We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
+### Let's Encrypt
+
For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
- [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
sudo systemctl stop apache2
sudo systemctl stop nginx
-# generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
+# generate initial certificates
+# Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
# this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
sudo systemctl start nginx
```
+On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts.
+
+### Self-signed
+
If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
- [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
## Examples
-The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).
-
-In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
+The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
```bash
+# create the document root
sudo mkdir -p /var/www/shaarli.mydomain.org/
```
ServerName shaarli.mydomain.org
DocumentRoot /var/www/shaarli.mydomain.org/
- # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
- LogLevel warn
- # Log file locations
- ErrorLog /var/log/apache2/error.log
- CustomLog /var/log/apache2/access.log combined
-
- # Redirect HTTP requests to HTTPS
+ # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
RewriteEngine on
RewriteRule ^.well-known/acme-challenge/ - [L]
- # except for Let's Encrypt ACME challenge requests
RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
+ # If you are using mod_md, use this instead
+ #MDCertificateAgreement accepted
+ #MDContactEmail admin@shaarli.mydomain.org
+ #MDPrivateKeys RSA 4096
</VirtualHost>
<VirtualHost *:443>
ServerName shaarli.mydomain.org
DocumentRoot /var/www/shaarli.mydomain.org/
- # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
- LogLevel warn
- # Log file locations
- ErrorLog /var/log/apache2/error.log
- CustomLog /var/log/apache2/access.log combined
-
- # SSL/TLS configuration (for Let's Encrypt certificates)
+ # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
-
# Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLSessionTickets off
SSLOptions +StrictRequire
+ # SSL/TLS configuration for Let's Encrypt certificates acquired with mod_md
+ #MDomain shaarli.mydomain.org
+
# SSL/TLS configuration (for self-signed certificates)
#SSLEngine on
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
<Directory /var/www/shaarli.mydomain.org/>
# Required for .htaccess support
AllowOverride All
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
<LocationMatch "/\.">
See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
+
### Nginx
This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
projects / github / shaarli / Shaarli.git / blobdiff