5 <meta name=
"generator" content=
"pandoc">
6 <meta name=
"viewport" content=
"width=device-width, initial-scale=1.0, user-scalable=yes">
7 <title>Shaarli – Server security
</title>
8 <style type=
"text/css">code{white-space: pre;}
</style>
9 <style type=
"text/css">
10 div.sourceCode { overflow-x: auto; }
11 table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
12 margin:
0; padding:
0; vertical-align: baseline; border: none; }
13 table.sourceCode { width:
100%; line-height:
100%; }
14 td.lineNumbers { text-align: right; padding-right:
4px; padding-left:
4px; color: #aaaaaa; border-right:
1px solid #aaaaaa; }
15 td.sourceCode { padding-left:
5px; }
16 code
> span.kw { color: #
007020; font-weight: bold; } /* Keyword */
17 code
> span.dt { color: #
902000; } /* DataType */
18 code
> span.dv { color: #
40a070; } /* DecVal */
19 code
> span.bn { color: #
40a070; } /* BaseN */
20 code
> span.fl { color: #
40a070; } /* Float */
21 code
> span.ch { color: #
4070a0; } /* Char */
22 code
> span.st { color: #
4070a0; } /* String */
23 code
> span.co { color: #
60a0b0; font-style: italic; } /* Comment */
24 code
> span.ot { color: #
007020; } /* Other */
25 code
> span.al { color: #ff0000; font-weight: bold; } /* Alert */
26 code
> span.fu { color: #
06287e; } /* Function */
27 code
> span.er { color: #ff0000; font-weight: bold; } /* Error */
28 code
> span.wa { color: #
60a0b0; font-weight: bold; font-style: italic; } /* Warning */
29 code
> span.cn { color: #
880000; } /* Constant */
30 code
> span.sc { color: #
4070a0; } /* SpecialChar */
31 code
> span.vs { color: #
4070a0; } /* VerbatimString */
32 code
> span.ss { color: #bb6688; } /* SpecialString */
33 code
> span.im { } /* Import */
34 code
> span.va { color: #
19177c; } /* Variable */
35 code
> span.cf { color: #
007020; font-weight: bold; } /* ControlFlow */
36 code
> span.op { color: #
666666; } /* Operator */
37 code
> span.bu { } /* BuiltIn */
38 code
> span.ex { } /* Extension */
39 code
> span.pp { color: #bc7a00; } /* Preprocessor */
40 code
> span.at { color: #
7d9029; } /* Attribute */
41 code
> span.do { color: #ba2121; font-style: italic; } /* Documentation */
42 code
> span.an { color: #
60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
43 code
> span.cv { color: #
60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
44 code
> span.in { color: #
60a0b0; font-weight: bold; font-style: italic; } /* Information */
46 <link rel=
"stylesheet" href=
"github-markdown.css">
48 <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
52 <div id=
"local-sidebar">
54 <li><a href=
"Home.html">Home
</a></li>
57 <li><a href=
"Download-and-Installation.html">Download and Installation
</a></li>
58 <li><a href=
"Upgrade-and-migration.html">Upgrade and migration
</a></li>
59 <li><a href=
"Server-requirements.html">Server requirements
</a></li>
60 <li><a href=
"Server-configuration.html">Server configuration
</a></li>
61 <li><a href=
"Server-security.html">Server security
</a></li>
62 <li><a href=
"Shaarli-configuration.html">Shaarli configuration
</a></li>
63 <li><a href=
"Plugins.html">Plugins
</a></li>
65 <li><a href=
"Docker.html">Docker
</a></li>
66 <li><a href=
"Usage.html">Usage
</a>
68 <li><a href=
"Sharing-button.html">Sharing button
</a> (bookmarklet)
</li>
69 <li><a href=
"Browsing-and-Searching.html">Browsing and Searching
</a></li>
70 <li><a href=
"Firefox-share.html">Firefox share
</a></li>
71 <li><a href=
"RSS-feeds.html">RSS feeds
</a></li>
72 <li><a href=
"REST-API.html">REST API
</a></li>
76 <li><a href=
"Backup,-restore,-import-and-export.html">Backup, restore, import and export
</a></li>
77 <li><a href=
"Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally
</a></li>
78 <li><a href=
"Create-and-serve-multiple-Shaarlis-(farm).html">Create and serve multiple Shaarlis (farm)
</a></li>
79 <li><a href=
"Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list
</a></li>
80 <li><a href=
"Datastore-hacks.html">Datastore hacks
</a></li>
82 <li><a href=
"Troubleshooting.html">Troubleshooting
</a></li>
83 <li><a href=
"Development.html">Development
</a>
85 <li><a href=
"GnuPG-signature.html">GnuPG signature
</a></li>
86 <li><a href=
"Coding-guidelines.html">Coding guidelines
</a></li>
87 <li><a href=
"Directory-structure.html">Directory structure
</a></li>
88 <li><a href=
"3rd-party-libraries.html">3rd party libraries
</a></li>
89 <li><a href=
"Plugin-System.html">Plugin System
</a></li>
90 <li><a href=
"Release-Shaarli.html">Release Shaarli
</a></li>
91 <li><a href=
"Versioning-and-Branches.html">Versioning and Branches
</a></li>
92 <li><a href=
"Security.html">Security
</a></li>
93 <li><a href=
"Static-analysis.html">Static analysis
</a></li>
94 <li><a href=
"Theming.html">Theming
</a></li>
95 <li><a href=
"Unit-tests.html">Unit tests
</a></li>
99 <li><a href=
"FAQ.html">FAQ
</a></li>
100 <li><a href=
"Community-&-Related-software.html">Community
& Related software
</a></li>
<h1 id="server-security">Server security</h1>
<h2 id="php.ini">php.ini</h2>
<p>PHP settings are defined in:</p>
<li>a main configuration file, usually found under <code>/etc/php5/php.ini</code>; some distributions provide a separate configuration environment per SAPI, e.g.
<li><code>/etc/php5/php.ini</code> - used when running console scripts</li>
<li><code>/etc/php5/apache2/php.ini</code> - used when a client requests PHP resources from Apache</li>
<li><code>/etc/php5/php-fpm.conf</code> - the PHP-FPM daemon configuration, used when PHP requests are proxied to PHP-FPM; PHP directives for FPM come from its own <code>php.ini</code> or from <code>php_value</code>/<code>php_admin_value</code> entries in the pool configuration</li>
<li>additional configuration files/entries, depending on the installed/enabled extensions:
<li><code>/etc/php/conf.d/xdebug.ini</code></li>
<p>The console and web server SAPIs usually load different files, so a directive verified with the console <code>php</code> binary is not necessarily the one in effect for requests served through Apache or PHP-FPM: always check the file the web SAPI actually loads.</p>
<h3 id="locate-.ini-files">Locate .ini files</h3>
<h4 id="console-environment">Console environment</h4>
<div class="sourceCode"><pre class="sourceCode bash"><code class="sourceCode bash">$ <span class="ex">php</span> --ini
<span class="ex">Configuration</span> File (php.ini) <span class="ex">Path</span>: /etc/php
<span class="ex">Loaded</span> Configuration File: /etc/php/php.ini
<span class="ex">Scan</span> for additional .ini files in: /etc/php/conf.d
<span class="ex">Additional</span> .ini files parsed: /etc/php/conf.d/xdebug.ini</code></pre></div>
<h4 id="server-environment">Server environment</h4>
<li>create a <code>phpinfo.php</code> script located in a path served by the web server, e.g.
<li>Apache (with user dirs enabled): <code>/home/myself/public_html/phpinfo.php</code></li>
<li><code>/var/www/test/phpinfo.php</code></li>
<li>make sure the script is readable by the web server user/group (usually <code>www</code>, <code>www-data</code> or <code>httpd</code>)</li>
<li>access the script from a web browser</li>
<li><p>look at the <em>Loaded Configuration File</em> and <em>Scan this dir for additional .ini files</em> entries</p>
<div class="sourceCode"><pre class="sourceCode php"><code class="sourceCode php"><span class="kw"><?php</span> <span class="fu">phpinfo</span><span class="ot">();</span> <span class="kw">?></span></code></pre></div></li>
<li>delete the script once you have the information: <code>phpinfo()</code> discloses the PHP version, loaded extensions, file system paths and environment variables to anyone who can request the page</li>
<h2 id="fail2ban">fail2ban</h2>
<p><code>fail2ban</code> is an intrusion prevention framework that reads server logs (Apache, SSH, etc.) and adds firewall rules (typically via <code>iptables</code>) to block brute-force attempts:</p>
<li><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Official website</a></li>
<li><a href="https://github.com/fail2ban/fail2ban">Source code</a></li>
<h3 id="read-shaarli-logs-to-ban-ips">Read Shaarli logs to ban IPs</h3>
<p>Example configuration:</p>
<li>allow 3 login attempts per IP address</li>
<li>after 3 failures, permanently ban the corresponding IP address</li>
<p>A permanent ban after three failures also applies to you: add the addresses you administer from to <code>ignoreip</code> in the jail. If Shaarli sits behind a reverse proxy, make sure the address written to the log is the client's and not the proxy's, otherwise the proxy itself gets banned and every user is locked out.</p>
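<p>To see what this policy does to actual log lines before enabling the jail, the following Python script is an added example (not part of Shaarli or fail2ban) that applies the <code>failregex</code> from the filter in this section to a constructed sample of <code>data/log.txt</code> lines, then applies the jail's <code>maxretry</code> and permanent <code>bantime</code> the way fail2ban does, within its default 10-minute <code>findtime</code>. The expansion of <code><HOST></code> to a simple address pattern, the <code>YYYY/MM/DD HH:MM:SS</code> timestamp prefix and the log lines themselves are assumptions made for the example; fail2ban uses a more complete host pattern and its own date parsing.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> placeholder in failregex with its own
# address-matching pattern; this simplified capture group (IPv4/IPv6
# characters only) stands in for it in this example.
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"

# The page's failregex with <HOST> expanded.
FAILREGEX = re.compile(r"\s-\s" + HOST + r"\s-\sLogin failed for user.*$")

# Timestamp prefix of a log line. fail2ban strips the date with its own
# datepattern before applying failregex; the "YYYY/MM/DD HH:MM:SS" format
# used here is an assumption about data/log.txt, adjust it to your file.
DATE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
DATE_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """\
2017/03/14 10:00:01 - 203.0.113.5 - Login failed for user admin
2017/03/14 10:00:03 - 203.0.113.5 - Login failed for user admin
2017/03/14 10:00:04 - 198.51.100.7 - Login failed for user root
2017/03/14 10:00:09 - 203.0.113.5 - Login failed for user administrator
2017/03/14 10:00:10 - 198.51.100.7 - Login successful
2017/03/14 10:00:11 - 192.0.2.9 - Login failed for user admin
2017/03/14 10:30:00 - 192.0.2.9 - Login failed for user admin
2017/03/14 11:00:00 - 192.0.2.9 - Login failed for user admin
"""


def parse_failures(log_text):
    """Return [(timestamp, host), ...] for every line the filter matches."""
    failures = []
    for line in log_text.splitlines():
        date = DATE_RE.match(line)
        hit = FAILREGEX.search(line)
        if not (date and hit):
            continue  # not a failed login (or no parseable date): ignored
        failures.append((datetime.strptime(date.group(1), DATE_FMT),
                         hit.group("host")))
    return failures


def ips_to_ban(log_text, maxretry=3, findtime=600, ignoreip=()):
    """Emulate the jail: ban a host once it accumulates `maxretry` failures
    within a sliding `findtime` window (fail2ban's default findtime is 10
    minutes; the page's jail does not override it). With bantime = -1 a ban
    is permanent, so a banned host is simply never reconsidered here.
    `ignoreip` plays the role of the jail's ignoreip whitelist."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in parse_failures(log_text):
        if host in ignoreip or host in banned:
            continue
        # keep only the failures still inside the window, then add this one
        hits = [t for t in recent[host] if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("would ban:", sorted(ips_to_ban(SAMPLE_LOG)))
    print("with ignoreip:", sorted(ips_to_ban(SAMPLE_LOG, ignoreip=("203.0.113.5",))))
```

<p>In the sample, 203.0.113.5 fails three times within a few seconds and is banned, 198.51.100.7 fails once and is left alone, and 192.0.2.9 fails three times but spread over an hour, so it is never banned under the default <code>findtime</code>. On a live system the real check is <code>fail2ban-regex /var/www/path/to/shaarli/data/log.txt /etc/fail2ban/filter.d/shaarli-auth.conf</code>, which reports how many lines the filter matched.</p>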
<p><code>/etc/fail2ban/jail.local</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[shaarli-auth]</span>
<span class="dt">enabled</span> <span class="ot">=</span> <span class="kw">true</span>
<span class="dt">port</span> <span class="ot">=</span> <span class="st">https,http</span>
<span class="dt">filter</span> <span class="ot">=</span> <span class="st">shaarli-auth</span>
<span class="dt">logpath</span> <span class="ot">=</span> <span class="st">/var/www/path/to/shaarli/data/log.txt</span>
<span class="dt">maxretry</span> <span class="ot">=</span> <span class="dv">3</span>
<span class="dt">bantime</span> <span class="ot">=</span> <span class="dv">-1</span></code></pre></div>
<p><code>/etc/fail2ban/filter.d/shaarli-auth.conf</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[INCLUDES]</span>
<span class="dt">before</span> <span class="ot">=</span> <span class="st">common.conf</span>

<span class="kw">[Definition]</span>
<span class="dt">failregex</span> <span class="ot">=</span> <span class="st">\s-\s<HOST>\s-\sLogin failed for user.*$</span>
<span class="dt">ignoreregex</span> <span class="ot">=</span></code></pre></div>
<h2 id="robots---restricting-search-engines-and-web-crawler-traffic">Robots - Restricting search engines and web crawler traffic</h2>
<p>Creating a <code>robots.txt</code> with the following contents at the root of your Shaarli installation will prevent <em>honest</em> web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsolicited network traffic. <code>robots.txt</code> is purely advisory: it is publicly readable and does not restrict access in any way, so treat it as a traffic-reduction measure, not as access control. Narrow the <code>Disallow</code> rules if you do want the public pages indexed.</p>
<pre><code>User-agent: *
Disallow: /</code></pre>
<li><a href="http://www.robotstxt.org/" class="uri">http://www.robotstxt.org/</a></li>
<li><a href="http://www.robotstxt.org/robotstxt.html" class="uri">http://www.robotstxt.org/robotstxt.html</a></li>
<li><a href="http://www.robotstxt.org/meta.html" class="uri">http://www.robotstxt.org/meta.html</a></li>