[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md


- [Prerequisites](#prerequisistes)
- [Apache](#apache)
- [Nginx](#nginx)
- [Proxies](#proxies)
- [See also](#see-also)

## Prerequisites
### Shaarli

- A web server and PHP interpreter module/service have been installed.
- You have write access to the Shaarli installation directory.
- The correct read/write permissions have been granted to the web server user and group.
- Your PHP interpreter is compatible with supported PHP versions:

Version | Status | Shaarli compatibility
:---:|:---:|:---:
7.2 | Supported | Yes
7.1 | Supported | Yes
7.0 | Supported | Yes
5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
5.5 | EOL: 2016-07-10 | Yes
5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)

- The following PHP extensions are installed on the server:

Extension | Required? | Usage
---|:---:|---
[`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
[`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
[`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
[`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->è->f`)
[`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
[`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)

--------------------------------------------------------------------------------

### SSL/TLS configuration 

To setup HTTPS / SSL on your webserver (recommended), you must generate a public/private **key pair** and a **certificate**, and install, configure and activate the appropriate **webserver SSL extension**.

#### Let's Encrypt

[Let's Encrypt](https://en.wikipedia.org/wiki/Let%27s_Encrypt) is a certificate authority that provides free TLS/X.509 certificates via an automated process.

 * Install `certbot` using the appropriate method described on https://certbot.eff.org/.
 
Location of the `certbot` program and template configuration files may vary depending on which installation method was used. Change the file paths below accordingly. Here is an easy way to create a signed certificate using `certbot`, it assumes `certbot` was installed through APT on a Debian-based distribution:

 * Stop the apache2/nginx service.
 * Run `certbot --agree-tos --standalone --preferred-challenges tls-sni --email "youremail@example.com" --domain yourdomain.example.com`
 * For the Apache webserver, copy `/usr/lib/python2.7/dist-packages/certbot_apache/options-ssl-apache.conf` to `/etc/letsencrypt/options-ssl-apache.conf` (paths may vary depending on installation method)
 * For Nginx: TODO
 * Setup your webserver as described below
 * Restart the apache2/nginx service.

#### Self-signed certificates

If you don't want to request a certificate from Let's Encrypt, or are unable to (for example, webserver on a LAN, or domain name not registered in the public DNS system), you can generate a self-signed certificate. This certificate will trigger security warnings in web browsers, unless you add it to the browser's SSL store manually.

* Apache: run `make-ssl-cert generate-default-snakeoil --force-overwrite`
* Nginx: TODO

--------------------------------------------------------------------------------

## Apache

Here is a basic configuration example for the Apache web server with `mod_php`.

In `/etc/apache2/sites-available/shaarli.conf`:

```apache
<VirtualHost *:443>
    ServerName   shaarli.my-domain.org
    DocumentRoot /absolute/path/to/shaarli/

    # Logging
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel  warn
    ErrorLog  /var/log/apache2/shaarli-error.log
    CustomLog /var/log/apache2/shaarli-access.log combined

    # Let's Encrypt SSL configuration (recommended)
    SSLEngine             on
    SSLCertificateFile    /etc/letsencrypt/live/yourdomain.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Self-signed SSL cert configuration
    #SSLEngine             on
    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Optional, log PHP errors, useful for debugging
    #php_flag  log_errors on
    #php_flag  display_errors on
    #php_value error_reporting 2147483647
    #php_value error_log /var/log/apache2/shaarli-php-error.log

    <Directory /absolute/path/to/shaarli/>
        #Required for .htaccess support
        AllowOverride All
        Order allow,deny
        Allow from all

        Options Indexes FollowSymLinks MultiViews #TODO is Indexes/Multiviews required?

        # Optional - required for playvideos plugin
        #Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com 'unsafe-eval'"
    </Directory>

</VirtualHost>
```

Enable this configuration with `sudo a2ensite shaarli`

_Note: If you use Apache 2.2 or lower, you need [mod_version](https://httpd.apache.org/docs/current/mod/mod_version.html) to be installed and enabled._

_Note: Apache module `mod_rewrite` must be enabled to use the REST API._


## Nginx

Here is a basic configuration example for the Nginx web server, using the [php-fpm](http://php-fpm.org) PHP FastCGI Process Manager, and Nginx's [FastCGI](https://en.wikipedia.org/wiki/FastCGI) module.

<!--- TODO refactor everything below this point --->

### Common setup
Once Nginx and PHP-FPM are installed, we need to ensure:

- Nginx and PHP-FPM are running using the _same user and group_
- both these user and group have
    - `read` permissions for Shaarli resources
    - `execute` permissions for Shaarli directories _AND_ their parent directories

On a production server:

- `user:group` will likely be `http:http`, `www:www` or `www-data:www-data`
- files will be located under `/var/www`, `/var/http` or `/usr/share/nginx`

On a development server:

- files may be located in a user's home directory
- in this case, make sure both Nginx and PHP-FPM are running as the local user/group!

For all following configuration examples, this user/group pair will be used:

- `user:group = john:users`,

which corresponds to the following service configuration:

```ini
; /etc/php/php-fpm.conf
user = john
group = users

[...]
listen.owner = john
listen.group = users
```

```nginx
# /etc/nginx/nginx.conf
user john users;

http {
    [...]
}
```

### (Optional) Increase the maximum file upload size
Some bookmark dumps generated by web browsers can be _huge_ due to the presence of Base64-encoded images and favicons, as well as extra verbosity when nesting links in (sub-)folders.

To increase upload size, you will need to modify both nginx and PHP configuration:

```nginx
# /etc/nginx/nginx.conf

http {
    [...]

    client_max_body_size 10m;

    [...]
}
```

```ini
# /etc/php5/fpm/php.ini

[...]
post_max_size = 10M
[...]
upload_max_filesize = 10M
```

### Minimal
_WARNING: Use for development only!_ 

```nginx
user john users;
worker_processes  1;
events {
    worker_connections  1024;
}

http {
    include            mime.types;
    default_type       application/octet-stream;
    keepalive_timeout  20;

    index index.html index.php;

    server {
        listen       80;
        server_name  localhost;
        root         /home/john/web;

        access_log  /var/log/nginx/access.log;
        error_log   /var/log/nginx/error.log;

        location /shaarli/ {
            try_files $uri /shaarli/index.php$is_args$args;
            access_log  /var/log/nginx/shaarli.access.log;
            error_log   /var/log/nginx/shaarli.error.log;
        }

        location ~ (index)\.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_index  index.php;
            include        fastcgi.conf;
        }
    }
}
```

### Modular
The previous setup is sufficient for development purposes, but has several major caveats:

- every content that does not match the PHP rule will be sent to client browsers:
    - dotfiles - in our case, `.htaccess`
    - temporary files, e.g. Vim or Emacs files: `index.php~`
- asset / static resource caching is not optimized
- if serving several PHP sites, there will be a lot of duplication: `location /shaarli/`, `location /mysite/`, etc.

To solve this, we will split Nginx configuration in several parts, that will be included when needed:

```nginx
# /etc/nginx/deny.conf
location ~ /\. {
    # deny access to dotfiles
    access_log off;
    log_not_found off;
    deny all;
}

location ~ ~$ {
    # deny access to temp editor files, e.g. "script.php~"
    access_log off;
    log_not_found off;
    deny all;
}
```

```nginx
# /etc/nginx/php.conf
location ~ (index)\.php$ {
    # Slim - split URL path into (script_filename, path_info)
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;

    # filter and proxy PHP requests to PHP-FPM
    fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index  index.php;
    include        fastcgi.conf;
}

location ~ \.php$ {
    # deny access to all other PHP scripts
    deny all;
}
```

```nginx
# /etc/nginx/static_assets.conf
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
    expires    max;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
```

```nginx
# /etc/nginx/nginx.conf
[...]

http {
    [...]

    root        /home/john/web;
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    server {
        # virtual host for a first domain
        listen       80;
        server_name  my.first.domain.org;

        location /shaarli/ {
            # Slim - rewrite URLs
            try_files $uri /shaarli/index.php$is_args$args;

            access_log  /var/log/nginx/shaarli.access.log;
            error_log   /var/log/nginx/shaarli.error.log;
        }

        location = /shaarli/favicon.ico {
            # serve the Shaarli favicon from its custom location
            alias /var/www/shaarli/images/favicon.ico;
        }

        include deny.conf;
        include static_assets.conf;
        include php.conf;
    }

    server {
        # virtual host for a second domain
        listen       80;
        server_name  second.domain.com;

        location /minigal/ {
            access_log  /var/log/nginx/minigal.access.log;
            error_log   /var/log/nginx/minigal.error.log;
        }

        include deny.conf;
        include static_assets.conf;
        include php.conf;
    }
}
```

### Redirect HTTP to HTTPS
Assuming you have generated a (self-signed) key and certificate, and they are
located under `/home/john/ssl/localhost.{key,crt}`, it is pretty straightforward
to set an HTTP (:80) to HTTPS (:443) redirection to force SSL/TLS usage.

```nginx
# /etc/nginx/nginx.conf
[...]

http {
    [...]

    index index.html index.php;

    root        /home/john/web;
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    server {
        listen       80;
        server_name  localhost;

        return 301 https://localhost$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /home/john/ssl/localhost.crt;
        ssl_certificate_key  /home/john/ssl/localhost.key;

        location /shaarli/ {
            # Slim - rewrite URLs
            try_files $uri /index.php$is_args$args;

            access_log  /var/log/nginx/shaarli.access.log;
            error_log   /var/log/nginx/shaarli.error.log;
        }

        location = /shaarli/favicon.ico {
            # serve the Shaarli favicon from its custom location
            alias /var/www/shaarli/images/favicon.ico;
        }

        include deny.conf;
        include static_assets.conf;
        include php.conf;
    }
}
```

## Proxies

If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set:

- `X-Forwarded-Proto`
- `X-Forwarded-Host`
- `X-Forwarded-For`

See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.

## Robots and crawlers

Shaarli disallows indexing and crawling of your local documentation pages by search engines, using `<meta name="robots">` HTML tags.
Your Shaarli instance and other pages you host may still be indexed by various robots on the public Internet.
You may want to setup a robots.txt file or other crawler control mechanism on your server.
See [[1]](https://en.wikipedia.org/wiki/Robots_exclusion_standard), [[2]](https://support.google.com/webmasters/answer/6062608?hl=en) and [[3]](https://developers.google.com/search/reference/robots_meta_tag)

## See also

 * [Server security](Server-security.md)

#### Webservers

- [Apache/PHP - error log per VirtualHost](http://stackoverflow.com/q/176) (StackOverflow)
- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
- [Server-side TLS (Apache)](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) (Mozilla)
- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
- [Nginx PHP configuration examples](http://kbeezie.com/nginx-configuration-examples/) (Karl Blessing)
- [Server-side TLS (Nginx)](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) (Mozilla)
- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)

#### PHP

- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
- [PHP: Supported versions](http://php.net/supported-versions.php)
- [PHP: Unsupported versions](http://php.net/eol.php) _(EOL - End Of Life)_
- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
- [PHP: Bugs](https://bugs.php.net/)
Commit	Line	Data
992af0b9	1
bdfb967c	2	- [Prerequisites](#prerequisistes)
53ed6d7d	3	- [Apache](#apache)
53ed6d7d	4	- [Nginx](#nginx)
bdfb967c	5	- [Proxies](#proxies)
bdfb967c	6	- [See also](#see-also)
992af0b9 V	7
992af0b9 V	8	## Prerequisites
5409ade2	9	### Shaarli
992af0b9	10
bdfb967c	11	- A web server and PHP interpreter module/service have been installed.
	12	- You have write access to the Shaarli installation directory.
	13	- The correct read/write permissions have been granted to the web server user and group.
	14	- Your PHP interpreter is compatible with supported PHP versions:
43ad7c8e	15
bdfb967c	16	Version \| Status \| Shaarli compatibility
	17	:---:\|:---:\|:---:
	18	7.2 \| Supported \| Yes
	19	7.1 \| Supported \| Yes
	20	7.0 \| Supported \| Yes
7062ef4d	21	5.6 \| EOL: 2018-12-31 \| Yes (up to Shaarli 0.10.x)
bdfb967c	22	5.5 \| EOL: 2016-07-10 \| Yes
	23	5.4 \| EOL: 2015-09-14 \| Yes (up to Shaarli 0.8.x)
	24	5.3 \| EOL: 2014-08-14 \| Yes (up to Shaarli 0.8.x)
5409ade2	25
bdfb967c	26	- The following PHP extensions are installed on the server:
43ad7c8e	27
bdfb967c	28	Extension \| Required? \| Usage
	29	---\|:---:\|---
	30	[`openssl`](http://php.net/manual/en/book.openssl.php) \| All \| OpenSSL, HTTPS
	31	[`php-mbstring`](http://php.net/manual/en/book.mbstring.php) \| CentOS, Fedora, RHEL, Windows, some hosting providers \| multibyte (Unicode) string support
787faa42	32	[`php-gd`](http://php.net/manual/en/book.image.php) \| optional \| required to use thumbnails
bdfb967c	33	[`php-intl`](http://php.net/manual/en/book.intl.php) \| optional \| localized text sorting (e.g. `e->è->f`)
	34	[`php-curl`](http://php.net/manual/en/book.curl.php) \| optional \| using cURL for fetching webpages and thumbnails in a more robust way
	35	[`php-gettext`](http://php.net/manual/en/book.gettext.php) \| optional \| Use the translation system in gettext mode (faster)
5409ade2	36
bdfb967c	37	--------------------------------------------------------------------------------
992af0b9	38
bdfb967c	39	### SSL/TLS configuration
992af0b9	40
bdfb967c	41	To setup HTTPS / SSL on your webserver (recommended), you must generate a public/private key pair and a certificate, and install, configure and activate the appropriate webserver SSL extension.
43ad7c8e	42
bdfb967c	43	#### Let's Encrypt
992af0b9	44
bdfb967c	45	[Let's Encrypt](https://en.wikipedia.org/wiki/Let%27s_Encrypt) is a certificate authority that provides free TLS/X.509 certificates via an automated process.
992af0b9	46
bdfb967c	47	* Install `certbot` using the appropriate method described on https://certbot.eff.org/.
	48
	49	Location of the `certbot` program and template configuration files may vary depending on which installation method was used. Change the file paths below accordingly. Here is an easy way to create a signed certificate using `certbot`, it assumes `certbot` was installed through APT on a Debian-based distribution:
992af0b9	50
bdfb967c	51	* Stop the apache2/nginx service.
	52	* Run `certbot --agree-tos --standalone --preferred-challenges tls-sni --email "youremail@example.com" --domain yourdomain.example.com`
	53	* For the Apache webserver, copy `/usr/lib/python2.7/dist-packages/certbot_apache/options-ssl-apache.conf` to `/etc/letsencrypt/options-ssl-apache.conf` (paths may vary depending on installation method)
	54	* For Nginx: TODO
	55	* Setup your webserver as described below
	56	* Restart the apache2/nginx service.
	57
	58	#### Self-signed certificates
	59
	60	If you don't want to request a certificate from Let's Encrypt, or are unable to (for example, webserver on a LAN, or domain name not registered in the public DNS system), you can generate a self-signed certificate. This certificate will trigger security warnings in web browsers, unless you add it to the browser's SSL store manually.
	61
	62	* Apache: run `make-ssl-cert generate-default-snakeoil --force-overwrite`
	63	* Nginx: TODO
	64
	65	--------------------------------------------------------------------------------
	66
	67	## Apache
	68
	69	Here is a basic configuration example for the Apache web server with `mod_php`.
	70
	71	In `/etc/apache2/sites-available/shaarli.conf`:
992af0b9	72
992af0b9	73	```apache
bdfb967c	74	<VirtualHost *:443>
992af0b9 V	75	ServerName shaarli.my-domain.org
	76	DocumentRoot /absolute/path/to/shaarli/
	77
bdfb967c	78	# Logging
bdfb967c	79	# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
992af0b9 V	80	LogLevel warn
	81	ErrorLog /var/log/apache2/shaarli-error.log
	82	CustomLog /var/log/apache2/shaarli-access.log combined
992af0b9	83
bdfb967c	84	# Let's Encrypt SSL configuration (recommended)
	85	SSLEngine on
	86	SSLCertificateFile /etc/letsencrypt/live/yourdomain.example.com/fullchain.pem
	87	SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.example.com/privkey.pem
	88	Include /etc/letsencrypt/options-ssl-apache.conf
992af0b9	89
bdfb967c	90	# Self-signed SSL cert configuration
	91	#SSLEngine on
	92	#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	93	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
992af0b9	94
bdfb967c	95	# Optional, log PHP errors, useful for debugging
	96	#php_flag log_errors on
	97	#php_flag display_errors on
	98	#php_value error_reporting 2147483647
	99	#php_value error_log /var/log/apache2/shaarli-php-error.log
992af0b9 V	100
992af0b9 V	101	<Directory /absolute/path/to/shaarli/>
bdfb967c	102	#Required for .htaccess support
992af0b9	103	AllowOverride All
992af0b9	104	Order allow,deny
bdfb967c	105	Allow from all
992af0b9	106
bdfb967c	107	Options Indexes FollowSymLinks MultiViews #TODO is Indexes/Multiviews required?
	108
	109	# Optional - required for playvideos plugin
	110	#Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com 'unsafe-eval'"
	111	</Directory>
992af0b9	112
992af0b9 V	113	</VirtualHost>
	114	```
	115
bdfb967c	116	Enable this configuration with `sudo a2ensite shaarli`
3cc8c898	117
bdfb967c	118	_Note: If you use Apache 2.2 or lower, you need [mod_version](https://httpd.apache.org/docs/current/mod/mod_version.html) to be installed and enabled._
3cc8c898	119
bdfb967c	120	_Note: Apache module `mod_rewrite` must be enabled to use the REST API._
3cc8c898	121
992af0b9 V	122
992af0b9 V	123	## Nginx
43ad7c8e	124
bdfb967c	125	Here is a basic configuration example for the Nginx web server, using the [php-fpm](http://php-fpm.org) PHP FastCGI Process Manager, and Nginx's [FastCGI](https://en.wikipedia.org/wiki/FastCGI) module.
992af0b9	126
bdfb967c	127	<!--- TODO refactor everything below this point --->
992af0b9 V	128
	129	### Common setup
	130	Once Nginx and PHP-FPM are installed, we need to ensure:
43ad7c8e	131
992af0b9 V	132	- Nginx and PHP-FPM are running using the _same user and group_
	133	- both these user and group have
	134	- `read` permissions for Shaarli resources
	135	- `execute` permissions for Shaarli directories _AND_ their parent directories
	136
	137	On a production server:
43ad7c8e	138
992af0b9 V	139	- `user:group` will likely be `http:http`, `www:www` or `www-data:www-data`
	140	- files will be located under `/var/www`, `/var/http` or `/usr/share/nginx`
	141
	142	On a development server:
43ad7c8e	143
992af0b9 V	144	- files may be located in a user's home directory
	145	- in this case, make sure both Nginx and PHP-FPM are running as the local user/group!
	146
3cc8c898	147	For all following configuration examples, this user/group pair will be used:
43ad7c8e	148
992af0b9 V	149	- `user:group = john:users`,
	150
	151	which corresponds to the following service configuration:
	152
	153	```ini
	154	; /etc/php/php-fpm.conf
	155	user = john
	156	group = users
	157
53ed6d7d	158	[...]
992af0b9 V	159	listen.owner = john
	160	listen.group = users
	161	```
	162
	163	```nginx
	164	# /etc/nginx/nginx.conf
	165	user john users;
	166
	167	http {
53ed6d7d	168	[...]
992af0b9 V	169	}
	170	```
	171
3cc8c898 A	172	### (Optional) Increase the maximum file upload size
	173	Some bookmark dumps generated by web browsers can be _huge_ due to the presence of Base64-encoded images and favicons, as well as extra verbosity when nesting links in (sub-)folders.
	174
	175	To increase upload size, you will need to modify both nginx and PHP configuration:
	176
	177	```nginx
	178	# /etc/nginx/nginx.conf
	179
	180	http {
53ed6d7d	181	[...]
3cc8c898 A	182
	183	client_max_body_size 10m;
	184
53ed6d7d	185	[...]
3cc8c898 A	186	}
	187	```
	188
	189	```ini
	190	# /etc/php5/fpm/php.ini
	191
53ed6d7d	192	[...]
3cc8c898	193	post_max_size = 10M
53ed6d7d	194	[...]
3cc8c898 A	195	upload_max_filesize = 10M
	196	```
	197
992af0b9 V	198	### Minimal
	199	_WARNING: Use for development only!_
	200
	201	```nginx
	202	user john users;
	203	worker_processes 1;
	204	events {
	205	worker_connections 1024;
	206	}
	207
	208	http {
	209	include mime.types;
	210	default_type application/octet-stream;
	211	keepalive_timeout 20;
	212
	213	index index.html index.php;
	214
	215	server {
	216	listen 80;
	217	server_name localhost;
	218	root /home/john/web;
	219
	220	access_log /var/log/nginx/access.log;
	221	error_log /var/log/nginx/error.log;
	222
	223	location /shaarli/ {
b230bf20	224	try_files $uri /shaarli/index.php$is_args$args;
992af0b9 V	225	access_log /var/log/nginx/shaarli.access.log;
	226	error_log /var/log/nginx/shaarli.error.log;
	227	}
	228
	229	location ~ (index)\.php$ {
b230bf20 A	230	try_files $uri =404;
b230bf20 A	231	fastcgi_split_path_info ^(.+\.php)(/.+)$;
992af0b9 V	232	fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
	233	fastcgi_index index.php;
	234	include fastcgi.conf;
	235	}
	236	}
	237	}
	238	```
	239
	240	### Modular
	241	The previous setup is sufficient for development purposes, but has several major caveats:
43ad7c8e	242
992af0b9 V	243	- every content that does not match the PHP rule will be sent to client browsers:
	244	- dotfiles - in our case, `.htaccess`
	245	- temporary files, e.g. Vim or Emacs files: `index.php~`
	246	- asset / static resource caching is not optimized
	247	- if serving several PHP sites, there will be a lot of duplication: `location /shaarli/`, `location /mysite/`, etc.
	248
	249	To solve this, we will split Nginx configuration in several parts, that will be included when needed:
	250
	251	```nginx
	252	# /etc/nginx/deny.conf
	253	location ~ /\. {
	254	# deny access to dotfiles
	255	access_log off;
	256	log_not_found off;
	257	deny all;
	258	}
	259
	260	location ~ ~$ {
	261	# deny access to temp editor files, e.g. "script.php~"
	262	access_log off;
	263	log_not_found off;
	264	deny all;
	265	}
	266	```
	267
	268	```nginx
	269	# /etc/nginx/php.conf
	270	location ~ (index)\.php$ {
b230bf20 A	271	# Slim - split URL path into (script_filename, path_info)
	272	try_files $uri =404;
	273	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	274
f8b936e7	275	# filter and proxy PHP requests to PHP-FPM
992af0b9 V	276	fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
	277	fastcgi_index index.php;
	278	include fastcgi.conf;
	279	}
f8b936e7 V	280
	281	location ~ \.php$ {
	282	# deny access to all other PHP scripts
	283	deny all;
	284	}
992af0b9 V	285	```
	286
	287	```nginx
	288	# /etc/nginx/static_assets.conf
	289	location ~* \.(?:ico\|css\|js\|gif\|jpe?g\|png)$ {
	290	expires max;
	291	add_header Pragma public;
	292	add_header Cache-Control "public, must-revalidate, proxy-revalidate";
	293	}
	294	```
	295
	296	```nginx
	297	# /etc/nginx/nginx.conf
53ed6d7d	298	[...]
992af0b9 V	299
992af0b9 V	300	http {
53ed6d7d	301	[...]
992af0b9 V	302
	303	root /home/john/web;
	304	access_log /var/log/nginx/access.log;
	305	error_log /var/log/nginx/error.log;
	306
	307	server {
	308	# virtual host for a first domain
	309	listen 80;
	310	server_name my.first.domain.org;
	311
	312	location /shaarli/ {
b230bf20 A	313	# Slim - rewrite URLs
	314	try_files $uri /shaarli/index.php$is_args$args;
	315
992af0b9 V	316	access_log /var/log/nginx/shaarli.access.log;
	317	error_log /var/log/nginx/shaarli.error.log;
	318	}
	319
3cc8c898 A	320	location = /shaarli/favicon.ico {
	321	# serve the Shaarli favicon from its custom location
	322	alias /var/www/shaarli/images/favicon.ico;
	323	}
	324
992af0b9 V	325	include deny.conf;
	326	include static_assets.conf;
	327	include php.conf;
	328	}
	329
	330	server {
	331	# virtual host for a second domain
	332	listen 80;
	333	server_name second.domain.com;
	334
	335	location /minigal/ {
	336	access_log /var/log/nginx/minigal.access.log;
	337	error_log /var/log/nginx/minigal.error.log;
	338	}
	339
	340	include deny.conf;
	341	include static_assets.conf;
	342	include php.conf;
	343	}
	344	}
	345	```
	346
	347	### Redirect HTTP to HTTPS
43ad7c8e V	348	Assuming you have generated a (self-signed) key and certificate, and they are
	349	located under `/home/john/ssl/localhost.{key,crt}`, it is pretty straightforward
	350	to set an HTTP (:80) to HTTPS (:443) redirection to force SSL/TLS usage.
992af0b9 V	351
	352	```nginx
	353	# /etc/nginx/nginx.conf
53ed6d7d	354	[...]
992af0b9 V	355
992af0b9 V	356	http {
53ed6d7d	357	[...]
992af0b9 V	358
	359	index index.html index.php;
	360
	361	root /home/john/web;
	362	access_log /var/log/nginx/access.log;
	363	error_log /var/log/nginx/error.log;
	364
	365	server {
	366	listen 80;
	367	server_name localhost;
	368
	369	return 301 https://localhost$request_uri;
	370	}
	371
	372	server {
	373	listen 443 ssl;
	374	server_name localhost;
	375
	376	ssl_certificate /home/john/ssl/localhost.crt;
	377	ssl_certificate_key /home/john/ssl/localhost.key;
	378
	379	location /shaarli/ {
b230bf20 A	380	# Slim - rewrite URLs
	381	try_files $uri /index.php$is_args$args;
	382
992af0b9 V	383	access_log /var/log/nginx/shaarli.access.log;
	384	error_log /var/log/nginx/shaarli.error.log;
	385	}
	386
3cc8c898 A	387	location = /shaarli/favicon.ico {
	388	# serve the Shaarli favicon from its custom location
	389	alias /var/www/shaarli/images/favicon.ico;
	390	}
	391
992af0b9 V	392	include deny.conf;
	393	include static_assets.conf;
	394	include php.conf;
	395	}
	396	}
	397	```
bdfb967c	398
bdfb967c	399	## Proxies
6c44d604	400
bdfb967c	401	If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set:
	402
	403	- `X-Forwarded-Proto`
	404	- `X-Forwarded-Host`
	405	- `X-Forwarded-For`
	406
	407	See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
	408
6c44d604	409	## Robots and crawlers
	410
	411	Shaarli disallows indexing and crawling of your local documentation pages by search engines, using `<meta name="robots">` HTML tags.
	412	Your Shaarli instance and other pages you host may still be indexed by various robots on the public Internet.
	413	You may want to setup a robots.txt file or other crawler control mechanism on your server.
	414	See [[1]](https://en.wikipedia.org/wiki/Robots_exclusion_standard), [[2]](https://support.google.com/webmasters/answer/6062608?hl=en) and [[3]](https://developers.google.com/search/reference/robots_meta_tag)
bdfb967c	415
	416	## See also
	417
	418	* [Server security](Server-security.md)
	419
	420	#### Webservers
	421
	422	- [Apache/PHP - error log per VirtualHost](http://stackoverflow.com/q/176) (StackOverflow)
	423	- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
	424	- [Server-side TLS (Apache)](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) (Mozilla)
	425	- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
	426	- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
	427	- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
	428	- [Nginx PHP configuration examples](http://kbeezie.com/nginx-configuration-examples/) (Karl Blessing)
	429	- [Server-side TLS (Nginx)](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) (Mozilla)
	430	- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
	431	- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
	432
	433	#### PHP
	434
	435	- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
	436	- [PHP: Supported versions](http://php.net/supported-versions.php)
	437	- [PHP: Unsupported versions](http://php.net/eol.php) _(EOL - End Of Life)_
	438	- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
	439	- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
	440	- [PHP: Bugs](https://bugs.php.net/)