+### SSL/TLS configuration
+
+To setup HTTPS / SSL on your webserver (recommended), you must generate a public/private **key pair** and a **certificate**, and install, configure and activate the appropriate **webserver SSL extension**.
+
+#### Let's Encrypt
+
+[Let's Encrypt](https://en.wikipedia.org/wiki/Let%27s_Encrypt) is a certificate authority that provides free TLS/X.509 certificates via an automated process.
+
+ * Install `certbot` using the appropriate method described on https://certbot.eff.org/.
+
+Location of the `certbot` program and template configuration files may vary depending on which installation method was used. Change the file paths below accordingly. Here is an easy way to create a signed certificate using `certbot`, it assumes `certbot` was installed through APT on a Debian-based distribution:
+
+ * Stop the apache2/nginx service.
+ * Run `certbot --agree-tos --standalone --preferred-challenges tls-sni --email "youremail@example.com" --domain yourdomain.example.com`
+ * For the Apache webserver, copy `/usr/lib/python2.7/dist-packages/certbot_apache/options-ssl-apache.conf` to `/etc/letsencrypt/options-ssl-apache.conf` (paths may vary depending on installation method)
+ * For Nginx: TODO
+ * Setup your webserver as described below
+ * Restart the apache2/nginx service.
+
+#### Self-signed certificates
+
+If you don't want to request a certificate from Let's Encrypt, or are unable to (for example, webserver on a LAN, or domain name not registered in the public DNS system), you can generate a self-signed certificate. This certificate will trigger security warnings in web browsers, unless you add it to the browser's SSL store manually.
+
+* Apache: run `make-ssl-cert generate-default-snakeoil --force-overwrite`
+* Nginx: TODO
+
+--------------------------------------------------------------------------------
+
+## Apache
+
+Here is a basic configuration example for the Apache web server with `mod_php`.
+
+In `/etc/apache2/sites-available/shaarli.conf`: