]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/Server-configuration.html
projects / github / shaarli / Shaarli.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #340 from virtualtam/doc/update
[github/shaarli/Shaarli.git] / doc / Server-configuration.html
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta charset="utf-8">
5 <meta name="generator" content="pandoc">
6 <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
7 <title>Shaarli - Server configuration</title>
8 <style type="text/css">code{white-space: pre;}</style>
9 <!--[if lt IE 9]>
10 <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
11 <![endif]-->
12 <style type="text/css">
13 table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
14 margin: 0; padding: 0; vertical-align: baseline; border: none; }
15 table.sourceCode { width: 100%; line-height: 100%; }
16 td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
17 td.sourceCode { padding-left: 5px; }
18 code > span.kw { color: #007020; font-weight: bold; }
19 code > span.dt { color: #902000; }
20 code > span.dv { color: #40a070; }
21 code > span.bn { color: #40a070; }
22 code > span.fl { color: #40a070; }
23 code > span.ch { color: #4070a0; }
24 code > span.st { color: #4070a0; }
25 code > span.co { color: #60a0b0; font-style: italic; }
26 code > span.ot { color: #007020; }
27 code > span.al { color: #ff0000; font-weight: bold; }
28 code > span.fu { color: #06287e; }
29 code > span.er { color: #ff0000; font-weight: bold; }
30 </style>
31 <link rel="stylesheet" href="github-markdown.css">
32 </head>
33 <body>
34 <div id="local-sidebar">
35 <ul>
36 <li><a href="Home.html">Home</a></li>
37 <li>Installation
38 <ul>
39 <li><a href="Download.html">Download</a></li>
40 <li><a href="Server-requirements.html">Server requirements</a></li>
41 <li><a href="Server-configuration.html">Server configuration</a></li>
42 <li><a href="Shaarli-configuration.html">Shaarli configuration</a></li>
43 </ul></li>
44 <li><a href="Usage.html">Usage</a>
45 <ul>
46 <li><a href="Sharing-button.html">Sharing button</a> (bookmarklet)</li>
47 <li><a href="Firefox-share.html">Firefox share</a></li>
48 <li><a href="RSS-feeds.html">RSS feeds</a></li>
49 </ul></li>
50 <li>How To
51 <ul>
52 <li><a href="Backup,-restore,-import-and-export.html">Backup, restore, import and export</a></li>
53 <li><a href="Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally</a></li>
54 <li><a href="Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list</a></li>
55 <li><a href="Datastore-hacks.html">Datastore hacks</a></li>
56 </ul></li>
57 <li><a href="Troubleshooting.html">Troubleshooting</a></li>
58 <li><a href="Development.html">Development</a>
59 <ul>
60 <li><a href="GnuPG-signature.html">GnuPG signature</a></li>
61 <li><a href="Coding-guidelines.html">Coding guidelines</a></li>
62 <li><a href="Directory-structure.html">Directory structure</a></li>
63 <li><a href="3rd-party-libraries.html">3rd party libraries</a></li>
64 <li><a href="Plugin-System.html">Plugin System</a></li>
65 <li><a href="Security.html">Security</a></li>
66 <li><a href="Static-analysis.html">Static analysis</a></li>
67 <li><a href="Theming.html">Theming</a></li>
68 <li><a href="Unit-tests.html">Unit tests</a></li>
69 </ul></li>
70 <li>About
71 <ul>
72 <li><a href="FAQ.html">FAQ</a></li>
73 <li><a href="Community-&amp;-Related-software.html">Community &amp; Related software</a></li>
74 <li><a href="TODO.html">TODO</a></li>
75 </ul></li>
76 </ul>
77 </div>
78 <h1 id="server-configuration">Server configuration</h1>
79 <p><em>Example virtual host configurations for popular web servers</em></p>
80 <ul>
81 <li><a href="#apache">Apache</a><a href=".html"></a></li>
82 <li><a href="#lighthttpd">LightHttpd</a> (empty)<a href=".html"></a></li>
83 <li><a href="#nginx">Nginx</a><a href=".html"></a></li>
84 </ul>
85 <h2 id="prerequisites">Prerequisites</h2>
86 <ul>
87 <li>Shaarli is installed in a directory readable/writeable by the user</li>
88 <li>the correct read/write permissions have been granted to the web server <em>user and/or group</em></li>
89 <li>for HTTPS / SSL:</li>
90 <li>a key pair (public, private) and a certificate have been generated</li>
91 <li>the appropriate server SSL extension is installed and active</li>
92 </ul>
93 <p>Related guides:</p>
94 <ul>
95 <li><a href="http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php">How to Create Self-Signed SSL Certificates with OpenSSL</a><a href=".html"></a></li>
96 <li><a href="https://workaround.org/certificate-authority">How do I create my own Certificate Authority?</a><a href=".html"></a></li>
97 </ul>
98 <h2 id="apache">Apache</h2>
99 <h3 id="minimal">Minimal</h3>
100 <pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
101 ServerName<span class="st"> shaarli.my-domain.org</span>
102 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
103 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
104 <h3 id="debug---log-all-the-things">Debug - Log all the things!</h3>
105 <p>This configuration will log both Apache and PHP errors, which may prove useful to identify server configuration errors.</p>
106 <p>See:</p>
107 <ul>
108 <li><a href="http://stackoverflow.com/q/176">Apache/PHP - error log per VirtualHost</a> (StackOverflow)<a href=".html"></a></li>
109 <li><a href="PHP:%20php_value%20vs%20php_admin_value%20and%20the%20use%20of%20php_flag%20explained">PHP: php_value vs php_admin_value and the use of php_flag explained</a><a href=".html"></a></li>
110 </ul>
111 <pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
112 ServerName<span class="st"> shaarli.my-domain.org</span>
113 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
114
115 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
116 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
117 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
118
119 php_flag log_errors on
120 php_flag display_errors on
121 php_value error_reporting 2147483647
122 php_value error_log /var/log/apache2/shaarli-php-error.log
123 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
124 <h3 id="standard---keep-access-and-error-logs">Standard - Keep access and error logs</h3>
125 <pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
126 ServerName<span class="st"> shaarli.my-domain.org</span>
127 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
128
129 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
130 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
131 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
132 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
133 <h3 id="paranoid---redirect-http-80-to-https-443">Paranoid - Redirect HTTP (:80) to HTTPS (:443)</h3>
134 <p>See <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache">Server-side TLS</a> (Mozilla).<a href=".html"></a></p>
135 <pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:443</span><span class="fu">&gt;</span>
136 ServerName<span class="st"> shaarli.my-domain.org</span>
137 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
138
139 <span class="ot">SSLEngine</span><span class="ch"> </span><span class="kw">on</span>
140 SSLCertificateFile<span class="st"> /absolute/path/to/the/website/certificate.crt</span>
141 SSLCertificateKeyFile<span class="st"> /absolute/path/to/the/website/key.key</span>
142
143 <span class="fu">&lt;Directory</span><span class="ot"> /absolute/path/to/shaarli/</span><span class="fu">&gt;</span>
144 <span class="ot">AllowOverride</span><span class="ch"> </span><span class="kw">All</span>
145 <span class="ot">Options</span><span class="ch"> </span><span class="kw">Indexes</span><span class="ch"> </span><span class="kw">FollowSymLinks</span><span class="ch"> </span><span class="kw">MultiViews</span>
146 <span class="ot">Order</span><span class="ch"> </span><span class="kw">allow,deny</span>
147 allow<span class="st"> from all</span>
148 <span class="fu">&lt;/Directory&gt;</span>
149
150 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
151 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
152 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
153 <span class="fu">&lt;/VirtualHost&gt;</span>
154 <span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
155 ServerName<span class="st"> shaarli.my-domain.org</span>
156 Redirect<span class="st"> 301 / https://shaarli.my-domain.org</span>
157
158 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
159 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
160 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
161 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
162 <h2 id="lighthttpd">LightHttpd</h2>
163 <h2 id="nginx">Nginx</h2>
164 <h3 id="foreword">Foreword</h3>
165 <p>Nginx does not natively interpret PHP scripts; to this effect, we will run a <a href="https://en.wikipedia.org/wiki/FastCGI">FastCGI</a> service, to which Nginx's FastCGI module will proxy all requests to PHP resources.<a href=".html"></a></p>
166 <p>Required packages:</p>
167 <ul>
168 <li><a href="http://nginx.org">nginx</a><a href=".html"></a></li>
169 <li><a href="http://php-fpm.org">php-fpm</a> - PHP FastCGI Process Manager<a href=".html"></a></li>
170 </ul>
171 <p>Official documentation:</p>
172 <ul>
173 <li><a href="http://nginx.org/en/docs/beginners_guide.html">Beginner's guide</a><a href=".html"></a></li>
174 <li><a href="http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html">ngx_http_fastcgi_module</a><a href=".html"></a></li>
175 <li><a href="http://wiki.nginx.org/Pitfalls">Pitfalls</a><a href=".html"></a></li>
176 </ul>
177 <p>Community resources:</p>
178 <ul>
179 <li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx">Server-side TLS (Nginx)</a> (Mozilla)<a href=".html"></a></li>
180 <li><a href="http://kbeezie.com/nginx-configuration-examples/">PHP configuration examples</a> (Karl Blessing)<a href=".html"></a></li>
181 </ul>
182 <h3 id="common-setup">Common setup</h3>
183 <p>Once Nginx and PHP-FPM are installed, we need to ensure:</p>
184 <ul>
185 <li>Nginx and PHP-FPM are running using the <em>same user and group</em></li>
186 <li>both these user and group have
187 <ul>
188 <li><code>read</code> permissions for Shaarli resources</li>
189 <li><code>execute</code> permissions for Shaarli directories <em>AND</em> their parent directories</li>
190 </ul></li>
191 </ul>
192 <p>On a production server:</p>
193 <ul>
194 <li><code>user:group</code> will likely be <code>http:http</code>, <code>www:www</code> or <code>www-data:www-data</code></li>
195 <li>files will be located under <code>/var/www</code>, <code>/var/http</code> or <code>/usr/share/nginx</code></li>
196 </ul>
197 <p>On a development server:</p>
198 <ul>
199 <li>files may be located in a user's home directory</li>
200 <li>in this case, make sure both Nginx and PHP-FPM are running as the local user/group!</li>
201 </ul>
202 <p>For all following examples, a development configuration will be used:</p>
203 <ul>
204 <li><code>user:group = john:users</code>,</li>
205 </ul>
206 <p>which corresponds to the following service configuration:</p>
207 <pre class="sourceCode ini"><code class="sourceCode ini"><span class="co">; /etc/php/php-fpm.conf</span>
208 <span class="dt">user </span><span class="ot">=</span><span class="st"> john</span>
209 <span class="dt">group </span><span class="ot">=</span><span class="st"> users</span>
210
211 <span class="kw">[...][]</span><span class="dt">(.html)</span>
212 <span class="dt">listen.owner </span><span class="ot">=</span><span class="st"> john</span>
213 <span class="dt">listen.group </span><span class="ot">=</span><span class="st"> users</span></code></pre>
214 <pre class="nginx"><code># /etc/nginx/nginx.conf
215 user john users;
216
217 http {
218 [...][](.html)
219 }</code></pre>
220 <h3 id="minimal-1">Minimal</h3>
221 <p><em>WARNING: Use for development only!</em></p>
222 <pre class="nginx"><code>user john users;
223 worker_processes 1;
224 events {
225 worker_connections 1024;
226 }
227
228 http {
229 include mime.types;
230 default_type application/octet-stream;
231 keepalive_timeout 20;
232
233 index index.html index.php;
234
235 server {
236 listen 80;
237 server_name localhost;
238 root /home/john/web;
239
240 access_log /var/log/nginx/access.log;
241 error_log /var/log/nginx/error.log;
242
243 location /shaarli/ {
244 access_log /var/log/nginx/shaarli.access.log;
245 error_log /var/log/nginx/shaarli.error.log;
246 }
247
248 location ~ (index)\.php$ {
249 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
250 fastcgi_index index.php;
251 include fastcgi.conf;
252 }
253 }
254 }</code></pre>
255 <h3 id="modular">Modular</h3>
256 <p>The previous setup is sufficient for development purposes, but has several major caveats:</p>
257 <ul>
258 <li>every content that does not match the PHP rule will be sent to client browsers:
259 <ul>
260 <li>dotfiles - in our case, <code>.htaccess</code></li>
261 <li>temporary files, e.g. Vim or Emacs files: <code>index.php~</code></li>
262 </ul></li>
263 <li>asset / static resource caching is not optimized</li>
264 <li>if serving several PHP sites, there will be a lot of duplication: <code>location /shaarli/</code>, <code>location /mysite/</code>, etc.</li>
265 </ul>
266 <p>To solve this, we will split Nginx configuration in several parts, that will be included when needed:</p>
267 <pre class="nginx"><code># /etc/nginx/deny.conf
268 location ~ /\. {
269 # deny access to dotfiles
270 access_log off;
271 log_not_found off;
272 deny all;
273 }
274
275 location ~ ~$ {
276 # deny access to temp editor files, e.g. &quot;script.php~&quot;
277 access_log off;
278 log_not_found off;
279 deny all;
280 }</code></pre>
281 <pre class="nginx"><code># /etc/nginx/php.conf
282 location ~ (index)\.php$ {
283 # filter and proxy PHP requests to PHP-FPM
284 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
285 fastcgi_index index.php;
286 include fastcgi.conf;
287 }
288
289 location ~ \.php$ {
290 # deny access to all other PHP scripts
291 deny all;
292 }</code></pre>
293 <pre class="nginx"><code># /etc/nginx/static_assets.conf
294 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
295 expires max;
296 add_header Pragma public;
297 add_header Cache-Control &quot;public, must-revalidate, proxy-revalidate&quot;;
298 }</code></pre>
299 <pre class="nginx"><code># /etc/nginx/nginx.conf
300 [...][](.html)
301
302 http {
303 [...][](.html)
304
305 root /home/john/web;
306 access_log /var/log/nginx/access.log;
307 error_log /var/log/nginx/error.log;
308
309 server {
310 # virtual host for a first domain
311 listen 80;
312 server_name my.first.domain.org;
313
314 location /shaarli/ {
315 access_log /var/log/nginx/shaarli.access.log;
316 error_log /var/log/nginx/shaarli.error.log;
317 }
318
319 include deny.conf;
320 include static_assets.conf;
321 include php.conf;
322 }
323
324 server {
325 # virtual host for a second domain
326 listen 80;
327 server_name second.domain.com;
328
329 location /minigal/ {
330 access_log /var/log/nginx/minigal.access.log;
331 error_log /var/log/nginx/minigal.error.log;
332 }
333
334 include deny.conf;
335 include static_assets.conf;
336 include php.conf;
337 }
338 }</code></pre>
339 <h3 id="redirect-http-to-https">Redirect HTTP to HTTPS</h3>
340 <p>Assuming you have generated a (self-signed) key and certificate, and they are located under <code>/home/john/ssl/localhost.{key,crt}</code>, it is pretty straightforward to set an HTTP (:80) to HTTPS (:443) redirection to force SSL/TLS usage.</p>
341 <pre class="nginx"><code># /etc/nginx/nginx.conf
342 [...][](.html)
343
344 http {
345 [...][](.html)
346
347 index index.html index.php;
348
349 root /home/john/web;
350 access_log /var/log/nginx/access.log;
351 error_log /var/log/nginx/error.log;
352
353 server {
354 listen 80;
355 server_name localhost;
356
357 return 301 https://localhost$request_uri;
358 }
359
360 server {
361 listen 443 ssl;
362 server_name localhost;
363
364 ssl_certificate /home/john/ssl/localhost.crt;
365 ssl_certificate_key /home/john/ssl/localhost.key;
366
367 location /shaarli/ {
368 access_log /var/log/nginx/shaarli.access.log;
369 error_log /var/log/nginx/shaarli.error.log;
370 }
371
372 include deny.conf;
373 include static_assets.conf;
374 include php.conf;
375 }
376 }</code></pre>
377 </body>
378 </html>
The personal, minimalist, super-fast, database free, bookmarking service - community repo