[github/shaarli/Shaarli.git] / doc / Server-security.html

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="generator" content="pandoc">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
  <title>Shaarli – Server security</title>
  <style type="text/css">code{white-space: pre;}</style>
  <style type="text/css">
div.sourceCode { overflow-x: auto; }
table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
  margin: 0; padding: 0; vertical-align: baseline; border: none; }
table.sourceCode { width: 100%; line-height: 100%; }
td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
td.sourceCode { padding-left: 5px; }
code > span.kw { color: #007020; font-weight: bold; } /* Keyword */
code > span.dt { color: #902000; } /* DataType */
code > span.dv { color: #40a070; } /* DecVal */
code > span.bn { color: #40a070; } /* BaseN */
code > span.fl { color: #40a070; } /* Float */
code > span.ch { color: #4070a0; } /* Char */
code > span.st { color: #4070a0; } /* String */
code > span.co { color: #60a0b0; font-style: italic; } /* Comment */
code > span.ot { color: #007020; } /* Other */
code > span.al { color: #ff0000; font-weight: bold; } /* Alert */
code > span.fu { color: #06287e; } /* Function */
code > span.er { color: #ff0000; font-weight: bold; } /* Error */
code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
code > span.cn { color: #880000; } /* Constant */
code > span.sc { color: #4070a0; } /* SpecialChar */
code > span.vs { color: #4070a0; } /* VerbatimString */
code > span.ss { color: #bb6688; } /* SpecialString */
code > span.im { } /* Import */
code > span.va { color: #19177c; } /* Variable */
code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
code > span.op { color: #666666; } /* Operator */
code > span.bu { } /* BuiltIn */
code > span.ex { } /* Extension */
code > span.pp { color: #bc7a00; } /* Preprocessor */
code > span.at { color: #7d9029; } /* Attribute */
code > span.do { color: #ba2121; font-style: italic; } /* Documentation */
code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
  </style>
  <link rel="stylesheet" href="github-markdown.css">
  <!--[if lt IE 9]>
    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
  <![endif]-->
</head>
<body>
<div id="local-sidebar">
<ul>
<li><a href="Home.html">Home</a></li>
<li>Setup
<ul>
<li><a href="Download-and-Installation.html">Download and Installation</a></li>
<li><a href="Upgrade-and-migration.html">Upgrade and migration</a></li>
<li><a href="Server-requirements.html">Server requirements</a></li>
<li><a href="Server-configuration.html">Server configuration</a></li>
<li><a href="Server-security.html">Server security</a></li>
<li><a href="Shaarli-configuration.html">Shaarli configuration</a></li>
<li><a href="Plugins.html">Plugins</a></li>
</ul></li>
<li><a href="Docker.html">Docker</a></li>
<li><a href="Usage.html">Usage</a>
<ul>
<li><a href="Sharing-button.html">Sharing button</a> (bookmarklet)</li>
<li><a href="Browsing-and-Searching.html">Browsing and Searching</a></li>
<li><a href="Firefox-share.html">Firefox share</a></li>
<li><a href="RSS-feeds.html">RSS feeds</a></li>
</ul></li>
<li>How To
<ul>
<li><a href="Backup,-restore,-import-and-export.html">Backup, restore, import and export</a></li>
<li><a href="Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally</a></li>
<li><a href="Create-and-serve-multiple-Shaarlis-(farm).html">Create and serve multiple Shaarlis (farm)</a></li>
<li><a href="Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list</a></li>
<li><a href="Datastore-hacks.html">Datastore hacks</a></li>
</ul></li>
<li><a href="Troubleshooting.html">Troubleshooting</a></li>
<li><a href="Development.html">Development</a>
<ul>
<li><a href="GnuPG-signature.html">GnuPG signature</a></li>
<li><a href="Coding-guidelines.html">Coding guidelines</a></li>
<li><a href="Directory-structure.html">Directory structure</a></li>
<li><a href="3rd-party-libraries.html">3rd party libraries</a></li>
<li><a href="Plugin-System.html">Plugin System</a></li>
<li><a href="Release-Shaarli.html">Release Shaarli</a></li>
<li><a href="Security.html">Security</a></li>
<li><a href="Static-analysis.html">Static analysis</a></li>
<li><a href="Theming.html">Theming</a></li>
<li><a href="Unit-tests.html">Unit tests</a></li>
</ul></li>
<li>About
<ul>
<li><a href="FAQ.html">FAQ</a></li>
<li><a href="Community-&amp;-Related-software.html">Community &amp; Related software</a></li>
</ul></li>
</ul>
</div>
<h1 id="server-security">Server security</h1>
<h2 id="php.ini">php.ini</h2>
<p>PHP settings are defined in:</p>
<ul>
<li>a main configuration file, usually found under <code>/etc/php5/php.ini</code>; some distributions provide different configuration environments, e.g.
<ul>
<li><code>/etc/php5/php.ini</code> - used when running console scripts</li>
<li><code>/etc/php5/apache2/php.ini</code> - used when a client requests PHP resources from Apache</li>
<li><code>/etc/php5/php-fpm.conf</code> - used when PHP requests are proxied to PHP-FPM</li>
</ul></li>
<li>additional configuration files/entries, depending on the installed/enabled extensions:
<ul>
<li><code>/etc/php/conf.d/xdebug.ini</code></li>
</ul></li>
</ul>
<h3 id="locate-.ini-files">Locate .ini files</h3>
<h4 id="console-environment">Console environment</h4>
<div class="sourceCode"><pre class="sourceCode bash"><code class="sourceCode bash">$ <span class="ex">php</span> --ini
<span class="ex">Configuration</span> File (php.ini) <span class="ex">Path</span>: /etc/php
<span class="ex">Loaded</span> Configuration File:         /etc/php/php.ini
<span class="ex">Scan</span> for additional .ini files in: /etc/php/conf.d
<span class="ex">Additional</span> .ini files parsed:      /etc/php/conf.d/xdebug.ini</code></pre></div>
<h4 id="server-environment">Server environment</h4>
<ul>
<li>create a <code>phpinfo.php</code> script located in a path supported by the web server, e.g.
<ul>
<li>Apache (with user dirs enabled): <code>/home/myself/public_html/phpinfo.php</code></li>
<li><code>/var/www/test/phpinfo.php</code></li>
</ul></li>
<li>make sure the script is readable by the web server user/group (usually, <code>www</code>, <code>www-data</code> or <code>httpd</code>)</li>
<li>access the script from a web browser</li>
<li><p>look at the <em>Loaded Configuration File</em> and <em>Scan this dir for additional .ini files</em> entries</p>
<div class="sourceCode"><pre class="sourceCode php"><code class="sourceCode php"><span class="kw">&lt;?php</span> <span class="fu">phpinfo</span><span class="ot">();</span> <span class="kw">?&gt;</span></code></pre></div></li>
</ul>
<h2 id="fail2ban">fail2ban</h2>
<p><code>fail2ban</code> is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses <code>iptables</code> profiles to block brute-force attempts:</p>
<ul>
<li><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Official website</a><a href=".html"></a></li>
<li><a href="https://github.com/fail2ban/fail2ban">Source code</a><a href=".html"></a></li>
</ul>
<h3 id="read-shaarli-logs-to-ban-ips">Read Shaarli logs to ban IPs</h3>
<p>Example configuration:</p>
<ul>
<li>allow 3 login attempts per IP address</li>
<li>after 3 failures, permanently ban the corresponding IP adddress</li>
</ul>
<p><code>/etc/fail2ban/jail.local</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[shaarli-auth][]</span><span class="dt">(.html)</span>
<span class="dt">enabled  </span><span class="ot">=</span><span class="st"> </span><span class="kw">true</span>
<span class="dt">port     </span><span class="ot">=</span><span class="st"> https,http</span>
<span class="dt">filter   </span><span class="ot">=</span><span class="st"> shaarli-auth</span>
<span class="dt">logpath  </span><span class="ot">=</span><span class="st"> /var/www/path/to/shaarli/data/log.txt</span>
<span class="dt">maxretry </span><span class="ot">=</span><span class="st"> </span><span class="dv">3</span>
<span class="dt">bantime </span><span class="ot">=</span><span class="st"> -</span><span class="dv">1</span></code></pre></div>
<p><code>/etc/fail2ban/filter.d/shaarli-auth.conf</code></p>
<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[INCLUDES][]</span><span class="dt">(.html)</span>
<span class="dt">before </span><span class="ot">=</span><span class="st"> common.conf</span>
<span class="kw">[Definition][]</span><span class="dt">(.html)</span>
<span class="dt">failregex </span><span class="ot">=</span><span class="st"> \s-\s&lt;HOST&gt;\s-\sLogin failed for user.*$</span>
<span class="dt">ignoreregex </span><span class="ot">=</span><span class="st"> </span></code></pre></div>
<h2 id="robots---restricting-search-engines-and-web-crawler-traffic">Robots - Restricting search engines and web crawler traffic</h2>
<p>Creating a <code>robots.txt</code> with the following contents at the root of your Shaarli installation will prevent <em>honest</em> web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.</p>
<pre><code>User-agent: *
Disallow: /</code></pre>
<p>See:</p>
<ul>
<li><a href="http://www.robotstxt.org/" class="uri">http://www.robotstxt.org/</a></li>
<li><a href="http://www.robotstxt.org/robotstxt.html" class="uri">http://www.robotstxt.org/robotstxt.html</a></li>
<li><a href="http://www.robotstxt.org/meta.html" class="uri">http://www.robotstxt.org/meta.html</a></li>
</ul>
</body>
</html>
Commit	Line	Data
5409ade2 A	1	<!DOCTYPE html>
	2	<html>
	3	<head>
	4	<meta charset="utf-8">
	5	<meta name="generator" content="pandoc">
	6	<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
	7	<title>Shaarli – Server security</title>
	8	<style type="text/css">code{white-space: pre;}</style>
	9	<style type="text/css">
	10	div.sourceCode { overflow-x: auto; }
	11	table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
	12	margin: 0; padding: 0; vertical-align: baseline; border: none; }
	13	table.sourceCode { width: 100%; line-height: 100%; }
	14	td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
	15	td.sourceCode { padding-left: 5px; }
	16	code > span.kw { color: #007020; font-weight: bold; } /* Keyword */
	17	code > span.dt { color: #902000; } /* DataType */
	18	code > span.dv { color: #40a070; } /* DecVal */
	19	code > span.bn { color: #40a070; } /* BaseN */
	20	code > span.fl { color: #40a070; } /* Float */
	21	code > span.ch { color: #4070a0; } /* Char */
	22	code > span.st { color: #4070a0; } /* String */
	23	code > span.co { color: #60a0b0; font-style: italic; } /* Comment */
	24	code > span.ot { color: #007020; } /* Other */
	25	code > span.al { color: #ff0000; font-weight: bold; } /* Alert */
	26	code > span.fu { color: #06287e; } /* Function */
	27	code > span.er { color: #ff0000; font-weight: bold; } /* Error */
	28	code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
	29	code > span.cn { color: #880000; } /* Constant */
	30	code > span.sc { color: #4070a0; } /* SpecialChar */
	31	code > span.vs { color: #4070a0; } /* VerbatimString */
	32	code > span.ss { color: #bb6688; } /* SpecialString */
	33	code > span.im { } /* Import */
	34	code > span.va { color: #19177c; } /* Variable */
	35	code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
	36	code > span.op { color: #666666; } /* Operator */
	37	code > span.bu { } /* BuiltIn */
	38	code > span.ex { } /* Extension */
	39	code > span.pp { color: #bc7a00; } /* Preprocessor */
	40	code > span.at { color: #7d9029; } /* Attribute */
	41	code > span.do { color: #ba2121; font-style: italic; } /* Documentation */
	42	code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
	43	code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
	44	code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
	45	</style>
	46	<link rel="stylesheet" href="github-markdown.css">
	47	<!--[if lt IE 9]>
	48	<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
	49	<![endif]-->
	50	</head>
	51	<body>
	52	<div id="local-sidebar">
	53	<ul>
	54	<li><a href="Home.html">Home</a></li>
fdf88d19	55	<li>Setup
5409ade2	56	<ul>
fdf88d19 A	57	<li><a href="Download-and-Installation.html">Download and Installation</a></li>
fdf88d19 A	58	<li><a href="Upgrade-and-migration.html">Upgrade and migration</a></li>
5409ade2 A	59	<li><a href="Server-requirements.html">Server requirements</a></li>
	60	<li><a href="Server-configuration.html">Server configuration</a></li>
	61	<li><a href="Server-security.html">Server security</a></li>
5409ade2	62	<li><a href="Shaarli-configuration.html">Shaarli configuration</a></li>
08dcd8ea	63	<li><a href="Plugins.html">Plugins</a></li>
5409ade2 A	64	</ul></li>
5409ade2 A	65	<li><a href="Docker.html">Docker</a></li>
5409ade2 A	66	<li><a href="Usage.html">Usage</a>
	67	<ul>
	68	<li><a href="Sharing-button.html">Sharing button</a> (bookmarklet)</li>
	69	<li><a href="Browsing-and-Searching.html">Browsing and Searching</a></li>
	70	<li><a href="Firefox-share.html">Firefox share</a></li>
	71	<li><a href="RSS-feeds.html">RSS feeds</a></li>
	72	</ul></li>
	73	<li>How To
	74	<ul>
	75	<li><a href="Backup,-restore,-import-and-export.html">Backup, restore, import and export</a></li>
5409ade2 A	76	<li><a href="Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally</a></li>
	77	<li><a href="Create-and-serve-multiple-Shaarlis-(farm).html">Create and serve multiple Shaarlis (farm)</a></li>
	78	<li><a href="Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list</a></li>
	79	<li><a href="Datastore-hacks.html">Datastore hacks</a></li>
	80	</ul></li>
	81	<li><a href="Troubleshooting.html">Troubleshooting</a></li>
	82	<li><a href="Development.html">Development</a>
	83	<ul>
	84	<li><a href="GnuPG-signature.html">GnuPG signature</a></li>
	85	<li><a href="Coding-guidelines.html">Coding guidelines</a></li>
	86	<li><a href="Directory-structure.html">Directory structure</a></li>
	87	<li><a href="3rd-party-libraries.html">3rd party libraries</a></li>
	88	<li><a href="Plugin-System.html">Plugin System</a></li>
	89	<li><a href="Release-Shaarli.html">Release Shaarli</a></li>
	90	<li><a href="Security.html">Security</a></li>
	91	<li><a href="Static-analysis.html">Static analysis</a></li>
	92	<li><a href="Theming.html">Theming</a></li>
	93	<li><a href="Unit-tests.html">Unit tests</a></li>
	94	</ul></li>
	95	<li>About
	96	<ul>
	97	<li><a href="FAQ.html">FAQ</a></li>
	98	<li><a href="Community-&-Related-software.html">Community & Related software</a></li>
5409ade2 A	99	</ul></li>
	100	</ul>
	101	</div>
	102	<h1 id="server-security">Server security</h1>
	103	<h2 id="php.ini">php.ini</h2>
	104	<p>PHP settings are defined in:</p>
	105	<ul>
	106	<li>a main configuration file, usually found under <code>/etc/php5/php.ini</code>; some distributions provide different configuration environments, e.g.
	107	<ul>
	108	<li><code>/etc/php5/php.ini</code> - used when running console scripts</li>
	109	<li><code>/etc/php5/apache2/php.ini</code> - used when a client requests PHP resources from Apache</li>
	110	<li><code>/etc/php5/php-fpm.conf</code> - used when PHP requests are proxied to PHP-FPM</li>
	111	</ul></li>
	112	<li>additional configuration files/entries, depending on the installed/enabled extensions:
	113	<ul>
	114	<li><code>/etc/php/conf.d/xdebug.ini</code></li>
	115	</ul></li>
	116	</ul>
	117	<h3 id="locate-.ini-files">Locate .ini files</h3>
	118	<h4 id="console-environment">Console environment</h4>
fdf88d19 A	119	<div class="sourceCode"><pre class="sourceCode bash"><code class="sourceCode bash">$ <span class="ex">php</span> --ini
	120	<span class="ex">Configuration</span> File (php.ini) <span class="ex">Path</span>: /etc/php
	121	<span class="ex">Loaded</span> Configuration File: /etc/php/php.ini
	122	<span class="ex">Scan</span> for additional .ini files in: /etc/php/conf.d
	123	<span class="ex">Additional</span> .ini files parsed: /etc/php/conf.d/xdebug.ini</code></pre></div>
5409ade2 A	124	<h4 id="server-environment">Server environment</h4>
	125	<ul>
	126	<li>create a <code>phpinfo.php</code> script located in a path supported by the web server, e.g.
	127	<ul>
	128	<li>Apache (with user dirs enabled): <code>/home/myself/public_html/phpinfo.php</code></li>
	129	<li><code>/var/www/test/phpinfo.php</code></li>
	130	</ul></li>
	131	<li>make sure the script is readable by the web server user/group (usually, <code>www</code>, <code>www-data</code> or <code>httpd</code>)</li>
	132	<li>access the script from a web browser</li>
	133	<li><p>look at the <em>Loaded Configuration File</em> and <em>Scan this dir for additional .ini files</em> entries</p>
	134	<div class="sourceCode"><pre class="sourceCode php"><code class="sourceCode php"><span class="kw"><?php</span> <span class="fu">phpinfo</span><span class="ot">();</span> <span class="kw">?></span></code></pre></div></li>
	135	</ul>
	136	<h2 id="fail2ban">fail2ban</h2>
	137	<p><code>fail2ban</code> is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses <code>iptables</code> profiles to block brute-force attempts:</p>
	138	<ul>
	139	<li><a href="http://www.fail2ban.org/wiki/index.php/Main_Page">Official website</a><a href=".html"></a></li>
	140	<li><a href="https://github.com/fail2ban/fail2ban">Source code</a><a href=".html"></a></li>
	141	</ul>
	142	<h3 id="read-shaarli-logs-to-ban-ips">Read Shaarli logs to ban IPs</h3>
	143	<p>Example configuration:</p>
	144	<ul>
	145	<li>allow 3 login attempts per IP address</li>
	146	<li>after 3 failures, permanently ban the corresponding IP adddress</li>
	147	</ul>
	148	<p><code>/etc/fail2ban/jail.local</code></p>
	149	<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[shaarli-auth][]</span><span class="dt">(.html)</span>
	150	<span class="dt">enabled </span><span class="ot">=</span><span class="st"> </span><span class="kw">true</span>
	151	<span class="dt">port </span><span class="ot">=</span><span class="st"> https,http</span>
	152	<span class="dt">filter </span><span class="ot">=</span><span class="st"> shaarli-auth</span>
	153	<span class="dt">logpath </span><span class="ot">=</span><span class="st"> /var/www/path/to/shaarli/data/log.txt</span>
	154	<span class="dt">maxretry </span><span class="ot">=</span><span class="st"> </span><span class="dv">3</span>
	155	<span class="dt">bantime </span><span class="ot">=</span><span class="st"> -</span><span class="dv">1</span></code></pre></div>
	156	<p><code>/etc/fail2ban/filter.d/shaarli-auth.conf</code></p>
	157	<div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="kw">[INCLUDES][]</span><span class="dt">(.html)</span>
	158	<span class="dt">before </span><span class="ot">=</span><span class="st"> common.conf</span>
	159	<span class="kw">[Definition][]</span><span class="dt">(.html)</span>
	160	<span class="dt">failregex </span><span class="ot">=</span><span class="st"> \s-\s<HOST>\s-\sLogin failed for user.*$</span>
	161	<span class="dt">ignoreregex </span><span class="ot">=</span><span class="st"> </span></code></pre></div>
fdf88d19 A	162	<h2 id="robots---restricting-search-engines-and-web-crawler-traffic">Robots - Restricting search engines and web crawler traffic</h2>
	163	<p>Creating a <code>robots.txt</code> with the following contents at the root of your Shaarli installation will prevent <em>honest</em> web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.</p>
	164	<pre><code>User-agent: *
	165	Disallow: /</code></pre>
	166	<p>See:</p>
	167	<ul>
	168	<li><a href="http://www.robotstxt.org/" class="uri">http://www.robotstxt.org/</a></li>
	169	<li><a href="http://www.robotstxt.org/robotstxt.html" class="uri">http://www.robotstxt.org/robotstxt.html</a></li>
	170	<li><a href="http://www.robotstxt.org/meta.html" class="uri">http://www.robotstxt.org/meta.html</a></li>
	171	</ul>
5409ade2 A	172	</body>
5409ade2 A	173	</html>