X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2Fmd%2FServer-configuration.md;h=4e74d80bb28d92f4899eda3fda1610967e2bd1a5;hb=2f87bfdc69052cd64e84b1d2b97a0af14991a385;hp=5c45942c35fbebb0efea996324be8d2f15b69c66;hpb=91a21c272960889afd4eaa431a3d29b7785b6efc;p=github%2Fshaarli%2FShaarli.git diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md index 5c45942c..4e74d80b 100644 --- a/doc/md/Server-configuration.md +++ b/doc/md/Server-configuration.md @@ -1,25 +1,38 @@ # Server configuration - - ## Requirements ### Operating system and web server -Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems. +Shaarli can be hosted on dedicated/virtual servers, or shared hosting. You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts). Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution. +A $5/month VPS (1 CPU, 1 GiB RAM and 25 GiB SSD) will run any Shaarli installation without problems. Some hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [4](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [5](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [6](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc. + + ### Network and domain name Try to host the server in a region that is geographically close to your users. -A domain name ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance. +A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance. + +You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior). + +Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server. + +Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver. + + +### Screencast -You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior). +Here is a screencast of the installation procedure +[![asciicast](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO.svg)](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO) + +-------------------------------------------------------------------------------- ### PHP @@ -27,6 +40,9 @@ Supported PHP versions: Version | Status | Shaarli compatibility :---:|:---:|:---: +8.0 | Supported | Yes +7.4 | Supported | Yes +7.3 | Supported | Yes 7.2 | Supported | Yes 7.1 | Supported | Yes 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x) @@ -39,8 +55,9 @@ Required PHP extensions: Extension | Required? | Usage ---|:---:|--- -[`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS +[`openssl`](http://php.net/manual/en/book.openssl.php) | required | OpenSSL, HTTPS [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing +[`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework) [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->è->f`) @@ -49,10 +66,18 @@ Extension | Required? | Usage Some [plugins](Plugins.md) may require additional configuration. +- [PHP: Supported versions](http://php.net/supported-versions.php) +- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php) +- [PHP 7 Changelog](http://php.net/ChangeLog-7.php) +- [PHP 5 Changelog](http://php.net/ChangeLog-5.php) +- [PHP: Bugs](https://bugs.php.net/) + ## SSL/TLS (HTTPS) -We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server. +We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) (SSL/[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security)) on your webserver for secure communication between clients and the server. + +### Let's Encrypt For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates. @@ -71,8 +96,8 @@ sudo apt install certbot sudo systemctl stop apache2 sudo systemctl stop nginx -# generate initial certificates - Let's Encrypt ACME servers must be able to access your server! -# (DNS records must be correctly pointing to it, firewall/NAT on port 80/443 must be open) +# generate initial certificates +# Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem @@ -81,20 +106,25 @@ sudo systemctl start apache2 sudo systemctl start nginx ``` +On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts. + +### Self-signed + If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli: - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10) +- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php) +- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority) -------------------------------------------------------------------------------- ## Examples -The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). - -In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`: +The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`: ```bash +# create the document root (replace with your own domain name) sudo mkdir -p /var/www/shaarli.mydomain.org/ ``` @@ -108,7 +138,7 @@ You can install Shaarli at the root of your virtualhost, or in a subdirectory as sudo apt update sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext -# Edit the virtualhost configuration file with your favorite editor +# Edit the virtualhost configuration file with your favorite editor (replace the example domain name) sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf ``` @@ -117,37 +147,36 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf ServerName shaarli.mydomain.org DocumentRoot /var/www/shaarli.mydomain.org/ - # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg. - LogLevel warn - # Log file locations - ErrorLog /var/log/apache2/error.log - CustomLog /var/log/apache2/access.log combined - - # Redirect HTTP requests to HTTPS + # For SSL/TLS certificates acquired with certbot or self-signed certificates + # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests RewriteEngine on RewriteRule ^.well-known/acme-challenge/ - [L] - # except for Let's Encrypt ACME challenge requests RewriteCond %{HTTP_HOST} =shaarli.mydomain.org RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] +# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md +#MDomain shaarli.mydomain.org +#MDCertificateAgreement accepted +#MDContactEmail admin@shaarli.mydomain.org +#MDPrivateKeys RSA 4096 + ServerName shaarli.mydomain.org DocumentRoot /var/www/shaarli.mydomain.org/ - # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg. - LogLevel warn - # Log file locations - ErrorLog /var/log/apache2/error.log - CustomLog /var/log/apache2/access.log combined - - # SSL/TLS configuration (for Let's Encrypt certificates) + # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone SSLEngine on SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem - Include /etc/letsencrypt/options-ssl-apache.conf - - # SSL/TLS configuration (for self-signed certificates) + # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf + SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + SSLOptions +StrictRequire + + # SSL/TLS configuration for self-signed certificates #SSLEngine on #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key @@ -161,8 +190,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf # Required for .htaccess support AllowOverride All - Order allow,deny - Allow from all + Require all granted @@ -183,7 +211,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf ```bash # Enable the virtualhost -sudo a2ensite shaarli +sudo a2ensite shaarli.mydomain.org # mod_ssl must be enabled to use TLS/SSL certificates # https://httpd.apache.org/docs/current/mod/mod_ssl.html @@ -193,21 +221,29 @@ sudo a2enmod ssl # https://httpd.apache.org/docs/current/mod/mod_rewrite.html sudo a2enmod rewrite +# mod_headers must be enabled to set custom headers from the server config +sudo a2enmod headers + # mod_version must only be enabled if you use Apache 2.2 or lower # https://httpd.apache.org/docs/current/mod/mod_version.html # sudo a2enmod version # restart the apache service -systemctl restart apache +sudo systemctl restart apache2 ``` -See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide. +- [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) +- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176) +- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/) +- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) +- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/) +- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html) +- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers) + ### Nginx -Guide on setting up the Nginx web server: [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) - -You will also need to install the [PHP-FPM](http://php-fpm.org) interpreter as detailed [here](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing). Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data` but this may vary depending on your Linux distribution. +This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`. ```bash @@ -229,7 +265,10 @@ server { } server { - listen 443 ssl; + # ipv4 listening port/protocol + listen 443 ssl http2; + # ipv6 listening port/protocol + listen [::]:443 ssl http2; server_name shaarli.mydomain.org; root /var/www/shaarli.mydomain.org; @@ -242,6 +281,14 @@ server { ssl_certificate /etc/ssl/shaarli.mydomain.org.crt; ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key; + # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf + ssl_session_cache shared:le_nginx_SSL:10m; + ssl_session_timeout 1440m; + ssl_session_tickets off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers off; + ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error) client_max_body_size 100m; @@ -278,6 +325,11 @@ server { deny all; } + location ~ /doc/ { + default_type "text/html"; + try_files $uri $uri/ $uri.html =404; + } + location = /favicon.ico { # serve the Shaarli favicon from its custom location alias /var/www/shaarli/images/favicon.ico; @@ -301,12 +353,37 @@ sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enab sudo systemctl reload nginx ``` +- [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) +- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html) +- [Nginx documentation](https://nginx.org/en/docs/) +- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html) +- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls) +- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/) +- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) + + ## Reverse proxies If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. +## Using Shaarli without URL rewriting + +By default, Shaarli uses Slim framework's URL, which requires +URL rewriting. +If you can't use URL rewriting for any reason (not supported by +your web server, shared hosting, etc.), you *can* use Shaarli +without URL rewriting. + +You just need to prefix your URL by `/index.php/`. +Example: instead of accessing `https://shaarli.mydomain.org/`, +use `https://shaarli.mydomain.org/index.php/`. + +**Recommended:** + * after installation, in the configuration page, set your header link to `/index.php/`. + * in your configuration file `config.json.php` set `general.root_url` to + `https://shaarli.mydomain.org/index.php/`. ## Allow import of large browser bookmarks export @@ -367,7 +444,7 @@ By default Shaarli already disallows indexing of your local copy of the document before = common.conf [Definition] failregex = \s-\s\s-\sLogin failed for user.*$ -ignoreregex = +ignoreregex = ``` ```ini @@ -384,33 +461,9 @@ maxretry = 3 bantime = -1 ``` -#### References +Then restart the service: `sudo systemctl restart fail2ban` -- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176) -- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/) -- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) -- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html) -- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html) -- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls) -- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/) -- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/) -- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html) -- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers) -- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/) -- [Nginx documentation](https://nginx.org/en/docs/) -- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) -- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) -- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) -- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) -- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php) -- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority) -- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml) -- [PHP: Supported versions](http://php.net/supported-versions.php) -- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php) -- [PHP 7 Changelog](http://php.net/ChangeLog-7.php) -- [PHP 5 Changelog](http://php.net/ChangeLog-5.php) -- [PHP: Bugs](https://bugs.php.net/) -- [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) -- Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc. +## What next? +[Shaarli installation](Installation.md)