]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/md/Server-configuration.md
projects / github / shaarli / Shaarli.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
doc: nginx: add let's encrypt ssl configuration
[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md
1 # Server configuration
2
3
4
5 ## Requirements
6
7 ### Operating system and web server
8
9 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
10
11 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
12
13 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
14
15 ### Network and domain name
16
17 Try to host the server in a region that is geographically close to your users.
18
19 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
20
21 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
22
23 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
24
25 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
26
27
28 ### PHP
29
30 Supported PHP versions:
31
32 Version | Status | Shaarli compatibility
33 :---:|:---:|:---:
34 7.3 | Supported | Yes
35 7.2 | Supported | Yes
36 7.1 | Supported | Yes
37 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
38 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
39 5.5 | EOL: 2016-07-10 | Yes
40 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
41 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
42
43 Required PHP extensions:
44
45 Extension | Required? | Usage
46 ---|:---:|---
47 [`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
48 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
49 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
50 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
51 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
52 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
53 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
54
55 Some [plugins](Plugins.md) may require additional configuration.
56
57
58 ## SSL/TLS (HTTPS)
59
60 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
61
62 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
63
64 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
65 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
66 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
67
68 In short:
69
70 ```bash
71 # install certbot
72 sudo apt install certbot
73
74 # stop your webserver if you already have one running
75 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
76 sudo systemctl stop apache2
77 sudo systemctl stop nginx
78
79 # generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
80 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
81 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
82
83 # restart the web server
84 sudo systemctl start apache2
85 sudo systemctl start nginx
86 ```
87
88 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
89
90 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
91 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
92
93 --------------------------------------------------------------------------------
94
95 ## Examples
96
97 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).
98
99 In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
100
101 ```bash
102 sudo mkdir -p /var/www/shaarli.mydomain.org/
103 ```
104
105 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
106
107
108 ### Apache
109
110 ```bash
111 # Install apache + mod_php and PHP modules
112 sudo apt update
113 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
114
115 # Edit the virtualhost configuration file with your favorite editor
116 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
117 ```
118
119 ```apache
120 <VirtualHost *:80>
121 ServerName shaarli.mydomain.org
122 DocumentRoot /var/www/shaarli.mydomain.org/
123
124 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
125 LogLevel warn
126 # Log file locations
127 ErrorLog /var/log/apache2/error.log
128 CustomLog /var/log/apache2/access.log combined
129
130 # Redirect HTTP requests to HTTPS
131 RewriteEngine on
132 RewriteRule ^.well-known/acme-challenge/ - [L]
133 # except for Let's Encrypt ACME challenge requests
134 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
135 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
136 </VirtualHost>
137
138 <VirtualHost *:443>
139 ServerName shaarli.mydomain.org
140 DocumentRoot /var/www/shaarli.mydomain.org/
141
142 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
143 LogLevel warn
144 # Log file locations
145 ErrorLog /var/log/apache2/error.log
146 CustomLog /var/log/apache2/access.log combined
147
148 # SSL/TLS configuration (for Let's Encrypt certificates)
149 SSLEngine on
150 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
151 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
152
153 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
154 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
155 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
156 SSLHonorCipherOrder off
157 SSLSessionTickets off
158 SSLOptions +StrictRequire
159
160 # SSL/TLS configuration (for self-signed certificates)
161 #SSLEngine on
162 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
163 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
164
165 # Optional, log PHP errors, useful for debugging
166 #php_flag log_errors on
167 #php_flag display_errors on
168 #php_value error_reporting 2147483647
169 #php_value error_log /var/log/apache2/shaarli-php-error.log
170
171 <Directory /var/www/shaarli.mydomain.org/>
172 # Required for .htaccess support
173 AllowOverride All
174 Order allow,deny
175 Allow from all
176 </Directory>
177
178 <LocationMatch "/\.">
179 # Prevent accessing dotfiles
180 RedirectMatch 404 ".*"
181 </LocationMatch>
182
183 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
184 # allow client-side caching of static files
185 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
186 </LocationMatch>
187
188 # serve the Shaarli favicon from its custom location
189 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
190
191 </VirtualHost>
192 ```
193
194 ```bash
195 # Enable the virtualhost
196 sudo a2ensite shaarli
197
198 # mod_ssl must be enabled to use TLS/SSL certificates
199 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
200 sudo a2enmod ssl
201
202 # mod_rewrite must be enabled to use the REST API
203 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
204 sudo a2enmod rewrite
205
206 # mod_version must only be enabled if you use Apache 2.2 or lower
207 # https://httpd.apache.org/docs/current/mod/mod_version.html
208 # sudo a2enmod version
209
210 # restart the apache service
211 systemctl restart apache
212 ```
213
214 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
215
216 ### Nginx
217
218 This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
219
220
221 ```bash
222 # install nginx and php-fpm
223 sudo apt update
224 sudo apt install nginx php-fpm
225
226 # Edit the virtualhost configuration file with your favorite editor
227 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
228 ```
229
230 ```nginx
231 server {
232 listen 80;
233 server_name shaarli.mydomain.org;
234
235 # redirect all plain HTTP requests to HTTPS
236 return 301 https://shaarli.mydomain.org$request_uri;
237 }
238
239 server {
240 listen 443 ssl;
241 server_name shaarli.mydomain.org;
242 root /var/www/shaarli.mydomain.org;
243
244 # log file locations
245 # combined log format prepends the virtualhost/domain name to log entries
246 access_log /var/log/nginx/access.log combined;
247 error_log /var/log/nginx/error.log;
248
249 # paths to private key and certificates for SSL/TLS
250 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
251 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
252
253 # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
254 ssl_session_cache shared:le_nginx_SSL:10m;
255 ssl_session_timeout 1440m;
256 ssl_session_tickets off;
257 ssl_protocols TLSv1.2 TLSv1.3;
258 ssl_prefer_server_ciphers off;
259 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
260
261 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
262 client_max_body_size 100m;
263
264 # relative path to shaarli from the root of the webserver
265 location / {
266 # default index file when no file URI is requested
267 index index.php;
268 try_files $uri /index.php$is_args$args;
269 }
270
271 location ~ (index)\.php$ {
272 try_files $uri =404;
273 # slim API - split URL path into (script_filename, path_info)
274 fastcgi_split_path_info ^(.+\.php)(/.+)$;
275 # pass PHP requests to PHP-FPM
276 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
277 fastcgi_index index.php;
278 include fastcgi.conf;
279 }
280
281 location ~ \.php$ {
282 # deny access to all other PHP scripts
283 # disable this if you host other PHP applications on the same virtualhost
284 deny all;
285 }
286
287 location ~ /\. {
288 # deny access to dotfiles
289 deny all;
290 }
291
292 location ~ ~$ {
293 # deny access to temp editor files, e.g. "script.php~"
294 deny all;
295 }
296
297 location = /favicon.ico {
298 # serve the Shaarli favicon from its custom location
299 alias /var/www/shaarli/images/favicon.ico;
300 }
301
302 # allow client-side caching of static files
303 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
304 expires max;
305 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
306 # HTTP 1.0 compatibility
307 add_header Pragma public;
308 }
309
310 }
311 ```
312
313 ```bash
314 # enable the configuration/virtualhost
315 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
316 # reload nginx configuration
317 sudo systemctl reload nginx
318 ```
319
320 See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide.
321
322
323 ## Reverse proxies
324
325 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
326
327
328
329 ## Allow import of large browser bookmarks export
330
331 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
332
333 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
334 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
335
336 ```ini
337 [...]
338 # (optional) increase the maximum file upload size:
339 post_max_size = 100M
340 [...]
341 # (optional) increase the maximum file upload size:
342 upload_max_filesize = 100M
343 ```
344
345 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
346
347 ```bash
348 # example
349 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
350 #give read-only access to this file to the webserver user
351 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
352 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
353 ```
354
355 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
356
357 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
358
359
360 ## Robots and crawlers
361
362 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
363
364 ```
365 User-agent: *
366 Disallow: /
367 ```
368
369 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
370
371 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
372 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
373 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
374 - [About robots.txt](http://www.robotstxt.org)
375 - [About the robots META tag](https://www.robotstxt.org/meta.html)
376
377
378 ## Fail2ban
379
380 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
381
382 ```ini
383 # /etc/fail2ban/filter.d/shaarli-auth.conf
384 [INCLUDES]
385 before = common.conf
386 [Definition]
387 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
388 ignoreregex =
389 ```
390
391 ```ini
392 # /etc/fail2ban/jail.local
393 [shaarli-auth]
394 enabled = true
395 port = https,http
396 filter = shaarli-auth
397 logpath = /var/www/shaarli.mydomain.org/data/log.txt
398 # allow 3 login attempts per IP address
399 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
400 maxretry = 3
401 # permanently ban the IP address after reaching the limit
402 bantime = -1
403 ```
404
405 #### References
406
407 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
408 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
409 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
410 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
411 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
412 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
413 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
414 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
415 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
416 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
417 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
418 - [Nginx documentation](https://nginx.org/en/docs/)
419 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
420 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
421 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
422 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
423 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
424 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
425 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
426 - [PHP: Supported versions](http://php.net/supported-versions.php)
427 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
428 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
429 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
430 - [PHP: Bugs](https://bugs.php.net/)
431 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
432 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
433
434
The personal, minimalist, super-fast, database free, bookmarking service - community repo