doc/md/Reverse-proxy.md

   1 # Reverse proxy
   2
   3 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
   4
   5 - The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
   6 - The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
   7 - Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
   8 - No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
   9
  10 In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
  11
  12 See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
  13
  14
  15 ## Apache
  16
  17 ```apache
  18 <VirtualHost *:80>
  19     ServerName shaarli.mydomain.org
  20     # Redirect HTTP to HTTPS
  21     Redirect permanent / https://shaarli.mydomain.org
  22 </VirtualHost>
  23
  24 <VirtualHost *:443>
  25     ServerName shaarli.mydomain.org
  26
  27     SSLEngine on
  28     SSLCertificateFile    /path/to/certificate
  29     SSLCertificateKeyFile /path/to/private/key
  30
  31     LogLevel warn
  32     ErrorLog  /var/log/apache2/error.log
  33     CustomLog /var/log/apache2/access.log combined
  34
  35     # let the proxied shaarli server/container know HTTPS URLs should be served
  36     RequestHeader set X-Forwarded-Proto "https"
  37
  38     # send the original SERVER_NAME to the proxied host
  39     ProxyPreserveHost On
  40
  41     # pass requests to the proxied host
  42     # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
  43     ProxyPass        / http://127.0.0.1:10080/
  44     ProxyPassReverse / http://127.0.0.1:10080/
  45 </VirtualHost>
  46 ```
  47
  48
  49 ## HAProxy
  50
  51
  52 ```conf
  53 global
  54     [...]
  55
  56 defaults
  57     [...]
  58
  59 frontend http-in
  60     bind :80
  61     redirect scheme https code 301 if !{ ssl_fc }
  62     bind :443 ssl crt /path/to/cert.pem
  63     default_backend shaarli
  64
  65 backend shaarli
  66     mode http
  67     option http-server-close
  68     option forwardfor
  69     reqadd X-Forwarded-Proto: https
  70     server shaarli1 127.0.0.1:10080
  71 ```
  72
  73
  74 ## Nginx
  75
  76
  77 ```nginx
  78 http {
  79     [...]
  80
  81     index index.html index.php;
  82
  83     root        /home/john/web;
  84     access_log  /var/log/nginx/access.log combined;
  85     error_log   /var/log/nginx/error.log;
  86
  87     server {
  88         listen       80;
  89         server_name  shaarli.mydomain.org;
  90         # redirect HTTP to HTTPS
  91         return       301 https://shaarli.mydomain.org$request_uri;
  92     }
  93
  94     server {
  95         listen       443 ssl http2;
  96         server_name  shaarli.mydomain.org;
  97
  98         ssl_certificate       /path/to/certificate
  99         ssl_certificate_key   /path/to/private/key
 100
 101         location / {
 102             proxy_set_header  X-Real-IP         $remote_addr;
 103             proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
 104             proxy_set_header  X-Forwarded-Proto $scheme;
 105             proxy_set_header  X-Forwarded-Host  $host;
 106
 107             # pass requests to the proxied host
 108             proxy_pass             http://localhost:10080/;
 109             proxy_set_header Host  $host;
 110             proxy_connect_timeout  30s;
 111             proxy_read_timeout     120s;
 112         }
 113     }
 114 }
 115 ```
 116