[github/shaarli/Shaarli.git] / doc / md / Reverse-proxy.md

# Reverse proxy

If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:

- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.

In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.

See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.


## Apache

```apache
<VirtualHost *:80>
    ServerName shaarli.mydomain.org
    DocumentRoot /var/www/shaarli.mydomain.org/

    # For SSL/TLS certificates acquired with certbot or self-signed certificates
    # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
    RewriteEngine on
    RewriteRule ^.well-known/acme-challenge/ - [L]
    RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
    RewriteRule  ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
#MDomain shaarli.mydomain.org
#MDCertificateAgreement accepted
#MDContactEmail admin@shaarli.mydomain.org
#MDPrivateKeys RSA 4096

<VirtualHost *:443>
    ServerName shaarli.mydomain.org

    # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
    SSLEngine             on
    SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
    # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    SSLOptions +StrictRequire

    # SSL/TLS configuration for self-signed certificates
    #SSLEngine             on
    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # let the proxied shaarli server/container know HTTPS URLs should be served
    RequestHeader set X-Forwarded-Proto "https"

    # send the original SERVER_NAME to the proxied host
    ProxyPreserveHost On
    
    # pass requests to the proxied host
    # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
    ProxyPass        / http://127.0.0.1:10080/
    ProxyPassReverse / http://127.0.0.1:10080/
</VirtualHost>
```


## HAProxy


```conf
global
    [...]

defaults
    [...]

frontend http-in
    bind :80
    redirect scheme https code 301 if !{ ssl_fc }
    bind :443 ssl crt /path/to/cert.pem
    default_backend shaarli

backend shaarli
    mode http
    option http-server-close
    option forwardfor
    reqadd X-Forwarded-Proto: https
    server shaarli1 127.0.0.1:10080
```

- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)

## Nginx


```nginx
http {
    [...]

    index index.html index.php;

    root        /home/john/web;
    access_log  /var/log/nginx/access.log combined;
    error_log   /var/log/nginx/error.log;

    server {
        listen       80;
        server_name  shaarli.mydomain.org;
        # redirect HTTP to HTTPS
        return       301 https://shaarli.mydomain.org$request_uri;
    }

    server {
        listen       443 ssl http2;
        server_name  shaarli.mydomain.org;

        ssl_certificate       /path/to/certificate
        ssl_certificate_key   /path/to/private/key

        location / {
            proxy_set_header  X-Real-IP         $remote_addr;
            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  X-Forwarded-Host  $host;

            # pass requests to the proxied host
            proxy_pass             http://localhost:10080/;
            proxy_set_header Host  $host;
            proxy_connect_timeout  30s;
            proxy_read_timeout     120s;
        }
    }
}
```

## References

- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
Commit	Line	Data
91a21c27	1	# Reverse proxy
	2
	3	If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
	4
	5	- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
	6	- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
	7	- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
	8	- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
	9
	10	In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
	11
	12	See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
	13
	14
	15	## Apache
	16
	17	```apache
	18	<VirtualHost *:80>
	19	ServerName shaarli.mydomain.org
02117f7e	20	DocumentRoot /var/www/shaarli.mydomain.org/
02117f7e	21
f682f1b8	22	# For SSL/TLS certificates acquired with certbot or self-signed certificates
02117f7e	23	# Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
	24	RewriteEngine on
	25	RewriteRule ^.well-known/acme-challenge/ - [L]
	26	RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
	27	RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
91a21c27	28	</VirtualHost>
91a21c27	29
f682f1b8	30	# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
	31	#MDomain shaarli.mydomain.org
	32	#MDCertificateAgreement accepted
	33	#MDContactEmail admin@shaarli.mydomain.org
	34	#MDPrivateKeys RSA 4096
	35
91a21c27	36	<VirtualHost *:443>
	37	ServerName shaarli.mydomain.org
	38
f682f1b8	39	# SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
	40	SSLEngine on
	41	SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
	42	SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
	43	# Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
	44	SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	45	SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	46	SSLHonorCipherOrder off
	47	SSLSessionTickets off
	48	SSLOptions +StrictRequire
	49
	50	# SSL/TLS configuration for self-signed certificates
	51	#SSLEngine on
	52	#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	53	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
91a21c27	54
91a21c27	55	# let the proxied shaarli server/container know HTTPS URLs should be served
	56	RequestHeader set X-Forwarded-Proto "https"
	57
	58	# send the original SERVER_NAME to the proxied host
	59	ProxyPreserveHost On
	60
	61	# pass requests to the proxied host
	62	# sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
	63	ProxyPass / http://127.0.0.1:10080/
	64	ProxyPassReverse / http://127.0.0.1:10080/
	65	</VirtualHost>
	66	```
	67
	68
	69	## HAProxy
	70
	71
	72	```conf
	73	global
	74	[...]
	75
	76	defaults
	77	[...]
	78
	79	frontend http-in
	80	bind :80
	81	redirect scheme https code 301 if !{ ssl_fc }
	82	bind :443 ssl crt /path/to/cert.pem
	83	default_backend shaarli
	84
	85	backend shaarli
	86	mode http
	87	option http-server-close
	88	option forwardfor
	89	reqadd X-Forwarded-Proto: https
	90	server shaarli1 127.0.0.1:10080
	91	```
	92
f682f1b8	93	- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
91a21c27	94
	95	## Nginx
	96
	97
	98	```nginx
	99	http {
	100	[...]
	101
	102	index index.html index.php;
	103
	104	root /home/john/web;
	105	access_log /var/log/nginx/access.log combined;
	106	error_log /var/log/nginx/error.log;
	107
	108	server {
	109	listen 80;
	110	server_name shaarli.mydomain.org;
	111	# redirect HTTP to HTTPS
	112	return 301 https://shaarli.mydomain.org$request_uri;
	113	}
	114
	115	server {
	116	listen 443 ssl http2;
	117	server_name shaarli.mydomain.org;
	118
	119	ssl_certificate /path/to/certificate
	120	ssl_certificate_key /path/to/private/key
	121
	122	location / {
	123	proxy_set_header X-Real-IP $remote_addr;
	124	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	125	proxy_set_header X-Forwarded-Proto $scheme;
	126	proxy_set_header X-Forwarded-Host $host;
	127
	128	# pass requests to the proxied host
	129	proxy_pass http://localhost:10080/;
	130	proxy_set_header Host $host;
	131	proxy_connect_timeout 30s;
	132	proxy_read_timeout 120s;
	133	}
	134	}
	135	}
	136	```
	137
f682f1b8	138	## References
	139
	140	- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
	141	- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
	142	- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)