
	113	sudo apt update
	114	sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
	115
	116	# Edit the virtualhost configuration file with your favorite editor
	117	sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
	118	```
	119
	120	```apache
	121	<VirtualHost *:80>
	122	ServerName shaarli.mydomain.org
	123	DocumentRoot /var/www/shaarli.mydomain.org/
	124
	125	# Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
	126	LogLevel warn
	127	# Log file locations
	128	ErrorLog /var/log/apache2/error.log
	129	CustomLog /var/log/apache2/access.log combined
	130
	131	# Redirect HTTP requests to HTTPS
	132	RewriteEngine on
	133	RewriteRule ^.well-known/acme-challenge/ - [L]
	134	# except for Let's Encrypt ACME challenge requests
	135	RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
	136	RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
	137	</VirtualHost>
	138
	139	<VirtualHost *:443>
	140	ServerName shaarli.mydomain.org
	141	DocumentRoot /var/www/shaarli.mydomain.org/
	142
	143	# Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
	144	LogLevel warn
	145	# Log file locations
	146	ErrorLog /var/log/apache2/error.log
	147	CustomLog /var/log/apache2/access.log combined
	148
	149	# SSL/TLS configuration (for Let's Encrypt certificates)
	150	SSLEngine on
	151	SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
	152	SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
	153	Include /etc/letsencrypt/options-ssl-apache.conf
	154
	155	# SSL/TLS configuration (for self-signed certificates)
	156	#SSLEngine on
	157	#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	158	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
	159
	160	# Optional, log PHP errors, useful for debugging
	161	#php_flag log_errors on
	162	#php_flag display_errors on
	163	#php_value error_reporting 2147483647
	164	#php_value error_log /var/log/apache2/shaarli-php-error.log
	165
	166	<Directory /var/www/shaarli.mydomain.org/>
	167	# Required for .htaccess support
	168	AllowOverride All
	169	Order allow,deny
	170	Allow from all
	171	</Directory>
	172
	173	<LocationMatch "/\.">
	174	# Prevent accessing dotfiles
	175	RedirectMatch 404 ".*"
	176	</LocationMatch>
	177
	178	<LocationMatch "\.(?:ico\|css\|js\|gif\|jpe?g\|png)$">
	179	# allow client-side caching of static files
	180	Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
	181	</LocationMatch>
	182
	183	# serve the Shaarli favicon from its custom location
	184	Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
	185
	186	</VirtualHost>
	187	```
	188
	189	```bash
	190	# Enable the virtualhost
	191	sudo a2ensite shaarli
	192
	193	# mod_ssl must be enabled to use TLS/SSL certificates
	194	# https://httpd.apache.org/docs/current/mod/mod_ssl.html
	195	sudo a2enmod ssl
	196
	197	# mod_rewrite must be enabled to use the REST API
	198	# https://httpd.apache.org/docs/current/mod/mod_rewrite.html
	199	sudo a2enmod rewrite
	200
	201	# mod_version must only be enabled if you use Apache 2.2 or lower
	202	# https://httpd.apache.org/docs/current/mod/mod_version.html
	203	# sudo a2enmod version
	204
	205	# restart the apache service
	206	systemctl restart apache
	207	```
	208
	209	See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
	210
	211	### Nginx
	212
	213	Guide on setting up the Nginx web server: [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)
	214
	215	You will also need to install the [PHP-FPM](http://php-fpm.org) interpreter as detailed [here](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing). Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data` but this may vary depending on your Linux distribution.
	216
	217
	218	```bash
	219	# install nginx and php-fpm
	220	sudo apt update
	221	sudo apt install nginx php-fpm
	222
	223	# Edit the virtualhost configuration file with your favorite editor
	224	sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
	225	```
	226
	227	```nginx
	228	server {
	229	listen 80;
	230	server_name shaarli.mydomain.org;
	231
	232	# redirect all plain HTTP requests to HTTPS
	233	return 301 https://shaarli.mydomain.org$request_uri;
	234	}
	235
	236	server {
	237	listen 443 ssl;
	238	server_name shaarli.mydomain.org;
	239	root /var/www/shaarli.mydomain.org;
	240
	241	# log file locations
	242	# combined log format prepends the virtualhost/domain name to log entries
	243	access_log /var/log/nginx/access.log combined;
	244	error_log /var/log/nginx/error.log;
	245
	246	# paths to private key and certificates for SSL/TLS
	247	ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
	248	ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
	249
	250	# increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
	251	client_max_body_size 100m;
	252
	253	# relative path to shaarli from the root of the webserver
	254	location / {
	255	# default index file when no file URI is requested
	256	index index.php;
	257	try_files $uri /index.php$is_args$args;
	258	}
	259
	260	location ~ (index)\.php$ {
	261	try_files $uri =404;
	262	# slim API - split URL path into (script_filename, path_info)
	263	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	264	# pass PHP requests to PHP-FPM
	265	fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
	266	fastcgi_index index.php;
	267	include fastcgi.conf;
	268	}
	269
	270	location ~ \.php$ {
	271	# deny access to all other PHP scripts
	272	# disable this if you host other PHP applications on the same virtualhost
	273	deny all;
	274	}
	275
	276	location ~ /\. {
	277	# deny access to dotfiles
	278	deny all;
	279	}
	280
	281	location ~ ~$ {
	282	# deny access to temp editor files, e.g. "script.php~"
	283	deny all;
	284	}
	285
	286	location = /favicon.ico {
	287	# serve the Shaarli favicon from its custom location
	288	alias /var/www/shaarli/images/favicon.ico;
	289	}
	290
	291	# allow client-side caching of static files
	292	location ~* \.(?:ico\|css\|js\|gif\|jpe?g\|png)$ {
	293	expires max;
	294	add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	295	# HTTP 1.0 compatibility
	296	add_header Pragma public;
	297	}
	298
	299	}
	300	```
	301
	302	```bash
	303	# enable the configuration/virtualhost
	304	sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
	305	# reload nginx configuration
	306	sudo systemctl reload nginx
	307	```
	308
	309
	310	## Reverse proxies
	311
	312	If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
	313
	314
	315
	316	## Allow import of large browser bookmarks export
	317
	318	Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
	319
	320	- Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
	321	- Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
	322
	323	```ini
	324	[...]
	325	# (optional) increase the maximum file upload size:
	326	post_max_size = 100M
	327	[...]
	328	# (optional) increase the maximum file upload size:
	329	upload_max_filesize = 100M
	330	```
	331
	332	To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
	333
	334	```bash
	335	# example
	336	echo '<?php phpinfo(); ?>' \| sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
	337	#give read-only access to this file to the webserver user
	338	sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
	339	sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
	340	```
	341
	342	Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
	343
	344	It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
	345
	346
	347	## Robots and crawlers
	348
	349	To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
	350
	351	```
	352	User-agent: *
	353	Disallow: /
	354	```
	355
	356	By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
	357
	358	- [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
	359	- [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
	360	- [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
	361	- [About robots.txt](http://www.robotstxt.org)
	362	- [About the robots META tag](https://www.robotstxt.org/meta.html)
	363
	364
	365	## Fail2ban
	366
	367	[fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
	368
	369	```ini
	370	# /etc/fail2ban/filter.d/shaarli-auth.conf
	371	[INCLUDES]
	372	before = common.conf
	373	[Definition]
	374	failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
	375	ignoreregex =
	376	```
	377
	378	```ini
	379	# /etc/fail2ban/jail.local
	380	[shaarli-auth]
	381	enabled = true
	382	port = https,http
	383	filter = shaarli-auth
	384	logpath = /var/www/shaarli.mydomain.org/data/log.txt
	385	# allow 3 login attempts per IP address
	386	# (over a period specified by findtime = in /etc/fail2ban/jail.conf)
	387	maxretry = 3
	388	# permanently ban the IP address after reaching the limit
	389	bantime = -1
	390	```
	391
	392	#### References
	393
	394	- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
	395	- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
	396	- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
	397	- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
	398	- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
	399	- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
	400	- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
	401	- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
	402	- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
	403	- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
	404	- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
	405	- [Nginx documentation](https://nginx.org/en/docs/)
	406	- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
	407	- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
	408	- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
	409	- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
	410	- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
	411	- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
	412	- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
	413	- [PHP: Supported versions](http://php.net/supported-versions.php)
	414	- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
	415	- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
	416	- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
	417	- [PHP: Bugs](https://bugs.php.net/)
	418	- [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
	419	- Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
	420
	421