7 ### Operating system and web server
9 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
11 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
13 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
15 ### Network and domain name
17 Try to host the server in a region that is geographically close to your users.
19 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
21 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
23 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
25 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
30 Supported PHP versions:
32 Version | Status | Shaarli compatibility
37 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
38 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
39 5.5 | EOL: 2016-07-10 | Yes
40 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
41 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
43 Required PHP extensions:
45 Extension | Required? | Usage
47 [`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
48 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
49 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
50 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
51 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
52 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
53 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
55 Some [plugins](Plugins.md) may require additional configuration.
60 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
62 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
64 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
65 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
66 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
72 sudo apt install certbot
74 # stop your webserver if you already have one running
75 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
76 sudo systemctl stop apache2
77 sudo systemctl stop nginx
79 # generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
80 # (DNS records must be correctly pointing to it, firewall/NAT on port 80/443 must be open)
81 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
82 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
84 # restart the web server
85 sudo systemctl start apache2
86 sudo systemctl start nginx
89 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
91 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
92 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
94 --------------------------------------------------------------------------------
98 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).
100 In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
103 sudo mkdir -p /var/www/shaarli.mydomain.org/
106 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
112 # Install apache + mod_php and PHP modules
114 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
116 # Edit the virtualhost configuration file with your favorite editor
117 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
122 ServerName shaarli.mydomain.org
123 DocumentRoot /var/www/shaarli.mydomain.org/
125 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
128 ErrorLog /var/log/apache2/error.log
129 CustomLog /var/log/apache2/access.log combined
131 # Redirect HTTP requests to HTTPS
133 RewriteRule ^.well-known/acme-challenge/ - [L]
134 # except for Let's Encrypt ACME challenge requests
135 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
136 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
140 ServerName shaarli.mydomain.org
141 DocumentRoot /var/www/shaarli.mydomain.org/
143 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
146 ErrorLog /var/log/apache2/error.log
147 CustomLog /var/log/apache2/access.log combined
149 # SSL/TLS configuration (for Let's Encrypt certificates)
151 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
152 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
153 Include /etc/letsencrypt/options-ssl-apache.conf
155 # SSL/TLS configuration (for self-signed certificates)
157 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
158 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
160 # Optional, log PHP errors, useful for debugging
161 #php_flag log_errors on
162 #php_flag display_errors on
163 #php_value error_reporting 2147483647
164 #php_value error_log /var/log/apache2/shaarli-php-error.log
166 <Directory /var/www/shaarli.mydomain.org/>
167 # Required for .htaccess support
173 <LocationMatch "/\.">
174 # Prevent accessing dotfiles
175 RedirectMatch 404 ".*"
178 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
179 # allow client-side caching of static files
180 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
183 # serve the Shaarli favicon from its custom location
184 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
190 # Enable the virtualhost
191 sudo a2ensite shaarli
193 # mod_ssl must be enabled to use TLS/SSL certificates
194 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
197 # mod_rewrite must be enabled to use the REST API
198 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
201 # mod_version must only be enabled if you use Apache 2.2 or lower
202 # https://httpd.apache.org/docs/current/mod/mod_version.html
203 # sudo a2enmod version
205 # restart the apache service
206 systemctl restart apache
209 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
213 Guide on setting up the Nginx web server: [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)
215 You will also need to install the [PHP-FPM](http://php-fpm.org) interpreter as detailed [here](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing). Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data` but this may vary depending on your Linux distribution.
219 # install nginx and php-fpm
221 sudo apt install nginx php-fpm
223 # Edit the virtualhost configuration file with your favorite editor
224 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
230 server_name shaarli.mydomain.org;
232 # redirect all plain HTTP requests to HTTPS
233 return 301 https://shaarli.mydomain.org$request_uri;
238 server_name shaarli.mydomain.org;
239 root /var/www/shaarli.mydomain.org;
242 # combined log format prepends the virtualhost/domain name to log entries
243 access_log /var/log/nginx/access.log combined;
244 error_log /var/log/nginx/error.log;
246 # paths to private key and certificates for SSL/TLS
247 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
248 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
250 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
251 client_max_body_size 100m;
253 # relative path to shaarli from the root of the webserver
255 # default index file when no file URI is requested
257 try_files $uri /index.php$is_args$args;
260 location ~ (index)\.php$ {
262 # slim API - split URL path into (script_filename, path_info)
263 fastcgi_split_path_info ^(.+\.php)(/.+)$;
264 # pass PHP requests to PHP-FPM
265 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
266 fastcgi_index index.php;
267 include fastcgi.conf;
271 # deny access to all other PHP scripts
272 # disable this if you host other PHP applications on the same virtualhost
277 # deny access to dotfiles
282 # deny access to temp editor files, e.g. "script.php~"
286 location = /favicon.ico {
287 # serve the Shaarli favicon from its custom location
288 alias /var/www/shaarli/images/favicon.ico;
291 # allow client-side caching of static files
292 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
294 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
295 # HTTP 1.0 compatibility
296 add_header Pragma public;
303 # enable the configuration/virtualhost
304 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
305 # reload nginx configuration
306 sudo systemctl reload nginx
312 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
316 ## Allow import of large browser bookmarks export
318 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
320 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
321 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
325 # (optional) increase the maximum file upload size:
328 # (optional) increase the maximum file upload size:
329 upload_max_filesize = 100M
332 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
336 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
337 #give read-only access to this file to the webserver user
338 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
339 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
342 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
344 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
347 ## Robots and crawlers
349 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
356 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
358 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
359 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
360 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
361 - [About robots.txt](http://www.robotstxt.org)
362 - [About the robots META tag](https://www.robotstxt.org/meta.html)
367 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
370 # /etc/fail2ban/filter.d/shaarli-auth.conf
374 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
379 # /etc/fail2ban/jail.local
383 filter = shaarli-auth
384 logpath = /var/www/shaarli.mydomain.org/data/log.txt
385 # allow 3 login attempts per IP address
386 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
388 # permanently ban the IP address after reaching the limit
394 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
395 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
396 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
397 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
398 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
399 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
400 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
401 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
402 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
403 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
404 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
405 - [Nginx documentation](https://nginx.org/en/docs/)
406 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
407 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
408 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
409 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
410 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
411 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
412 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
413 - [PHP: Supported versions](http://php.net/supported-versions.php)
414 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
415 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
416 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
417 - [PHP: Bugs](https://bugs.php.net/)
418 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
419 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.