doc/md/Server-configuration.md

   1 # Server configuration
   2
   3
   4
   5 ## Requirements
   6
   7 ### Operating system and web server
   8
   9 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
  10
  11 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
  12
  13 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
  14
  15 ### Network and domain name
  16
  17 Try to host the server in a region that is geographically close to your users.
  18
  19 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
  20
  21 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
  22
  23 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
  24
  25 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
  26
  27
  28 ### PHP
  29
  30 Supported PHP versions:
  31
  32 Version | Status | Shaarli compatibility
  33 :---:|:---:|:---:
  34 7.3 | Supported | Yes
  35 7.2 | Supported | Yes
  36 7.1 | Supported | Yes
  37 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
  38 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
  39 5.5 | EOL: 2016-07-10 | Yes
  40 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
  41 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
  42
  43 Required PHP extensions:
  44
  45 Extension | Required? | Usage
  46 ---|:---:|---
  47 [`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
  48 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
  49 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
  50 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
  51 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->è->f`)
  52 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
  53 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
  54
  55 Some [plugins](Plugins.md) may require additional configuration.
  56
  57
  58 ## SSL/TLS (HTTPS)
  59
  60 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
  61
  62 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
  63
  64  - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
  65  - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
  66  - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
  67
  68 In short:
  69
  70 ```bash
  71 # install certbot
  72 sudo apt install certbot
  73
  74 # stop your webserver if you already have one running
  75 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
  76 sudo systemctl stop apache2
  77 sudo systemctl stop nginx
  78
  79 # generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
  80 # (DNS records must be correctly pointing to  it, firewall/NAT on port 80/443 must be open)
  81 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
  82 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
  83
  84 # restart the web server
  85 sudo systemctl start apache2
  86 sudo systemctl start nginx
  87 ```
  88
  89 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
  90
  91 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
  92 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
  93
  94 --------------------------------------------------------------------------------
  95
  96 ## Examples
  97
  98 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).
  99
 100 In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
 101
 102 ```bash
 103 sudo mkdir -p /var/www/shaarli.mydomain.org/
 104 ```
 105
 106 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
 107
 108
 109 ### Apache
 110
 111 ```bash
 112 # Install apache + mod_php and PHP modules
 113 sudo apt update
 114 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
 115
 116 # Edit the virtualhost configuration file with your favorite editor
 117 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
 118 ```
 119
 120 ```apache
 121 <VirtualHost *:80>
 122     ServerName shaarli.mydomain.org
 123     DocumentRoot /var/www/shaarli.mydomain.org/
 124
 125     # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
 126     LogLevel  warn
 127     # Log file locations
 128     ErrorLog /var/log/apache2/error.log
 129     CustomLog /var/log/apache2/access.log combined
 130
 131     # Redirect HTTP requests to HTTPS
 132     RewriteEngine on
 133     RewriteRule ^.well-known/acme-challenge/ - [L]
 134     # except for Let's Encrypt ACME challenge requests
 135     RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
 136     RewriteRule  ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
 137 </VirtualHost>
 138
 139 <VirtualHost *:443>
 140     ServerName   shaarli.mydomain.org
 141     DocumentRoot /var/www/shaarli.mydomain.org/
 142
 143     # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
 144     LogLevel  warn
 145     # Log file locations
 146     ErrorLog  /var/log/apache2/error.log
 147     CustomLog /var/log/apache2/access.log combined
 148
 149     # SSL/TLS configuration (for Let's Encrypt certificates)
 150     SSLEngine             on
 151     SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
 152     SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
 153     Include /etc/letsencrypt/options-ssl-apache.conf
 154
 155     # SSL/TLS configuration (for self-signed certificates)
 156     #SSLEngine             on
 157     #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
 158     #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 159
 160     # Optional, log PHP errors, useful for debugging
 161     #php_flag  log_errors on
 162     #php_flag  display_errors on
 163     #php_value error_reporting 2147483647
 164     #php_value error_log /var/log/apache2/shaarli-php-error.log
 165
 166     <Directory /var/www/shaarli.mydomain.org/>
 167         # Required for .htaccess support
 168         AllowOverride All
 169         Order allow,deny
 170         Allow from all
 171     </Directory>
 172
 173     <LocationMatch "/\.">
 174         # Prevent accessing dotfiles
 175         RedirectMatch 404 ".*"
 176     </LocationMatch>
 177
 178     <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
 179         # allow client-side caching of static files
 180         Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
 181     </LocationMatch>
 182
 183     # serve the Shaarli favicon from its custom location
 184     Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
 185
 186 </VirtualHost>
 187 ```
 188
 189 ```bash
 190 # Enable the virtualhost
 191 sudo a2ensite shaarli
 192
 193 # mod_ssl must be enabled to use TLS/SSL certificates
 194 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
 195 sudo a2enmod ssl
 196
 197 # mod_rewrite must be enabled to use the REST API
 198 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
 199 sudo a2enmod rewrite
 200
 201 # mod_version must only be enabled if you use Apache 2.2 or lower
 202 # https://httpd.apache.org/docs/current/mod/mod_version.html
 203 # sudo a2enmod version
 204
 205 # restart the apache service
 206 systemctl restart apache
 207 ```
 208
 209 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
 210
 211 ### Nginx
 212
 213 Guide on setting up the Nginx web server: [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)
 214
 215 You will also need to install the [PHP-FPM](http://php-fpm.org) interpreter as detailed [here](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing). Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data` but this may vary depending on your Linux distribution.
 216
 217
 218 ```bash
 219 # install nginx and php-fpm
 220 sudo apt update
 221 sudo apt install nginx php-fpm
 222
 223 # Edit the virtualhost configuration file with your favorite editor
 224 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
 225 ```
 226
 227 ```nginx
 228 server {
 229     listen       80;
 230     server_name  shaarli.mydomain.org;
 231
 232     # redirect all plain HTTP requests to HTTPS
 233     return 301 https://shaarli.mydomain.org$request_uri;
 234 }
 235
 236 server {
 237     listen       443 ssl;
 238     server_name  shaarli.mydomain.org;
 239     root         /var/www/shaarli.mydomain.org;
 240
 241     # log file locations
 242     # combined log format prepends the virtualhost/domain name to log entries
 243     access_log  /var/log/nginx/access.log combined;
 244     error_log   /var/log/nginx/error.log;
 245
 246     # paths to private key and certificates for SSL/TLS
 247     ssl_certificate      /etc/ssl/shaarli.mydomain.org.crt;
 248     ssl_certificate_key  /etc/ssl/private/shaarli.mydomain.org.key;
 249
 250     # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
 251     client_max_body_size 100m;
 252
 253     # relative path to shaarli from the root of the webserver
 254     location / {
 255         # default index file when no file URI is requested
 256         index index.php;
 257         try_files $uri /index.php$is_args$args;
 258     }
 259
 260     location ~ (index)\.php$ {
 261         try_files $uri =404;
 262         # slim API - split URL path into (script_filename, path_info)
 263         fastcgi_split_path_info ^(.+\.php)(/.+)$;
 264         # pass PHP requests to PHP-FPM
 265         fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
 266         fastcgi_index  index.php;
 267         include        fastcgi.conf;
 268     }
 269
 270     location ~ \.php$ {
 271         # deny access to all other PHP scripts
 272         # disable this if you host other PHP applications on the same virtualhost
 273         deny all;
 274     }
 275
 276     location ~ /\. {
 277         # deny access to dotfiles
 278         deny all;
 279     }
 280
 281     location ~ ~$ {
 282         # deny access to temp editor files, e.g. "script.php~"
 283         deny all;
 284     }
 285
 286     location = /favicon.ico {
 287         # serve the Shaarli favicon from its custom location
 288         alias /var/www/shaarli/images/favicon.ico;
 289     }
 290
 291     # allow client-side caching of static files
 292     location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
 293         expires    max;
 294         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 295         # HTTP 1.0 compatibility
 296         add_header Pragma public;
 297     }
 298
 299 }
 300 ```
 301
 302 ```bash
 303 # enable the configuration/virtualhost
 304 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
 305 # reload nginx configuration
 306 sudo systemctl reload nginx
 307 ```
 308
 309
 310 ## Reverse proxies
 311
 312 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
 313
 314
 315
 316 ## Allow import of large browser bookmarks export
 317
 318 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
 319
 320 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
 321 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
 322
 323 ```ini
 324 [...]
 325 # (optional) increase the maximum file upload size:
 326 post_max_size = 100M
 327 [...]
 328 # (optional) increase the maximum file upload size:
 329 upload_max_filesize = 100M
 330 ```
 331
 332 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
 333
 334 ```bash
 335 # example
 336 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
 337 #give read-only access to this file to the webserver user
 338 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
 339 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
 340 ```
 341
 342 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
 343
 344 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
 345
 346
 347 ## Robots and crawlers
 348
 349 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
 350
 351 ```
 352 User-agent: *
 353 Disallow: /
 354 ```
 355
 356 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
 357
 358 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
 359 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
 360 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
 361 - [About robots.txt](http://www.robotstxt.org)
 362 - [About the robots META tag](https://www.robotstxt.org/meta.html)
 363
 364
 365 ## Fail2ban
 366
 367 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
 368
 369 ```ini
 370 # /etc/fail2ban/filter.d/shaarli-auth.conf
 371 [INCLUDES]
 372 before = common.conf
 373 [Definition]
 374 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
 375 ignoreregex =
 376 ```
 377
 378 ```ini
 379 # /etc/fail2ban/jail.local
 380 [shaarli-auth]
 381 enabled  = true
 382 port     = https,http
 383 filter   = shaarli-auth
 384 logpath  = /var/www/shaarli.mydomain.org/data/log.txt
 385 # allow 3 login attempts per IP address
 386 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
 387 maxretry = 3
 388 # permanently ban the IP address after reaching the limit
 389 bantime = -1
 390 ```
 391
 392 #### References
 393
 394 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
 395 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
 396 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
 397 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
 398 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
 399 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
 400 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
 401 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
 402 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
 403 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
 404 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
 405 - [Nginx documentation](https://nginx.org/en/docs/)
 406 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
 407 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
 408 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
 409 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
 410 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
 411 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
 412 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
 413 - [PHP: Supported versions](http://php.net/supported-versions.php)
 414 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
 415 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
 416 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
 417 - [PHP: Bugs](https://bugs.php.net/)
 418 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
 419 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
 420
 421