]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/Server-configuration.html
projects / github / shaarli / Shaarli.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bump version to v0.8.1
[github/shaarli/Shaarli.git] / doc / Server-configuration.html
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta charset="utf-8">
5 <meta name="generator" content="pandoc">
6 <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
7 <title>Shaarli – Server configuration</title>
8 <style type="text/css">code{white-space: pre;}</style>
9 <style type="text/css">
10 div.sourceCode { overflow-x: auto; }
11 table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
12 margin: 0; padding: 0; vertical-align: baseline; border: none; }
13 table.sourceCode { width: 100%; line-height: 100%; }
14 td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
15 td.sourceCode { padding-left: 5px; }
16 code > span.kw { color: #007020; font-weight: bold; } /* Keyword */
17 code > span.dt { color: #902000; } /* DataType */
18 code > span.dv { color: #40a070; } /* DecVal */
19 code > span.bn { color: #40a070; } /* BaseN */
20 code > span.fl { color: #40a070; } /* Float */
21 code > span.ch { color: #4070a0; } /* Char */
22 code > span.st { color: #4070a0; } /* String */
23 code > span.co { color: #60a0b0; font-style: italic; } /* Comment */
24 code > span.ot { color: #007020; } /* Other */
25 code > span.al { color: #ff0000; font-weight: bold; } /* Alert */
26 code > span.fu { color: #06287e; } /* Function */
27 code > span.er { color: #ff0000; font-weight: bold; } /* Error */
28 code > span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
29 code > span.cn { color: #880000; } /* Constant */
30 code > span.sc { color: #4070a0; } /* SpecialChar */
31 code > span.vs { color: #4070a0; } /* VerbatimString */
32 code > span.ss { color: #bb6688; } /* SpecialString */
33 code > span.im { } /* Import */
34 code > span.va { color: #19177c; } /* Variable */
35 code > span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
36 code > span.op { color: #666666; } /* Operator */
37 code > span.bu { } /* BuiltIn */
38 code > span.ex { } /* Extension */
39 code > span.pp { color: #bc7a00; } /* Preprocessor */
40 code > span.at { color: #7d9029; } /* Attribute */
41 code > span.do { color: #ba2121; font-style: italic; } /* Documentation */
42 code > span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
43 code > span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
44 code > span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
45 </style>
46 <link rel="stylesheet" href="github-markdown.css">
47 <!--[if lt IE 9]>
48 <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
49 <![endif]-->
50 </head>
51 <body>
52 <div id="local-sidebar">
53 <ul>
54 <li><a href="Home.html">Home</a></li>
55 <li>Setup
56 <ul>
57 <li><a href="Download-and-Installation.html">Download and Installation</a></li>
58 <li><a href="Upgrade-and-migration.html">Upgrade and migration</a></li>
59 <li><a href="Server-requirements.html">Server requirements</a></li>
60 <li><a href="Server-configuration.html">Server configuration</a></li>
61 <li><a href="Server-security.html">Server security</a></li>
62 <li><a href="Shaarli-configuration.html">Shaarli configuration</a></li>
63 <li><a href="Plugins.html">Plugins</a></li>
64 </ul></li>
65 <li><a href="Docker.html">Docker</a></li>
66 <li><a href="Usage.html">Usage</a>
67 <ul>
68 <li><a href="Sharing-button.html">Sharing button</a> (bookmarklet)</li>
69 <li><a href="Browsing-and-Searching.html">Browsing and Searching</a></li>
70 <li><a href="Firefox-share.html">Firefox share</a></li>
71 <li><a href="RSS-feeds.html">RSS feeds</a></li>
72 </ul></li>
73 <li>How To
74 <ul>
75 <li><a href="Backup,-restore,-import-and-export.html">Backup, restore, import and export</a></li>
76 <li><a href="Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally</a></li>
77 <li><a href="Create-and-serve-multiple-Shaarlis-(farm).html">Create and serve multiple Shaarlis (farm)</a></li>
78 <li><a href="Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list</a></li>
79 <li><a href="Datastore-hacks.html">Datastore hacks</a></li>
80 </ul></li>
81 <li><a href="Troubleshooting.html">Troubleshooting</a></li>
82 <li><a href="Development.html">Development</a>
83 <ul>
84 <li><a href="GnuPG-signature.html">GnuPG signature</a></li>
85 <li><a href="Coding-guidelines.html">Coding guidelines</a></li>
86 <li><a href="Directory-structure.html">Directory structure</a></li>
87 <li><a href="3rd-party-libraries.html">3rd party libraries</a></li>
88 <li><a href="Plugin-System.html">Plugin System</a></li>
89 <li><a href="Release-Shaarli.html">Release Shaarli</a></li>
90 <li><a href="Security.html">Security</a></li>
91 <li><a href="Static-analysis.html">Static analysis</a></li>
92 <li><a href="Theming.html">Theming</a></li>
93 <li><a href="Unit-tests.html">Unit tests</a></li>
94 </ul></li>
95 <li>About
96 <ul>
97 <li><a href="FAQ.html">FAQ</a></li>
98 <li><a href="Community-&amp;-Related-software.html">Community &amp; Related software</a></li>
99 </ul></li>
100 </ul>
101 </div>
102 <h1 id="server-configuration">Server configuration</h1>
103 <p><em>Example virtual host configurations for popular web servers</em></p>
104 <ul>
105 <li><a href="#apache">Apache</a><a href=".html"></a></li>
106 <li><a href="#nginx">Nginx</a><a href=".html"></a></li>
107 </ul>
108 <h2 id="prerequisites">Prerequisites</h2>
109 <h3 id="shaarli">Shaarli</h3>
110 <ul>
111 <li>Shaarli is installed in a directory readable/writeable by the user</li>
112 <li>the correct read/write permissions have been granted to the web server <em>user and/or group</em></li>
113 <li>for HTTPS / SSL:</li>
114 <li>a key pair (public, private) and a certificate have been generated</li>
115 <li>the appropriate server SSL extension is installed and active</li>
116 </ul>
117 <h3 id="https-tls-and-self-signed-certificates">HTTPS, TLS and self-signed certificates</h3>
118 <p>Related guides:</p>
119 <ul>
120 <li><a href="http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php">How to Create Self-Signed SSL Certificates with OpenSSL</a><a href=".html"></a></li>
121 <li><a href="https://workaround.org/certificate-authority">How do I create my own Certificate Authority?</a><a href=".html"></a></li>
122 <li>Generate a self-signed certificate (will trigger browser warnings) with apache2: <code>make-ssl-cert generate-default-snakeoil --force-overwrite</code> will create <code>/etc/ssl/certs/ssl-cert-snakeoil.pem</code> and <code>/etc/ssl/private/ssl-cert-snakeoil.key</code></li>
123 </ul>
124 <h3 id="proxies">Proxies</h3>
125 <p>If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set:</p>
126 <ul>
127 <li><code>X-Forwarded-Proto</code>;</li>
128 <li><code>X-Forwarded-Host</code>;</li>
129 <li><code>X-Forwarded-For</code>.</li>
130 </ul>
131 <p>See also <a href="https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&amp;q=label%3Aproxy+">proxy-related</a> issues.<a href=".html"></a></p>
132 <h2 id="apache">Apache</h2>
133 <h3 id="minimal">Minimal</h3>
134 <div class="sourceCode"><pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="at"> *:80</span><span class="fu">&gt;</span>
135 ServerName<span class="st"> shaarli.my-domain.org</span>
136 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
137 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre></div>
138 <h3 id="debug---log-all-the-things">Debug - Log all the things!</h3>
139 <p>This configuration will log both Apache and PHP errors, which may prove useful to identify server configuration errors.</p>
140 <p>See:</p>
141 <ul>
142 <li><a href="http://stackoverflow.com/q/176">Apache/PHP - error log per VirtualHost</a> (StackOverflow)<a href=".html"></a></li>
143 <li><a href="https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/">PHP: php_value vs php_admin_value and the use of php_flag explained</a><a href=".html"></a></li>
144 </ul>
145 <div class="sourceCode"><pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="at"> *:80</span><span class="fu">&gt;</span>
146 ServerName<span class="st"> shaarli.my-domain.org</span>
147 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
148
149 <span class="ex">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
150 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
151 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
152
153 php_flag log_errors on
154 php_flag display_errors on
155 php_value error_reporting 2147483647
156 php_value error_log /var/log/apache2/shaarli-php-error.log
157 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre></div>
158 <h3 id="standard---keep-access-and-error-logs">Standard - Keep access and error logs</h3>
159 <div class="sourceCode"><pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="at"> *:80</span><span class="fu">&gt;</span>
160 ServerName<span class="st"> shaarli.my-domain.org</span>
161 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
162
163 <span class="ex">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
164 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
165 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
166 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre></div>
167 <h3 id="paranoid---redirect-http-80-to-https-443">Paranoid - Redirect HTTP (:80) to HTTPS (:443)</h3>
168 <p>See <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache">Server-side TLS</a> (Mozilla).<a href=".html"></a></p>
169 <div class="sourceCode"><pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="at"> *:443</span><span class="fu">&gt;</span>
170 ServerName<span class="st"> shaarli.my-domain.org</span>
171 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
172
173 <span class="ex">SSLEngine</span><span class="ch"> </span><span class="kw">on</span>
174 SSLCertificateFile<span class="st"> /absolute/path/to/the/website/certificate.pem</span>
175 SSLCertificateKeyFile<span class="st"> /absolute/path/to/the/website/key.key</span>
176
177 <span class="fu">&lt;Directory</span><span class="at"> /absolute/path/to/shaarli/</span><span class="fu">&gt;</span>
178 <span class="ex">AllowOverride</span><span class="ch"> </span><span class="kw">All</span>
179 <span class="ex">Options</span><span class="ch"> </span><span class="kw">Indexes</span><span class="ch"> </span><span class="kw">FollowSymLinks</span><span class="ch"> </span><span class="kw">MultiViews</span>
180 <span class="ex">Order</span><span class="ch"> </span><span class="kw">allow,deny</span>
181 allow<span class="st"> from all</span>
182 <span class="fu">&lt;/Directory&gt;</span>
183
184 <span class="ex">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
185 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
186 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
187 <span class="fu">&lt;/VirtualHost&gt;</span>
188 <span class="fu">&lt;VirtualHost</span><span class="at"> *:80</span><span class="fu">&gt;</span>
189 ServerName<span class="st"> shaarli.my-domain.org</span>
190 Redirect<span class="st"> 301 / https://shaarli.my-domain.org</span>
191
192 <span class="ex">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
193 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
194 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
195 <span class="fu">&lt;/VirtualHost&gt;</span></code></pre></div>
196 <h3 id="htaccess">.htaccess</h3>
197 <p>Shaarli use <code>.htaccess</code> Apache files to deny access to files that shouldn't be directly accessed (datastore, config, etc.). You need the directive <code>AllowOverride All</code> in your virtual host configuration for them to work.</p>
198 <p><strong>Warning</strong>: If you use Apache 2.2 or lower, you need <a href="https://httpd.apache.org/docs/current/mod/mod_version.html">mod_version</a> to be installed and enabled.<a href=".html"></a></p>
199 <h2 id="lighthttpd">LightHttpd</h2>
200 <h2 id="nginx">Nginx</h2>
201 <h3 id="foreword">Foreword</h3>
202 <p>Nginx does not natively interpret PHP scripts; to this effect, we will run a <a href="https://en.wikipedia.org/wiki/FastCGI">FastCGI</a> service, to which Nginx's FastCGI module will proxy all requests to PHP resources.<a href=".html"></a></p>
203 <p>Required packages:</p>
204 <ul>
205 <li><a href="http://nginx.org">nginx</a><a href=".html"></a></li>
206 <li><a href="http://php-fpm.org">php-fpm</a> - PHP FastCGI Process Manager<a href=".html"></a></li>
207 </ul>
208 <p>Official documentation:</p>
209 <ul>
210 <li><a href="http://nginx.org/en/docs/beginners_guide.html">Beginner's guide</a><a href=".html"></a></li>
211 <li><a href="http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html">ngx_http_fastcgi_module</a><a href=".html"></a></li>
212 <li><a href="http://wiki.nginx.org/Pitfalls">Pitfalls</a><a href=".html"></a></li>
213 </ul>
214 <p>Community resources:</p>
215 <ul>
216 <li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx">Server-side TLS (Nginx)</a> (Mozilla)<a href=".html"></a></li>
217 <li><a href="http://kbeezie.com/nginx-configuration-examples/">PHP configuration examples</a> (Karl Blessing)<a href=".html"></a></li>
218 </ul>
219 <h3 id="common-setup">Common setup</h3>
220 <p>Once Nginx and PHP-FPM are installed, we need to ensure:</p>
221 <ul>
222 <li>Nginx and PHP-FPM are running using the <em>same user and group</em></li>
223 <li>both these user and group have
224 <ul>
225 <li><code>read</code> permissions for Shaarli resources</li>
226 <li><code>execute</code> permissions for Shaarli directories <em>AND</em> their parent directories</li>
227 </ul></li>
228 </ul>
229 <p>On a production server:</p>
230 <ul>
231 <li><code>user:group</code> will likely be <code>http:http</code>, <code>www:www</code> or <code>www-data:www-data</code></li>
232 <li>files will be located under <code>/var/www</code>, <code>/var/http</code> or <code>/usr/share/nginx</code></li>
233 </ul>
234 <p>On a development server:</p>
235 <ul>
236 <li>files may be located in a user's home directory</li>
237 <li>in this case, make sure both Nginx and PHP-FPM are running as the local user/group!</li>
238 </ul>
239 <p>For all following configuration examples, this user/group pair will be used:</p>
240 <ul>
241 <li><code>user:group = john:users</code>,</li>
242 </ul>
243 <p>which corresponds to the following service configuration:</p>
244 <div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="co">; /etc/php/php-fpm.conf</span>
245 <span class="dt">user </span><span class="ot">=</span><span class="st"> john</span>
246 <span class="dt">group </span><span class="ot">=</span><span class="st"> users</span>
247
248 <span class="kw">[...][]</span><span class="dt">(.html)</span>
249 <span class="dt">listen.owner </span><span class="ot">=</span><span class="st"> john</span>
250 <span class="dt">listen.group </span><span class="ot">=</span><span class="st"> users</span></code></pre></div>
251 <pre class="nginx"><code># /etc/nginx/nginx.conf
252 user john users;
253
254 http {
255 [...][](.html)
256 }</code></pre>
257 <h3 id="optional-increase-the-maximum-file-upload-size">(Optional) Increase the maximum file upload size</h3>
258 <p>Some bookmark dumps generated by web browsers can be <em>huge</em> due to the presence of Base64-encoded images and favicons, as well as extra verbosity when nesting links in (sub-)folders.</p>
259 <p>To increase upload size, you will need to modify both nginx and PHP configuration:</p>
260 <pre class="nginx"><code># /etc/nginx/nginx.conf
261
262 http {
263 [...][](.html)
264
265 client_max_body_size 10m;
266
267 [...][](.html)
268 }</code></pre>
269 <div class="sourceCode"><pre class="sourceCode ini"><code class="sourceCode ini"><span class="co"># /etc/php5/fpm/php.ini</span>
270
271 <span class="kw">[...][]</span><span class="dt">(.html)</span>
272 <span class="dt">post_max_size </span><span class="ot">=</span><span class="st"> 10M</span>
273 <span class="kw">[...][]</span><span class="dt">(.html)</span>
274 <span class="dt">upload_max_filesize </span><span class="ot">=</span><span class="st"> 10M</span></code></pre></div>
275 <h3 id="minimal-1">Minimal</h3>
276 <p><em>WARNING: Use for development only!</em></p>
277 <pre class="nginx"><code>user john users;
278 worker_processes 1;
279 events {
280 worker_connections 1024;
281 }
282
283 http {
284 include mime.types;
285 default_type application/octet-stream;
286 keepalive_timeout 20;
287
288 index index.html index.php;
289
290 server {
291 listen 80;
292 server_name localhost;
293 root /home/john/web;
294
295 access_log /var/log/nginx/access.log;
296 error_log /var/log/nginx/error.log;
297
298 location /shaarli/ {
299 access_log /var/log/nginx/shaarli.access.log;
300 error_log /var/log/nginx/shaarli.error.log;
301 }
302
303 location ~ (index)\.php$ {
304 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
305 fastcgi_index index.php;
306 include fastcgi.conf;
307 }
308 }
309 }</code></pre>
310 <h3 id="modular">Modular</h3>
311 <p>The previous setup is sufficient for development purposes, but has several major caveats:</p>
312 <ul>
313 <li>every content that does not match the PHP rule will be sent to client browsers:
314 <ul>
315 <li>dotfiles - in our case, <code>.htaccess</code></li>
316 <li>temporary files, e.g. Vim or Emacs files: <code>index.php~</code></li>
317 </ul></li>
318 <li>asset / static resource caching is not optimized</li>
319 <li>if serving several PHP sites, there will be a lot of duplication: <code>location /shaarli/</code>, <code>location /mysite/</code>, etc.</li>
320 </ul>
321 <p>To solve this, we will split Nginx configuration in several parts, that will be included when needed:</p>
322 <pre class="nginx"><code># /etc/nginx/deny.conf
323 location ~ /\. {
324 # deny access to dotfiles
325 access_log off;
326 log_not_found off;
327 deny all;
328 }
329
330 location ~ ~$ {
331 # deny access to temp editor files, e.g. &quot;script.php~&quot;
332 access_log off;
333 log_not_found off;
334 deny all;
335 }</code></pre>
336 <pre class="nginx"><code># /etc/nginx/php.conf
337 location ~ (index)\.php$ {
338 # filter and proxy PHP requests to PHP-FPM
339 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
340 fastcgi_index index.php;
341 include fastcgi.conf;
342 }
343
344 location ~ \.php$ {
345 # deny access to all other PHP scripts
346 deny all;
347 }</code></pre>
348 <pre class="nginx"><code># /etc/nginx/static_assets.conf
349 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
350 expires max;
351 add_header Pragma public;
352 add_header Cache-Control &quot;public, must-revalidate, proxy-revalidate&quot;;
353 }</code></pre>
354 <pre class="nginx"><code># /etc/nginx/nginx.conf
355 [...][](.html)
356
357 http {
358 [...][](.html)
359
360 root /home/john/web;
361 access_log /var/log/nginx/access.log;
362 error_log /var/log/nginx/error.log;
363
364 server {
365 # virtual host for a first domain
366 listen 80;
367 server_name my.first.domain.org;
368
369 location /shaarli/ {
370 access_log /var/log/nginx/shaarli.access.log;
371 error_log /var/log/nginx/shaarli.error.log;
372 }
373
374 location = /shaarli/favicon.ico {
375 # serve the Shaarli favicon from its custom location
376 alias /var/www/shaarli/images/favicon.ico;
377 }
378
379 include deny.conf;
380 include static_assets.conf;
381 include php.conf;
382 }
383
384 server {
385 # virtual host for a second domain
386 listen 80;
387 server_name second.domain.com;
388
389 location /minigal/ {
390 access_log /var/log/nginx/minigal.access.log;
391 error_log /var/log/nginx/minigal.error.log;
392 }
393
394 include deny.conf;
395 include static_assets.conf;
396 include php.conf;
397 }
398 }</code></pre>
399 <h3 id="redirect-http-to-https">Redirect HTTP to HTTPS</h3>
400 <p>Assuming you have generated a (self-signed) key and certificate, and they are located under <code>/home/john/ssl/localhost.{key,crt}</code>, it is pretty straightforward to set an HTTP (:80) to HTTPS (:443) redirection to force SSL/TLS usage.</p>
401 <pre class="nginx"><code># /etc/nginx/nginx.conf
402 [...][](.html)
403
404 http {
405 [...][](.html)
406
407 index index.html index.php;
408
409 root /home/john/web;
410 access_log /var/log/nginx/access.log;
411 error_log /var/log/nginx/error.log;
412
413 server {
414 listen 80;
415 server_name localhost;
416
417 return 301 https://localhost$request_uri;
418 }
419
420 server {
421 listen 443 ssl;
422 server_name localhost;
423
424 ssl_certificate /home/john/ssl/localhost.crt;
425 ssl_certificate_key /home/john/ssl/localhost.key;
426
427 location /shaarli/ {
428 access_log /var/log/nginx/shaarli.access.log;
429 error_log /var/log/nginx/shaarli.error.log;
430 }
431
432 location = /shaarli/favicon.ico {
433 # serve the Shaarli favicon from its custom location
434 alias /var/www/shaarli/images/favicon.ico;
435 }
436
437 include deny.conf;
438 include static_assets.conf;
439 include php.conf;
440 }
441 }</code></pre>
442 </body>
443 </html>
The personal, minimalist, super-fast, database free, bookmarking service - community repo