X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2FServer-configuration.md;h=1ab57a0a34a977f8cdeb18d7ed8882c882c4dc2b;hb=fdf88d194874a533cf3a8de3d317d70018aa8a62;hp=c9ec4e137861839ae8415d5ec16817ec2440683a;hpb=992af0b9d77cb4fbac2c37ef8d5896042d67a2a3;p=github%2Fshaarli%2FShaarli.git diff --git a/doc/Server-configuration.md b/doc/Server-configuration.md index c9ec4e13..1ab57a0a 100644 --- a/doc/Server-configuration.md +++ b/doc/Server-configuration.md @@ -2,19 +2,29 @@ *Example virtual host configurations for popular web servers* - [Apache](#apache)[](.html) -- [LightHttpd](#lighthttpd) (empty)[](.html) - [Nginx](#nginx)[](.html) ## Prerequisites +### Shaarli * Shaarli is installed in a directory readable/writeable by the user * the correct read/write permissions have been granted to the web server _user and/or group_ * for HTTPS / SSL: * a key pair (public, private) and a certificate have been generated * the appropriate server SSL extension is installed and active +### HTTPS, TLS and self-signed certificates Related guides: * [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)[](.html) * [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)[](.html) +* Generate a self-signed certificate (will trigger browser warnings) with apache2: `make-ssl-cert generate-default-snakeoil --force-overwrite` will create `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key` + +### Proxies +If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set: +- `X-Forwarded-Proto`; +- `X-Forwarded-Host`; +- `X-Forwarded-For`. + +See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.[](.html) ## Apache ### Minimal @@ -29,7 +39,7 @@ This configuration will log both Apache and PHP errors, which may prove useful t See: * [Apache/PHP - error log per VirtualHost](http://stackoverflow.com/q/176) (StackOverflow)[](.html) -* [PHP: php_value vs php_admin_value and the use of php_flag explained](PHP: php_value vs php_admin_value and the use of php_flag explained)[](.html) +* [PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)[](.html) ```apache @@ -68,7 +78,7 @@ See [Server-side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) DocumentRoot /absolute/path/to/shaarli/ SSLEngine on - SSLCertificateFile /absolute/path/to/the/website/certificate.crt + SSLCertificateFile /absolute/path/to/the/website/certificate.pem SSLCertificateKeyFile /absolute/path/to/the/website/key.key @@ -219,11 +229,16 @@ location ~ ~$ { ```nginx # /etc/nginx/php.conf location ~ (index)\.php$ { - # proxy PHP requests to PHP-FPM + # filter and proxy PHP requests to PHP-FPM fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_index index.php; include fastcgi.conf; } + +location ~ \.php$ { + # deny access to all other PHP scripts + deny all; +} ``` ```nginx