]>
Commit | Line | Data |
---|---|---|
91a21c27 | 1 | # Reverse proxy |
2 | ||
3 | If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example: | |
4 | ||
5 | - The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`). | |
6 | - The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine. | |
7 | - Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`. | |
8 | - No HTTPS is setup on the application server, SSL termination is done at the reverse proxy. | |
9 | ||
10 | In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`. | |
11 | ||
12 | See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues. | |
13 | ||
14 | ||
15 | ## Apache | |
16 | ||
17 | ```apache | |
18 | <VirtualHost *:80> | |
19 | ServerName shaarli.mydomain.org | |
02117f7e | 20 | DocumentRoot /var/www/shaarli.mydomain.org/ |
21 | ||
f682f1b8 | 22 | # For SSL/TLS certificates acquired with certbot or self-signed certificates |
02117f7e | 23 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests |
24 | RewriteEngine on | |
25 | RewriteRule ^.well-known/acme-challenge/ - [L] | |
26 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org | |
27 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] | |
91a21c27 | 28 | </VirtualHost> |
29 | ||
f682f1b8 | 30 | # SSL/TLS configuration for Let's Encrypt certificates managed with mod_md |
31 | #MDomain shaarli.mydomain.org | |
32 | #MDCertificateAgreement accepted | |
33 | #MDContactEmail admin@shaarli.mydomain.org | |
34 | #MDPrivateKeys RSA 4096 | |
35 | ||
91a21c27 | 36 | <VirtualHost *:443> |
37 | ServerName shaarli.mydomain.org | |
38 | ||
f682f1b8 | 39 | # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone |
40 | SSLEngine on | |
41 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem | |
42 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem | |
43 | # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf | |
44 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
45 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |
46 | SSLHonorCipherOrder off | |
47 | SSLSessionTickets off | |
48 | SSLOptions +StrictRequire | |
49 | ||
50 | # SSL/TLS configuration for self-signed certificates | |
51 | #SSLEngine on | |
52 | #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | |
53 | #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | |
91a21c27 | 54 | |
91a21c27 | 55 | # let the proxied shaarli server/container know HTTPS URLs should be served |
56 | RequestHeader set X-Forwarded-Proto "https" | |
57 | ||
58 | # send the original SERVER_NAME to the proxied host | |
59 | ProxyPreserveHost On | |
60 | ||
61 | # pass requests to the proxied host | |
62 | # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers | |
63 | ProxyPass / http://127.0.0.1:10080/ | |
64 | ProxyPassReverse / http://127.0.0.1:10080/ | |
65 | </VirtualHost> | |
66 | ``` | |
67 | ||
68 | ||
69 | ## HAProxy | |
70 | ||
71 | ||
72 | ```conf | |
73 | global | |
74 | [...] | |
75 | ||
76 | defaults | |
77 | [...] | |
78 | ||
79 | frontend http-in | |
80 | bind :80 | |
81 | redirect scheme https code 301 if !{ ssl_fc } | |
82 | bind :443 ssl crt /path/to/cert.pem | |
83 | default_backend shaarli | |
84 | ||
85 | backend shaarli | |
86 | mode http | |
87 | option http-server-close | |
88 | option forwardfor | |
89 | reqadd X-Forwarded-Proto: https | |
90 | server shaarli1 127.0.0.1:10080 | |
91 | ``` | |
92 | ||
f682f1b8 | 93 | - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/) |
91a21c27 | 94 | |
95 | ## Nginx | |
96 | ||
97 | ||
98 | ```nginx | |
99 | http { | |
100 | [...] | |
101 | ||
102 | index index.html index.php; | |
103 | ||
104 | root /home/john/web; | |
105 | access_log /var/log/nginx/access.log combined; | |
106 | error_log /var/log/nginx/error.log; | |
107 | ||
108 | server { | |
109 | listen 80; | |
110 | server_name shaarli.mydomain.org; | |
111 | # redirect HTTP to HTTPS | |
112 | return 301 https://shaarli.mydomain.org$request_uri; | |
113 | } | |
114 | ||
115 | server { | |
116 | listen 443 ssl http2; | |
117 | server_name shaarli.mydomain.org; | |
118 | ||
119 | ssl_certificate /path/to/certificate | |
120 | ssl_certificate_key /path/to/private/key | |
121 | ||
122 | location / { | |
123 | proxy_set_header X-Real-IP $remote_addr; | |
124 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
125 | proxy_set_header X-Forwarded-Proto $scheme; | |
126 | proxy_set_header X-Forwarded-Host $host; | |
127 | ||
128 | # pass requests to the proxied host | |
129 | proxy_pass http://localhost:10080/; | |
130 | proxy_set_header Host $host; | |
131 | proxy_connect_timeout 30s; | |
132 | proxy_read_timeout 120s; | |
133 | } | |
134 | } | |
135 | } | |
136 | ``` | |
137 | ||
f682f1b8 | 138 | ## References |
139 | ||
140 | - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) | |
141 | - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) | |
142 | - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) |