<title>Server security - Shaarli Documentation</title>
<div class="section">
<h2 id="phpini">php.ini</h2>
<p>PHP settings are defined in:</p>
<ul>
<li>a main configuration file, usually found under <code>/etc/php5/php.ini</code>; some distributions provide different configuration environments, e.g.
<ul>
<li><code>/etc/php5/php.ini</code> - used when running console scripts</li>
<li><code>/etc/php5/apache2/php.ini</code> - used when a client requests PHP resources from Apache</li>
<li><code>/etc/php5/php-fpm.conf</code> - used when PHP requests are proxied to PHP-FPM</li>
</ul>
</li>
<li>additional configuration files/entries, depending on the installed/enabled extensions:
<ul>
<li><code>/etc/php/conf.d/xdebug.ini</code></li>
</ul>
</li>
</ul>
<h3 id="locate-ini-files">Locate .ini files</h3>
<h4 id="console-environment">Console environment</h4>
<pre><code class="bash">$ php --ini
Configuration File (php.ini) Path: /etc/php
Loaded Configuration File: /etc/php/php.ini
Scan for additional .ini files in: /etc/php/conf.d
Additional .ini files parsed: /etc/php/conf.d/xdebug.ini
</code></pre>
<h4 id="server-environment">Server environment</h4>
<ul>
<li>create a <code>phpinfo.php</code> script located in a path supported by the web server, e.g.
<ul>
<li>Apache (with user dirs enabled): <code>/home/myself/public_html/phpinfo.php</code></li>
<li><code>/var/www/test/phpinfo.php</code></li>
</ul>
</li>
<li>make sure the script is readable by the web server user/group (usually <code>www</code>, <code>www-data</code> or <code>httpd</code>)</li>
<li>access the script from a web browser</li>
<li>look at the <em>Loaded Configuration File</em> and <em>Scan this dir for additional .ini files</em> entries</li>
</ul>
<pre><code class="php">&lt;?php phpinfo(); ?&gt;
</code></pre>
<p>Delete the script once the settings have been located: <code>phpinfo()</code> discloses the complete PHP configuration (paths, loaded extensions, environment) to anyone who can reach its URL.</p>
<h2 id="fail2ban">fail2ban</h2>
<p><code>fail2ban</code> is an intrusion prevention framework that reads server logs (Apache, SSH, etc.) and uses <code>iptables</code> profiles to block brute-force attempts:</p>
<ul>
<li><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Official website</a></li>
<li><a href="https://github.com/fail2ban/fail2ban">Source code</a></li>
</ul>
<h3 id="read-shaarli-logs-to-ban-ips">Read Shaarli logs to ban IPs</h3>
<p>Example configuration:</p>
<ul>
<li>allow 3 login attempts per IP address</li>
<li>after 3 failures, permanently ban the corresponding IP address</li>
</ul>
<p><code>/etc/fail2ban/jail.local</code></p>
<pre><code class="ini">[shaarli-auth]
enabled  = true
filter   = shaarli-auth
logpath  = /var/www/path/to/shaarli/data/log.txt
# 3 attempts allowed, then a permanent ban (bantime = -1), as described above
maxretry = 3
bantime  = -1
</code></pre>
<p><code>/etc/fail2ban/filter.d/shaarli-auth.conf</code></p>
<pre><code class="ini">[INCLUDES]
before = common.conf

[Definition]
failregex = \s-\s&lt;HOST&gt;\s-\sLogin failed for user.*$
ignoreregex =
</code></pre>
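<p>As an added example (not part of the Shaarli docs or of fail2ban), the following Python script applies the <code>failregex</code> above to a constructed sample of Shaarli's <code>log.txt</code> and counts failed logins per host, the way the jail's <code>maxretry</code> threshold does. The IPv4-only stand-in for fail2ban's <code>&lt;HOST&gt;</code> expansion and the sample log layout are assumptions.</p>

```python
import re
from collections import Counter

# Constructed sample of Shaarli's data/log.txt, in the layout the
# failregex above expects: "<date> - <ip> - <message>".
SAMPLE_LOG = """\
2019/03/01 10:00:01 - 203.0.113.7 - Login failed for user admin
2019/03/01 10:00:05 - 203.0.113.7 - Login failed for user admin
2019/03/01 10:00:09 - 203.0.113.7 - Login failed for user root
2019/03/01 10:01:00 - 198.51.100.23 - Login failed for user admin
2019/03/01 10:02:00 - 192.0.2.44 - Login successful for user alice
"""

# failregex and maxretry exactly as in the jail/filter files above.
FAILREGEX = r"\s-\s<HOST>\s-\sLogin failed for user.*$"
MAXRETRY = 3

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption;
# the real expansion also accepts IPv6 addresses and hostnames).
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failed_hosts(log_text, failregex=FAILREGEX):
    """Count log lines matching failregex, keyed by the captured host."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts that reached maxretry failures and would be banned by the jail."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} failed login(s)")
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

<p>The real jail only counts failures inside its <code>findtime</code> window, which this sketch ignores; to validate the filter against the live log, use fail2ban's own tool: <code>fail2ban-regex /path/to/shaarli/data/log.txt /etc/fail2ban/filter.d/shaarli-auth.conf</code>.</p>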
<h2 id="robots-restricting-search-engines-and-web-crawler-traffic">Robots - Restricting search engines and web crawler traffic</h2>
<p>Creating a <code>robots.txt</code> with the following contents at the root of your Shaarli installation will prevent <em>honest</em> web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsolicited network traffic.</p>
<pre><code>User-agent: *
Disallow: /
</code></pre>
<p>See also:</p>
<ul>
<li><a href="http://www.robotstxt.org/">http://www.robotstxt.org/</a></li>
<li><a href="http://www.robotstxt.org/robotstxt.html">http://www.robotstxt.org/robotstxt.html</a></li>
<li><a href="http://www.robotstxt.org/meta.html">http://www.robotstxt.org/meta.html</a></li>
</ul>
<div role="contentinfo">
<!-- Copyright etc -->
Built with <a href="http://www.mkdocs.org">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.