X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2Fmd%2FReverse-proxy.md;h=1c55430f2177ee09cb5521e1d005941e4bf0d1f0;hb=f682f1b899641cde2617e6c2185d439b91d4338f;hp=2c1c601e8edadd8587bc69d3348784cbbb6a7f45;hpb=91a21c272960889afd4eaa431a3d29b7785b6efc;p=github%2Fshaarli%2FShaarli.git

diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md
index 2c1c601e..1c55430f 100644
--- a/doc/md/Reverse-proxy.md
+++ b/doc/md/Reverse-proxy.md
@@ -17,20 +17,40 @@ See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%9
 ```apache
 <VirtualHost *:80>
     ServerName shaarli.mydomain.org
-    # Redirect HTTP to HTTPS
-    Redirect permanent / https://shaarli.mydomain.org
+    DocumentRoot /var/www/shaarli.mydomain.org/
+
+    # For SSL/TLS certificates acquired with certbot or self-signed certificates
+    # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
+    RewriteEngine on
+    RewriteRule ^.well-known/acme-challenge/ - [L]
+    RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
+    RewriteRule  ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
 </VirtualHost>
 
+# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
+#MDomain shaarli.mydomain.org
+#MDCertificateAgreement accepted
+#MDContactEmail admin@shaarli.mydomain.org
+#MDPrivateKeys RSA 4096
+
 <VirtualHost *:443>
     ServerName shaarli.mydomain.org
 
-    SSLEngine on
-    SSLCertificateFile    /path/to/certificate
-    SSLCertificateKeyFile /path/to/private/key
-
-    LogLevel warn
-    ErrorLog  /var/log/apache2/error.log
-    CustomLog /var/log/apache2/access.log combined
+    # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
+    SSLEngine             on
+    SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
+    # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off
+    SSLOptions +StrictRequire
+
+    # SSL/TLS configuration for self-signed certificates
+    #SSLEngine             on
+    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 
     # let the proxied shaarli server/container know HTTPS URLs should be served
     RequestHeader set X-Forwarded-Proto "https"
@@ -70,6 +90,7 @@ backend shaarli
     server shaarli1 127.0.0.1:10080
 ```
 
+- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
 
 ## Nginx
 
@@ -114,3 +135,8 @@ http {
 }
 ```
 
+## References
+
+- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
+- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
+- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)