| 91a21c27 |
1 | # Reverse proxy |
| 2 | |
| 3 | If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example: |
| 4 | |
| 5 | - The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`). |
| 6 | - The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine. |
| 7 | - Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`. |
| 8 | - No HTTPS is setup on the application server, SSL termination is done at the reverse proxy. |
| 9 | |
| 10 | In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`. |
| 11 | |
| 12 | See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues. |
| 13 | |
| 14 | |
| 15 | ## Apache |
| 16 | |
| 17 | ```apache |
| 18 | <VirtualHost *:80> |
| 19 | ServerName shaarli.mydomain.org |
| 20 | # Redirect HTTP to HTTPS |
| 21 | Redirect permanent / https://shaarli.mydomain.org |
| 22 | </VirtualHost> |
| 23 | |
| 24 | <VirtualHost *:443> |
| 25 | ServerName shaarli.mydomain.org |
| 26 | |
| 27 | SSLEngine on |
| 28 | SSLCertificateFile /path/to/certificate |
| 29 | SSLCertificateKeyFile /path/to/private/key |
| 30 | |
| 31 | LogLevel warn |
| 32 | ErrorLog /var/log/apache2/error.log |
| 33 | CustomLog /var/log/apache2/access.log combined |
| 34 | |
| 35 | # let the proxied shaarli server/container know HTTPS URLs should be served |
| 36 | RequestHeader set X-Forwarded-Proto "https" |
| 37 | |
| 38 | # send the original SERVER_NAME to the proxied host |
| 39 | ProxyPreserveHost On |
| 40 | |
| 41 | # pass requests to the proxied host |
| 42 | # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers |
| 43 | ProxyPass / http://127.0.0.1:10080/ |
| 44 | ProxyPassReverse / http://127.0.0.1:10080/ |
| 45 | </VirtualHost> |
| 46 | ``` |
| 47 | |
| 48 | |
| 49 | ## HAProxy |
| 50 | |
| 51 | |
| 52 | ```conf |
| 53 | global |
| 54 | [...] |
| 55 | |
| 56 | defaults |
| 57 | [...] |
| 58 | |
| 59 | frontend http-in |
| 60 | bind :80 |
| 61 | redirect scheme https code 301 if !{ ssl_fc } |
| 62 | bind :443 ssl crt /path/to/cert.pem |
| 63 | default_backend shaarli |
| 64 | |
| 65 | backend shaarli |
| 66 | mode http |
| 67 | option http-server-close |
| 68 | option forwardfor |
| 69 | reqadd X-Forwarded-Proto: https |
| 70 | server shaarli1 127.0.0.1:10080 |
| 71 | ``` |
| 72 | |
| 73 | |
| 74 | ## Nginx |
| 75 | |
| 76 | |
| 77 | ```nginx |
| 78 | http { |
| 79 | [...] |
| 80 | |
| 81 | index index.html index.php; |
| 82 | |
| 83 | root /home/john/web; |
| 84 | access_log /var/log/nginx/access.log combined; |
| 85 | error_log /var/log/nginx/error.log; |
| 86 | |
| 87 | server { |
| 88 | listen 80; |
| 89 | server_name shaarli.mydomain.org; |
| 90 | # redirect HTTP to HTTPS |
| 91 | return 301 https://shaarli.mydomain.org$request_uri; |
| 92 | } |
| 93 | |
| 94 | server { |
| 95 | listen 443 ssl http2; |
| 96 | server_name shaarli.mydomain.org; |
| 97 | |
| 98 | ssl_certificate /path/to/certificate |
| 99 | ssl_certificate_key /path/to/private/key |
| 100 | |
| 101 | location / { |
| 102 | proxy_set_header X-Real-IP $remote_addr; |
| 103 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 104 | proxy_set_header X-Forwarded-Proto $scheme; |
| 105 | proxy_set_header X-Forwarded-Host $host; |
| 106 | |
| 107 | # pass requests to the proxied host |
| 108 | proxy_pass http://localhost:10080/; |
| 109 | proxy_set_header Host $host; |
| 110 | proxy_connect_timeout 30s; |
| 111 | proxy_read_timeout 120s; |
| 112 | } |
| 113 | } |
| 114 | } |
| 115 | ``` |
| 116 | |
projects / github / shaarli / Shaarli.git / blame