]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/Server-security.md
Merge pull request #679 from ArthurHoaro/plugins/header
[github/shaarli/Shaarli.git] / doc / Server-security.md
1 #Server security
2 ## php.ini
3 PHP settings are defined in:
4 - a main configuration file, usually found under `/etc/php5/php.ini`; some distributions provide different configuration environments, e.g.
5 - `/etc/php5/php.ini` - used when running console scripts
6 - `/etc/php5/apache2/php.ini` - used when a client requests PHP resources from Apache
7 - `/etc/php5/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM
8 - additional configuration files/entries, depending on the installed/enabled extensions:
9 - `/etc/php/conf.d/xdebug.ini`
10
11 ### Locate .ini files
12 #### Console environment
13 ```bash
14 $ php --ini
15 Configuration File (php.ini) Path: /etc/php
16 Loaded Configuration File: /etc/php/php.ini
17 Scan for additional .ini files in: /etc/php/conf.d
18 Additional .ini files parsed: /etc/php/conf.d/xdebug.ini
19 ```
20
21 #### Server environment
22 - create a `phpinfo.php` script located in a path supported by the web server, e.g.
23 - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php`
24 - `/var/www/test/phpinfo.php`
25 - make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`)
26 - access the script from a web browser
27 - look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
28 ```php
29 <?php phpinfo(); ?>
30 ```
31
32 ## fail2ban
33 `fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts:
34 - [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)[](.html)
35 - [Source code](https://github.com/fail2ban/fail2ban)[](.html)
36
37 ### Read Shaarli logs to ban IPs
38 Example configuration:
39 - allow 3 login attempts per IP address
40 - after 3 failures, permanently ban the corresponding IP adddress
41
42 `/etc/fail2ban/jail.local`
43 ```ini
44 [shaarli-auth][](.html)
45 enabled = true
46 port = https,http
47 filter = shaarli-auth
48 logpath = /var/www/path/to/shaarli/data/log.txt
49 maxretry = 3
50 bantime = -1
51 ```
52
53 `/etc/fail2ban/filter.d/shaarli-auth.conf`
54 ```ini
55 [INCLUDES][](.html)
56 before = common.conf
57 [Definition][](.html)
58 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
59 ignoreregex =
60 ```
61
62 ## Robots - Restricting search engines and web crawler traffic
63
64 Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.
65
66 ```
67 User-agent: *
68 Disallow: /
69 ```
70
71 See:
72 - http://www.robotstxt.org/
73 - http://www.robotstxt.org/robotstxt.html
74 - http://www.robotstxt.org/meta.html