X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2Fmd%2FServer-configuration.md;h=89398b44423aa813d0cf93813224cf3a3d173d80;hb=5eece37b0aaa8563d6fdde394b2e828bec61b6f5;hp=f14be7f38b89e4ea449eaf10be1f22c95442e50d;hpb=e0fe33f90ba0bfedc50ba79982833e10c7e6c4a4;p=github%2Fshaarli%2FShaarli.git diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md index f14be7f3..89398b44 100644 --- a/doc/md/Server-configuration.md +++ b/doc/md/Server-configuration.md @@ -1,7 +1,5 @@ # Server configuration - - ## Requirements ### Operating system and web server @@ -25,6 +23,14 @@ Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/commu Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver. +### Screencast + +Here is a screencast of the installation procedure + +[![asciicast](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO.svg)](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO) + +-------------------------------------------------------------------------------- + ### PHP Supported PHP versions: @@ -60,6 +66,8 @@ Some [plugins](Plugins.md) may require additional configuration. We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server. +### Let's Encrypt + For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates. - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10) @@ -87,6 +95,10 @@ sudo systemctl start apache2 sudo systemctl start nginx ``` +On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts. + +### Self-signed + If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli: - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) @@ -96,11 +108,10 @@ If you don't want to rely on a certificate authority, or the server can only be ## Examples -The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). - -In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`: +The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`: ```bash +# create the document root (replace with your own domain name) sudo mkdir -p /var/www/shaarli.mydomain.org/ ``` @@ -114,7 +125,7 @@ You can install Shaarli at the root of your virtualhost, or in a subdirectory as sudo apt update sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext -# Edit the virtualhost configuration file with your favorite editor +# Edit the virtualhost configuration file with your favorite editor (replace the example domain name) sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf ``` @@ -123,35 +134,25 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf ServerName shaarli.mydomain.org DocumentRoot /var/www/shaarli.mydomain.org/ - # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg. - LogLevel warn - # Log file locations - ErrorLog /var/log/apache2/error.log - CustomLog /var/log/apache2/access.log combined - - # Redirect HTTP requests to HTTPS + # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests RewriteEngine on RewriteRule ^.well-known/acme-challenge/ - [L] - # except for Let's Encrypt ACME challenge requests RewriteCond %{HTTP_HOST} =shaarli.mydomain.org RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] + # If you are using mod_md, use this instead + #MDCertificateAgreement accepted + #MDContactEmail admin@shaarli.mydomain.org + #MDPrivateKeys RSA 4096 ServerName shaarli.mydomain.org DocumentRoot /var/www/shaarli.mydomain.org/ - # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg. - LogLevel warn - # Log file locations - ErrorLog /var/log/apache2/error.log - CustomLog /var/log/apache2/access.log combined - - # SSL/TLS configuration (for Let's Encrypt certificates) + # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone SSLEngine on SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem - # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 @@ -159,6 +160,9 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf SSLSessionTickets off SSLOptions +StrictRequire + # SSL/TLS configuration for Let's Encrypt certificates acquired with mod_md + #MDomain shaarli.mydomain.org + # SSL/TLS configuration (for self-signed certificates) #SSLEngine on #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem @@ -173,8 +177,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf # Required for .htaccess support AllowOverride All - Order allow,deny - Allow from all + Require all granted @@ -195,7 +198,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf ```bash # Enable the virtualhost -sudo a2ensite shaarli +sudo a2ensite shaarli.mydomain.org # mod_ssl must be enabled to use TLS/SSL certificates # https://httpd.apache.org/docs/current/mod/mod_ssl.html @@ -215,6 +218,7 @@ systemctl restart apache See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide. + ### Nginx This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`. @@ -404,6 +408,8 @@ maxretry = 3 bantime = -1 ``` +Then restart the service: `sudo systemctl restart fail2ban` + #### References - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)