X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=doc%2Fmd%2FServer-configuration.md;h=c22b7d9c5958ce961b12d08957a4144be7a6ea7b;hb=ecdae2237f85b93bb3db436cf405a88c945e2a7a;hp=b4dfc53dff7e454197e0837b458cccd27155f372;hpb=30255b794ab3ddfaf2e813d173b445800102d748;p=github%2Fshaarli%2FShaarli.git

diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md
index b4dfc53d..c22b7d9c 100644
--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -44,8 +44,9 @@ Required PHP extensions:
 
 Extension | Required? | Usage
 ---|:---:|---
-[`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
+[`openssl`](http://php.net/manual/en/book.openssl.php) | requires | OpenSSL, HTTPS
 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
+[`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->Ã¨->f`)
@@ -76,8 +77,8 @@ sudo apt install certbot
 sudo systemctl stop apache2
 sudo systemctl stop nginx
 
-# generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
-# (DNS records must be correctly pointing to  it, firewall/NAT on port 80/443 must be open)
+# generate initial certificates
+# Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
 
@@ -95,11 +96,10 @@ If you don't want to rely on a certificate authority, or the server can only be
 
 ## Examples
 
-The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).
-
-In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
+The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
 
 ```bash
+# create the document root
 sudo mkdir -p /var/www/shaarli.mydomain.org/
 ```
 
@@ -122,12 +122,6 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
     ServerName shaarli.mydomain.org
     DocumentRoot /var/www/shaarli.mydomain.org/
 
-    # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
-    LogLevel  warn
-    # Log file locations
-    ErrorLog /var/log/apache2/error.log
-    CustomLog /var/log/apache2/access.log combined
-
     # Redirect HTTP requests to HTTPS
     RewriteEngine on
     RewriteRule ^.well-known/acme-challenge/ - [L]
@@ -140,17 +134,17 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
     ServerName   shaarli.mydomain.org
     DocumentRoot /var/www/shaarli.mydomain.org/
 
-    # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
-    LogLevel  warn
-    # Log file locations
-    ErrorLog  /var/log/apache2/error.log
-    CustomLog /var/log/apache2/access.log combined
-
     # SSL/TLS configuration (for Let's Encrypt certificates)
     SSLEngine             on
     SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
-    Include /etc/letsencrypt/options-ssl-apache.conf
+
+    # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off
+    SSLOptions +StrictRequire
 
     # SSL/TLS configuration (for self-signed certificates)
     #SSLEngine             on
@@ -166,8 +160,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
     <Directory /var/www/shaarli.mydomain.org/>
         # Required for .htaccess support
         AllowOverride All
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
 
     <LocationMatch "/\.">
@@ -208,11 +201,10 @@ systemctl restart apache
 
 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
 
-### Nginx
 
-Guide on setting up the Nginx web server: [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)
+### Nginx
 
-You will also need to install the [PHP-FPM](http://php-fpm.org) interpreter as detailed [here](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing). Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data` but this may vary depending on your Linux distribution.
+This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
 
 
 ```bash
@@ -247,6 +239,14 @@ server {
     ssl_certificate      /etc/ssl/shaarli.mydomain.org.crt;
     ssl_certificate_key  /etc/ssl/private/shaarli.mydomain.org.key;
 
+    # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
+    ssl_session_cache shared:le_nginx_SSL:10m;
+    ssl_session_timeout 1440m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
     # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
     client_max_body_size 100m;
 
@@ -306,6 +306,8 @@ sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enab
 sudo systemctl reload nginx
 ```
 
+See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide.
+
 
 ## Reverse proxies