X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2Fmd%2FReverse-proxy.md;h=b7e347d5d19aae00cf37f9a59182cc06d6b50a9a;hb=820cae27cfcc94af552818f3f1e5342e00478f6c;hp=77e4a04d7e12f11da847d0419b65e601ab57a5a5;hpb=02117f7ea35d719351a99cd4f1c339b2ad4ef266;p=github%2Fshaarli%2FShaarli.git
diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md
index 77e4a04d..b7e347d5 100644
--- a/doc/md/Reverse-proxy.md
+++ b/doc/md/Reverse-proxy.md
@@ -17,25 +17,39 @@ See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%9
```apache
ServerName shaarli.mydomain.org
- DocumentRoot /var/www/shaarli.mydomain.org/
+ # For SSL/TLS certificates acquired with certbot or self-signed certificates
# Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
RewriteEngine on
RewriteRule ^.well-known/acme-challenge/ - [L]
RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
- # If you are using mod_md, use this instead
- #MDCertificateAgreement accepted
- #MDContactEmail admin@shaarli.mydomain.org
- #MDPrivateKeys RSA 4096
+# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
+#MDomain shaarli.mydomain.org
+#MDCertificateAgreement accepted
+#MDContactEmail admin@shaarli.mydomain.org
+#MDPrivateKeys RSA 4096
+
ServerName shaarli.mydomain.org
- SSLEngine on
- SSLCertificateFile /path/to/certificate
- SSLCertificateKeyFile /path/to/private/key
+ # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
+ # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+ SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ SSLOptions +StrictRequire
+
+ # SSL/TLS configuration for self-signed certificates
+ #SSLEngine on
+ #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# let the proxied shaarli server/container know HTTPS URLs should be served
RequestHeader set X-Forwarded-Proto "https"
@@ -75,6 +89,7 @@ backend shaarli
server shaarli1 127.0.0.1:10080
```
+- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
## Nginx
@@ -119,3 +134,8 @@ http {
}
```
+## References
+
+- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
+- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
+- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)