<h1 id="server-configuration">Server configuration</h1>
<p><em>Example virtual host configurations for popular web servers</em></p>
<ul>
<li><a href="#apache">Apache</a></li>
<li><a href="#lighthttpd">LightHttpd</a> (empty)</li>
<li><a href="#nginx">Nginx</a></li>
</ul>
<h2 id="prerequisites">Prerequisites</h2>
<ul>
<li>Shaarli is installed in a directory readable/writable by the user</li>
<li>the correct read/write permissions have been granted to the web server <em>user and/or group</em></li>
<li>for HTTPS / SSL:
<ul>
<li>a key pair (public, private) and a certificate have been generated</li>
<li>the appropriate server SSL extension is installed and active</li>
</ul></li>
</ul>
<p>Related guides:</p>
<ul>
<li><a href="http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php">How to Create Self-Signed SSL Certificates with OpenSSL</a></li>
<li><a href="https://workaround.org/certificate-authority">How do I create my own Certificate Authority?</a></li>
</ul>
<h2 id="apache">Apache</h2>
<h3 id="minimal">Minimal</h3>
<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
ServerName<span class="st"> shaarli.my-domain.org</span>
DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
<h3 id="debug---log-all-the-things">Debug - Log all the things!</h3>
<p>This configuration logs both Apache and PHP errors, which may help to identify server configuration errors.</p>
<p>See:</p>
<ul>
<li><a href="http://stackoverflow.com/q/176">Apache/PHP - error log per VirtualHost</a> (StackOverflow)</li>
<li>PHP: php_value vs php_admin_value and the use of php_flag explained</li>
</ul>
<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
ServerName<span class="st"> shaarli.my-domain.org</span>
DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>

<span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>

php_flag log_errors on
php_flag display_errors on
php_value error_reporting 2147483647
php_value error_log /var/log/apache2/shaarli-php-error.log
<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
<h3 id="standard---keep-access-and-error-logs">Standard - Keep access and error logs</h3>
<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
ServerName<span class="st"> shaarli.my-domain.org</span>
DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>

<span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
<h3 id="paranoid---redirect-http-80-to-https-443">Paranoid - Redirect HTTP (:80) to HTTPS (:443)</h3>
<p>See <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache">Server-side TLS</a> (Mozilla).</p>
<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:443</span><span class="fu">&gt;</span>
ServerName<span class="st"> shaarli.my-domain.org</span>
DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>

<span class="ot">SSLEngine</span><span class="ch"> </span><span class="kw">on</span>
SSLCertificateFile<span class="st"> /absolute/path/to/the/website/certificate.crt</span>
SSLCertificateKeyFile<span class="st"> /absolute/path/to/the/website/key.key</span>

<span class="fu">&lt;Directory</span><span class="ot"> /absolute/path/to/shaarli/</span><span class="fu">&gt;</span>
<span class="co"># AllowOverride All lets Shaarli's .htaccess rules apply</span>
<span class="ot">AllowOverride</span><span class="ch"> </span><span class="kw">All</span>
<span class="co"># Indexes enables directory listings where no index file exists; drop it if you do not want that</span>
<span class="ot">Options</span><span class="ch"> </span><span class="kw">Indexes</span><span class="ch"> </span><span class="kw">FollowSymLinks</span><span class="ch"> </span><span class="kw">MultiViews</span>
<span class="co"># Apache 2.2 access control; on Apache 2.4 use &quot;Require all granted&quot; instead</span>
<span class="ot">Order</span><span class="ch"> </span><span class="kw">allow,deny</span>
allow<span class="st"> from all</span>
<span class="fu">&lt;/Directory&gt;</span>

<span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
<span class="fu">&lt;/VirtualHost&gt;</span>

<span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
ServerName<span class="st"> shaarli.my-domain.org</span>
<span class="co"># the trailing slash matters: the rest of the request path is appended to the target URL</span>
Redirect<span class="st"> 301 / https://shaarli.my-domain.org/</span>

<span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
<h2 id="lighthttpd">LightHttpd</h2>
<h2 id="nginx">Nginx</h2>
<h3 id="foreword">Foreword</h3>
<p>Nginx does not natively interpret PHP scripts; to achieve this, we will run a <a href="https://en.wikipedia.org/wiki/FastCGI">FastCGI</a> service, to which Nginx's FastCGI module will proxy all requests for PHP resources.</p>
<p>Required packages:</p>
<ul>
<li><a href="http://nginx.org">nginx</a></li>
<li><a href="http://php-fpm.org">php-fpm</a> - PHP FastCGI Process Manager</li>
</ul>
<p>Official documentation:</p>
<ul>
<li><a href="http://nginx.org/en/docs/beginners_guide.html">Beginner's guide</a></li>
<li><a href="http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html">ngx_http_fastcgi_module</a></li>
<li><a href="http://wiki.nginx.org/Pitfalls">Pitfalls</a></li>
</ul>
<p>Community resources:</p>
<ul>
<li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx">Server-side TLS (Nginx)</a> (Mozilla)</li>
<li><a href="http://kbeezie.com/nginx-configuration-examples/">PHP configuration examples</a> (Karl Blessing)</li>
</ul>
<h3 id="common-setup">Common setup</h3>
<p>Once Nginx and PHP-FPM are installed, we need to ensure:</p>
<ul>
<li>Nginx and PHP-FPM are running using the <em>same user and group</em></li>
<li>this user and group both have
<ul>
<li><code>read</code> permissions for Shaarli resources</li>
<li><code>execute</code> permissions for Shaarli directories <em>AND</em> their parent directories</li>
</ul></li>
</ul>
<p>On a production server:</p>
<ul>
<li><code>user:group</code> will likely be <code>http:http</code>, <code>www:www</code> or <code>www-data:www-data</code></li>
<li>files will be located under <code>/var/www</code>, <code>/var/http</code> or <code>/usr/share/nginx</code></li>
</ul>
<p>On a development server:</p>
<ul>
<li>files may be located in a user's home directory</li>
<li>in this case, make sure both Nginx and PHP-FPM are running as the local user/group!</li>
</ul>
<p>For all following examples, a development configuration will be used:</p>
<ul>
<li><code>user:group = john:users</code>,</li>
</ul>
<p>which corresponds to the following service configuration:</p>
<pre class="sourceCode ini"><code class="sourceCode ini"><span class="co">; /etc/php/php-fpm.conf</span>
<span class="dt">user </span><span class="ot">=</span><span class="st"> john</span>
<span class="dt">group </span><span class="ot">=</span><span class="st"> users</span>

<span class="kw">[...]</span>
<span class="dt">listen.owner </span><span class="ot">=</span><span class="st"> john</span>
<span class="dt">listen.group </span><span class="ot">=</span><span class="st"> users</span></code></pre>
<pre class="nginx"><code># /etc/nginx/nginx.conf
user john users;

http {
[...]
}</code></pre>
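<p>The two permission requirements above (read on every Shaarli file, execute on every Shaarli directory and on every parent directory up to the root) are easy to get wrong when the files live in a home directory. The following added example, which is not part of Shaarli or its documentation, evaluates POSIX permissions for a given uid and group set over a snapshot of the tree; the uids, gids, modes and paths in <code>SAMPLE</code> are constructed for illustration.</p>
```python
"""Check the requirement above: the web user must be able to read every
Shaarli file and traverse (execute) every Shaarli directory and every
parent directory up to "/". Added example, not Shaarli's own code; the
uids, gids, modes and paths below are constructed."""
import os
import stat

def allowed(mode, file_uid, file_gid, uid, gids, want):
    """POSIX check; `want` is os.R_OK (4) or os.X_OK (1), `gids` the user's groups."""
    if uid == file_uid:          # exactly one class applies: owner ...
        bits = (mode >> 6) & 7
    elif file_gid in gids:       # ... else group ...
        bits = (mode >> 3) & 7
    else:                        # ... else other
        bits = mode & 7
    return bits & want == want

def check_tree(entries, uid, gids):
    """entries: {path: (st_mode, st_uid, st_gid)} for the Shaarli tree and
    its parent directories. Returns the paths the user cannot use."""
    problems = []
    for path, (mode, fuid, fgid) in entries.items():
        want = os.X_OK if stat.S_ISDIR(mode) else os.R_OK  # dirs: search bit
        if not allowed(mode, fuid, fgid, uid, gids, want):
            problems.append(path)
    return problems

def stat_tree(shaarli_root):
    """Collect (st_mode, st_uid, st_gid) for the tree and all its parents."""
    entries = {}
    parent = os.path.dirname(os.path.abspath(shaarli_root))
    while parent not in entries:  # ends after "/" since dirname("/") == "/"
        st = os.stat(parent)
        entries[parent] = (st.st_mode, st.st_uid, st.st_gid)
        parent = os.path.dirname(parent)
    for dirpath, _, files in os.walk(shaarli_root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.stat(p)
            entries[p] = (st.st_mode, st.st_uid, st.st_gid)
    return entries

# Constructed sample: john (uid 1000, group users = gid 100) keeps his home 0700.
SAMPLE = {
    "/home/john": (0o040700, 1000, 100),
    "/home/john/web": (0o040755, 1000, 100),
    "/home/john/web/shaarli": (0o040755, 1000, 100),
    "/home/john/web/shaarli/index.php": (0o100644, 1000, 100),
    "/home/john/web/shaarli/data/config.php": (0o100600, 1000, 100),
}
```
<p>With <code>SAMPLE</code>, <code>check_tree(SAMPLE, 1000, {100})</code> (john:users, the development setup above) reports nothing, while a <code>www-data</code> uid such as 33 is stopped at <code>/home/john</code> and cannot read <code>data/config.php</code>; <code>check_tree(stat_tree("/home/john/web/shaarli"), uid, gids)</code> runs the same check on a real installation.</p>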
<h3 id="minimal-1">Minimal</h3>
<p><em>WARNING: Use for development only!</em></p>
<pre class="nginx"><code>user john users;
worker_processes 1;
events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;
keepalive_timeout 20;

index index.html index.php;

server {
listen 80;
server_name localhost;
root /home/john/web;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

location /shaarli/ {
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
}

location ~ (index)\.php$ {
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
}
}</code></pre>
<h3 id="modular">Modular</h3>
<p>The previous setup is sufficient for development purposes, but has several major caveats:</p>
<ul>
<li>any content that does not match the PHP rule will be sent to client browsers as-is:
<ul>
<li>dotfiles - in our case, <code>.htaccess</code></li>
<li>temporary files, e.g. Vim or Emacs backup files: <code>index.php~</code></li>
</ul></li>
<li>asset / static resource caching is not optimized</li>
<li>if serving several PHP sites, there will be a lot of duplication: <code>location /shaarli/</code>, <code>location /mysite/</code>, etc.</li>
</ul>
<p>To solve this, we will split the Nginx configuration into several parts, which will be included where needed:</p>
<pre class="nginx"><code># /etc/nginx/deny.conf
location ~ /\. {
# deny access to dotfiles
access_log off;
log_not_found off;
deny all;
}

location ~ ~$ {
# deny access to temp editor files, e.g. &quot;script.php~&quot;
access_log off;
log_not_found off;
deny all;
}</code></pre>
<pre class="nginx"><code># /etc/nginx/php.conf
location ~ (index)\.php$ {
# proxy PHP requests to PHP-FPM
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}</code></pre>
<pre class="nginx"><code># /etc/nginx/static_assets.conf
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control &quot;public, must-revalidate, proxy-revalidate&quot;;
}</code></pre>
<pre class="nginx"><code># /etc/nginx/nginx.conf
[...]

http {
[...]

root /home/john/web;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

server {
# virtual host for a first domain
listen 80;
server_name my.first.domain.org;

location /shaarli/ {
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
}

include deny.conf;
include static_assets.conf;
include php.conf;
}

server {
# virtual host for a second domain
listen 80;
server_name second.domain.com;

location /minigal/ {
access_log /var/log/nginx/minigal.access.log;
error_log /var/log/nginx/minigal.error.log;
}

include deny.conf;
include static_assets.conf;
include php.conf;
}
}</code></pre>
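<p>Because regex locations are tried in the order they appear and the first match wins, the include order above decides whether a request is denied, cached, handed to PHP-FPM or simply served as a file. The following added example (not part of Shaarli or Nginx) replays that matching logic for the modular vhost over a few constructed request URIs, so the effect of <code>deny.conf</code>, <code>static_assets.conf</code> and <code>php.conf</code> can be checked before reloading the server; it models only the subset of Nginx location semantics this page uses.</p>
```python
"""Simulate which of the rules above (deny.conf, static_assets.conf,
php.conf, then the plain prefix locations) a request URI ends up in.

Added example, not Shaarli's or Nginx's own code. It models only what the
page uses: regex locations are tried in include order and the first match
wins; otherwise the longest matching prefix location applies."""
import re

# (pattern, case-insensitive, outcome) in the include order of the modular vhost
REGEX_LOCATIONS = [
    (r"/\.", False, "denied (dotfile)"),                              # deny.conf
    (r"~$", False, "denied (editor temp file)"),                      # deny.conf
    (r"\.(?:ico|css|js|gif|jpe?g|png)$", True, "static, cacheable"),  # static_assets.conf
    (r"(index)\.php$", False, "passed to PHP-FPM"),                   # php.conf
]
# plain prefix locations of the first vhost (extra logging only, no filtering)
PREFIX_LOCATIONS = {"/shaarli/": "served as a file from root (shaarli log)"}


def classify(uri):
    """Outcome nginx would pick for `uri` under the modular configuration."""
    for pattern, nocase, outcome in REGEX_LOCATIONS:
        if re.search(pattern, uri, re.IGNORECASE if nocase else 0):
            return outcome
    # no regex matched: the longest matching prefix location applies
    matches = [p for p in PREFIX_LOCATIONS if uri.startswith(p)]
    if matches:
        return PREFIX_LOCATIONS[max(matches, key=len)]
    return "served as a file from root"


SAMPLE_URIS = [  # constructed requests against the first vhost
    "/shaarli/index.php",
    "/shaarli/.htaccess",
    "/shaarli/index.php~",
    "/shaarli/images/Logo.PNG",
    "/shaarli/README.md",  # neither dotfile nor index.php: sent to the client as-is
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:28} -> {classify(uri)}")
```
<p>The last sample shows the remaining caveat: anything that is not a dotfile, an editor backup or <code>index.php</code> is still served verbatim from <code>root</code>, exactly as the list above warns.</p>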
<h3 id="redirect-http-to-https">Redirect HTTP to HTTPS</h3>
<p>Assuming you have generated a (self-signed) key and certificate, and they are located under <code>/home/john/ssl/localhost.{key,crt}</code>, it is straightforward to set up an HTTP (:80) to HTTPS (:443) redirection to force SSL/TLS usage.</p>
<pre class="nginx"><code># /etc/nginx/nginx.conf
[...]

http {
[...]

index index.html index.php;

root /home/john/web;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

server {
listen 80;
server_name localhost;

return 301 https://localhost$request_uri;
}

server {
listen 443 ssl;
server_name localhost;

ssl_certificate /home/john/ssl/localhost.crt;
ssl_certificate_key /home/john/ssl/localhost.key;

location /shaarli/ {
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
}

include deny.conf;
include static_assets.conf;
include php.conf;
}
}</code></pre>
