doc/md/Reverse-proxy.md

   1 # Reverse proxy
   2
   3 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
   4
   5 - The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
   6 - The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
   7 - Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
   8 - No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
   9
  10 In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
  11
  12 See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
  13
  14
  15 ## Apache
  16
  17 ```apache
  18 <VirtualHost *:80>
  19     ServerName shaarli.mydomain.org
  20     DocumentRoot /var/www/shaarli.mydomain.org/
  21
  22     # For SSL/TLS certificates acquired with certbot or self-signed certificates
  23     # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
  24     RewriteEngine on
  25     RewriteRule ^.well-known/acme-challenge/ - [L]
  26     RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
  27     RewriteRule  ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
  28 </VirtualHost>
  29
  30 # SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
  31 #MDomain shaarli.mydomain.org
  32 #MDCertificateAgreement accepted
  33 #MDContactEmail admin@shaarli.mydomain.org
  34 #MDPrivateKeys RSA 4096
  35
  36 <VirtualHost *:443>
  37     ServerName shaarli.mydomain.org
  38
  39     # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
  40     SSLEngine             on
  41     SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
  42     SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
  43     # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
  44     SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  45     SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  46     SSLHonorCipherOrder     off
  47     SSLSessionTickets       off
  48     SSLOptions +StrictRequire
  49
  50     # SSL/TLS configuration for self-signed certificates
  51     #SSLEngine             on
  52     #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
  53     #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  54
  55     # let the proxied shaarli server/container know HTTPS URLs should be served
  56     RequestHeader set X-Forwarded-Proto "https"
  57
  58     # send the original SERVER_NAME to the proxied host
  59     ProxyPreserveHost On
  60
  61     # pass requests to the proxied host
  62     # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
  63     ProxyPass        / http://127.0.0.1:10080/
  64     ProxyPassReverse / http://127.0.0.1:10080/
  65 </VirtualHost>
  66 ```
  67
  68
  69 ## HAProxy
  70
  71
  72 ```conf
  73 global
  74     [...]
  75
  76 defaults
  77     [...]
  78
  79 frontend http-in
  80     bind :80
  81     redirect scheme https code 301 if !{ ssl_fc }
  82     bind :443 ssl crt /path/to/cert.pem
  83     default_backend shaarli
  84
  85 backend shaarli
  86     mode http
  87     option http-server-close
  88     option forwardfor
  89     reqadd X-Forwarded-Proto: https
  90     server shaarli1 127.0.0.1:10080
  91 ```
  92
  93 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
  94
  95 ## Nginx
  96
  97
  98 ```nginx
  99 http {
 100     [...]
 101
 102     index index.html index.php;
 103
 104     root        /home/john/web;
 105     access_log  /var/log/nginx/access.log combined;
 106     error_log   /var/log/nginx/error.log;
 107
 108     server {
 109         listen       80;
 110         server_name  shaarli.mydomain.org;
 111         # redirect HTTP to HTTPS
 112         return       301 https://shaarli.mydomain.org$request_uri;
 113     }
 114
 115     server {
 116         listen       443 ssl http2;
 117         server_name  shaarli.mydomain.org;
 118
 119         ssl_certificate       /path/to/certificate
 120         ssl_certificate_key   /path/to/private/key
 121
 122         location / {
 123             proxy_set_header  X-Real-IP         $remote_addr;
 124             proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
 125             proxy_set_header  X-Forwarded-Proto $scheme;
 126             proxy_set_header  X-Forwarded-Host  $host;
 127
 128             # pass requests to the proxied host
 129             proxy_pass             http://localhost:10080/;
 130             proxy_set_header Host  $host;
 131             proxy_connect_timeout  30s;
 132             proxy_read_timeout     120s;
 133         }
 134     }
 135 }
 136 ```
 137
 138 ## References
 139
 140 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
 141 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
 142 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)