]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/md/Server-configuration.md
projects / github / shaarli / Shaarli.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
doc: server configuration: formatting/add comment
[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md
1 # Server configuration
2
3
4
5 ## Requirements
6
7 ### Operating system and web server
8
9 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
10
11 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
12
13 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
14
15 ### Network and domain name
16
17 Try to host the server in a region that is geographically close to your users.
18
19 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
20
21 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
22
23 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
24
25 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
26
27
28 ### PHP
29
30 Supported PHP versions:
31
32 Version | Status | Shaarli compatibility
33 :---:|:---:|:---:
34 7.3 | Supported | Yes
35 7.2 | Supported | Yes
36 7.1 | Supported | Yes
37 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
38 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
39 5.5 | EOL: 2016-07-10 | Yes
40 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
41 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
42
43 Required PHP extensions:
44
45 Extension | Required? | Usage
46 ---|:---:|---
47 [`openssl`](http://php.net/manual/en/book.openssl.php) | requires | OpenSSL, HTTPS
48 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
49 [`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
50 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
51 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
52 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
53 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
54 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
55
56 Some [plugins](Plugins.md) may require additional configuration.
57
58
59 ## SSL/TLS (HTTPS)
60
61 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
62
63 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
64
65 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
66 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
67 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
68
69 In short:
70
71 ```bash
72 # install certbot
73 sudo apt install certbot
74
75 # stop your webserver if you already have one running
76 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
77 sudo systemctl stop apache2
78 sudo systemctl stop nginx
79
80 # generate initial certificates
81 # Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
82 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
83 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
84
85 # restart the web server
86 sudo systemctl start apache2
87 sudo systemctl start nginx
88 ```
89
90 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
91
92 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
93 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
94
95 --------------------------------------------------------------------------------
96
97 ## Examples
98
99 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
100
101 ```bash
102 # create the document root
103 sudo mkdir -p /var/www/shaarli.mydomain.org/
104 ```
105
106 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
107
108
109 ### Apache
110
111 ```bash
112 # Install apache + mod_php and PHP modules
113 sudo apt update
114 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
115
116 # Edit the virtualhost configuration file with your favorite editor
117 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
118 ```
119
120 ```apache
121 <VirtualHost *:80>
122 ServerName shaarli.mydomain.org
123 DocumentRoot /var/www/shaarli.mydomain.org/
124
125 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
126 LogLevel warn
127 # Log file locations
128 ErrorLog /var/log/apache2/error.log
129 CustomLog /var/log/apache2/access.log combined
130
131 # Redirect HTTP requests to HTTPS
132 RewriteEngine on
133 RewriteRule ^.well-known/acme-challenge/ - [L]
134 # except for Let's Encrypt ACME challenge requests
135 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
136 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
137 </VirtualHost>
138
139 <VirtualHost *:443>
140 ServerName shaarli.mydomain.org
141 DocumentRoot /var/www/shaarli.mydomain.org/
142
143 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
144 LogLevel warn
145 # Log file locations
146 ErrorLog /var/log/apache2/error.log
147 CustomLog /var/log/apache2/access.log combined
148
149 # SSL/TLS configuration (for Let's Encrypt certificates)
150 SSLEngine on
151 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
152 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
153
154 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
155 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
156 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
157 SSLHonorCipherOrder off
158 SSLSessionTickets off
159 SSLOptions +StrictRequire
160
161 # SSL/TLS configuration (for self-signed certificates)
162 #SSLEngine on
163 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
164 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
165
166 # Optional, log PHP errors, useful for debugging
167 #php_flag log_errors on
168 #php_flag display_errors on
169 #php_value error_reporting 2147483647
170 #php_value error_log /var/log/apache2/shaarli-php-error.log
171
172 <Directory /var/www/shaarli.mydomain.org/>
173 # Required for .htaccess support
174 AllowOverride All
175 Order allow,deny
176 Allow from all
177 </Directory>
178
179 <LocationMatch "/\.">
180 # Prevent accessing dotfiles
181 RedirectMatch 404 ".*"
182 </LocationMatch>
183
184 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
185 # allow client-side caching of static files
186 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
187 </LocationMatch>
188
189 # serve the Shaarli favicon from its custom location
190 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
191
192 </VirtualHost>
193 ```
194
195 ```bash
196 # Enable the virtualhost
197 sudo a2ensite shaarli
198
199 # mod_ssl must be enabled to use TLS/SSL certificates
200 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
201 sudo a2enmod ssl
202
203 # mod_rewrite must be enabled to use the REST API
204 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
205 sudo a2enmod rewrite
206
207 # mod_version must only be enabled if you use Apache 2.2 or lower
208 # https://httpd.apache.org/docs/current/mod/mod_version.html
209 # sudo a2enmod version
210
211 # restart the apache service
212 systemctl restart apache
213 ```
214
215 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
216
217 ### Nginx
218
219 This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
220
221
222 ```bash
223 # install nginx and php-fpm
224 sudo apt update
225 sudo apt install nginx php-fpm
226
227 # Edit the virtualhost configuration file with your favorite editor
228 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
229 ```
230
231 ```nginx
232 server {
233 listen 80;
234 server_name shaarli.mydomain.org;
235
236 # redirect all plain HTTP requests to HTTPS
237 return 301 https://shaarli.mydomain.org$request_uri;
238 }
239
240 server {
241 listen 443 ssl;
242 server_name shaarli.mydomain.org;
243 root /var/www/shaarli.mydomain.org;
244
245 # log file locations
246 # combined log format prepends the virtualhost/domain name to log entries
247 access_log /var/log/nginx/access.log combined;
248 error_log /var/log/nginx/error.log;
249
250 # paths to private key and certificates for SSL/TLS
251 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
252 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
253
254 # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
255 ssl_session_cache shared:le_nginx_SSL:10m;
256 ssl_session_timeout 1440m;
257 ssl_session_tickets off;
258 ssl_protocols TLSv1.2 TLSv1.3;
259 ssl_prefer_server_ciphers off;
260 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
261
262 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
263 client_max_body_size 100m;
264
265 # relative path to shaarli from the root of the webserver
266 location / {
267 # default index file when no file URI is requested
268 index index.php;
269 try_files $uri /index.php$is_args$args;
270 }
271
272 location ~ (index)\.php$ {
273 try_files $uri =404;
274 # slim API - split URL path into (script_filename, path_info)
275 fastcgi_split_path_info ^(.+\.php)(/.+)$;
276 # pass PHP requests to PHP-FPM
277 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
278 fastcgi_index index.php;
279 include fastcgi.conf;
280 }
281
282 location ~ \.php$ {
283 # deny access to all other PHP scripts
284 # disable this if you host other PHP applications on the same virtualhost
285 deny all;
286 }
287
288 location ~ /\. {
289 # deny access to dotfiles
290 deny all;
291 }
292
293 location ~ ~$ {
294 # deny access to temp editor files, e.g. "script.php~"
295 deny all;
296 }
297
298 location = /favicon.ico {
299 # serve the Shaarli favicon from its custom location
300 alias /var/www/shaarli/images/favicon.ico;
301 }
302
303 # allow client-side caching of static files
304 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
305 expires max;
306 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
307 # HTTP 1.0 compatibility
308 add_header Pragma public;
309 }
310
311 }
312 ```
313
314 ```bash
315 # enable the configuration/virtualhost
316 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
317 # reload nginx configuration
318 sudo systemctl reload nginx
319 ```
320
321 See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide.
322
323
324 ## Reverse proxies
325
326 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
327
328
329
330 ## Allow import of large browser bookmarks export
331
332 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
333
334 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
335 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
336
337 ```ini
338 [...]
339 # (optional) increase the maximum file upload size:
340 post_max_size = 100M
341 [...]
342 # (optional) increase the maximum file upload size:
343 upload_max_filesize = 100M
344 ```
345
346 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
347
348 ```bash
349 # example
350 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
351 #give read-only access to this file to the webserver user
352 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
353 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
354 ```
355
356 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
357
358 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
359
360
361 ## Robots and crawlers
362
363 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
364
365 ```
366 User-agent: *
367 Disallow: /
368 ```
369
370 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
371
372 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
373 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
374 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
375 - [About robots.txt](http://www.robotstxt.org)
376 - [About the robots META tag](https://www.robotstxt.org/meta.html)
377
378
379 ## Fail2ban
380
381 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
382
383 ```ini
384 # /etc/fail2ban/filter.d/shaarli-auth.conf
385 [INCLUDES]
386 before = common.conf
387 [Definition]
388 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
389 ignoreregex =
390 ```
391
392 ```ini
393 # /etc/fail2ban/jail.local
394 [shaarli-auth]
395 enabled = true
396 port = https,http
397 filter = shaarli-auth
398 logpath = /var/www/shaarli.mydomain.org/data/log.txt
399 # allow 3 login attempts per IP address
400 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
401 maxretry = 3
402 # permanently ban the IP address after reaching the limit
403 bantime = -1
404 ```
405
406 #### References
407
408 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
409 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
410 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
411 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
412 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
413 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
414 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
415 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
416 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
417 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
418 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
419 - [Nginx documentation](https://nginx.org/en/docs/)
420 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
421 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
422 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
423 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
424 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
425 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
426 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
427 - [PHP: Supported versions](http://php.net/supported-versions.php)
428 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
429 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
430 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
431 - [PHP: Bugs](https://bugs.php.net/)
432 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
433 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
434
435
The personal, minimalist, super-fast, database free, bookmarking service - community repo