]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/md/Server-configuration.md
projects / github / shaarli / Shaarli.git / blob
? search:


bb488ef0b2e5f678a884fba2baed24a330e1a87c
[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md
1 # Server configuration
2
3 ## Requirements
4
5 ### Operating system and web server
6
7 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
8
9 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
10
11 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
12
13 ### Network and domain name
14
15 Try to host the server in a region that is geographically close to your users.
16
17 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
18
19 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
20
21 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
22
23 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
24
25
26 ### Screencast
27
28 Here is a screencast of the installation procedure
29
30 [![asciicast](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO.svg)](https://asciinema.org/a/z3RXxcJIRgWk0jM2ws6EnUFgO)
31
32 --------------------------------------------------------------------------------
33
34 ### PHP
35
36 Supported PHP versions:
37
38 Version | Status | Shaarli compatibility
39 :---:|:---:|:---:
40 7.3 | Supported | Yes
41 7.2 | Supported | Yes
42 7.1 | Supported | Yes
43 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
44 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
45 5.5 | EOL: 2016-07-10 | Yes
46 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
47 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
48
49 Required PHP extensions:
50
51 Extension | Required? | Usage
52 ---|:---:|---
53 [`openssl`](http://php.net/manual/en/book.openssl.php) | requires | OpenSSL, HTTPS
54 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
55 [`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
56 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
57 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
58 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
59 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
60 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
61
62 Some [plugins](Plugins.md) may require additional configuration.
63
64
65 ## SSL/TLS (HTTPS)
66
67 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
68
69 ### Let's Encrypt
70
71 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
72
73 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
74 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
75 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
76
77 In short:
78
79 ```bash
80 # install certbot
81 sudo apt install certbot
82
83 # stop your webserver if you already have one running
84 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
85 sudo systemctl stop apache2
86 sudo systemctl stop nginx
87
88 # generate initial certificates
89 # Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
90 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
91 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
92
93 # restart the web server
94 sudo systemctl start apache2
95 sudo systemctl start nginx
96 ```
97
98 On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts.
99
100 ### Self-signed
101
102 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
103
104 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
105 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
106
107 --------------------------------------------------------------------------------
108
109 ## Examples
110
111 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
112
113 ```bash
114 # create the document root (replace with your own domain name)
115 sudo mkdir -p /var/www/shaarli.mydomain.org/
116 ```
117
118 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
119
120
121 ### Apache
122
123 ```bash
124 # Install apache + mod_php and PHP modules
125 sudo apt update
126 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
127
128 # Edit the virtualhost configuration file with your favorite editor (replace the example domain name)
129 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
130 ```
131
132 ```apache
133 <VirtualHost *:80>
134 ServerName shaarli.mydomain.org
135 DocumentRoot /var/www/shaarli.mydomain.org/
136
137 # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
138 RewriteEngine on
139 RewriteRule ^.well-known/acme-challenge/ - [L]
140 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
141 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
142 # If you are using mod_md, use this instead
143 #MDCertificateAgreement accepted
144 #MDContactEmail admin@shaarli.mydomain.org
145 #MDPrivateKeys RSA 4096
146 </VirtualHost>
147
148 <VirtualHost *:443>
149 ServerName shaarli.mydomain.org
150 DocumentRoot /var/www/shaarli.mydomain.org/
151
152 # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
153 SSLEngine on
154 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
155 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
156 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
157 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
158 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
159 SSLHonorCipherOrder off
160 SSLSessionTickets off
161 SSLOptions +StrictRequire
162
163 # SSL/TLS configuration for Let's Encrypt certificates acquired with mod_md
164 #MDomain shaarli.mydomain.org
165
166 # SSL/TLS configuration (for self-signed certificates)
167 #SSLEngine on
168 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
169 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
170
171 # Optional, log PHP errors, useful for debugging
172 #php_flag log_errors on
173 #php_flag display_errors on
174 #php_value error_reporting 2147483647
175 #php_value error_log /var/log/apache2/shaarli-php-error.log
176
177 <Directory /var/www/shaarli.mydomain.org/>
178 # Required for .htaccess support
179 AllowOverride All
180 Require all granted
181 </Directory>
182
183 <LocationMatch "/\.">
184 # Prevent accessing dotfiles
185 RedirectMatch 404 ".*"
186 </LocationMatch>
187
188 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
189 # allow client-side caching of static files
190 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
191 </LocationMatch>
192
193 # serve the Shaarli favicon from its custom location
194 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
195
196 </VirtualHost>
197 ```
198
199 ```bash
200 # Enable the virtualhost
201 sudo a2ensite shaarli
202
203 # mod_ssl must be enabled to use TLS/SSL certificates
204 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
205 sudo a2enmod ssl
206
207 # mod_rewrite must be enabled to use the REST API
208 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
209 sudo a2enmod rewrite
210
211 # mod_version must only be enabled if you use Apache 2.2 or lower
212 # https://httpd.apache.org/docs/current/mod/mod_version.html
213 # sudo a2enmod version
214
215 # restart the apache service
216 systemctl restart apache
217 ```
218
219 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
220
221
222 ### Nginx
223
224 This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
225
226
227 ```bash
228 # install nginx and php-fpm
229 sudo apt update
230 sudo apt install nginx php-fpm
231
232 # Edit the virtualhost configuration file with your favorite editor
233 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
234 ```
235
236 ```nginx
237 server {
238 listen 80;
239 server_name shaarli.mydomain.org;
240
241 # redirect all plain HTTP requests to HTTPS
242 return 301 https://shaarli.mydomain.org$request_uri;
243 }
244
245 server {
246 listen 443 ssl;
247 server_name shaarli.mydomain.org;
248 root /var/www/shaarli.mydomain.org;
249
250 # log file locations
251 # combined log format prepends the virtualhost/domain name to log entries
252 access_log /var/log/nginx/access.log combined;
253 error_log /var/log/nginx/error.log;
254
255 # paths to private key and certificates for SSL/TLS
256 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
257 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
258
259 # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
260 ssl_session_cache shared:le_nginx_SSL:10m;
261 ssl_session_timeout 1440m;
262 ssl_session_tickets off;
263 ssl_protocols TLSv1.2 TLSv1.3;
264 ssl_prefer_server_ciphers off;
265 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
266
267 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
268 client_max_body_size 100m;
269
270 # relative path to shaarli from the root of the webserver
271 location / {
272 # default index file when no file URI is requested
273 index index.php;
274 try_files $uri /index.php$is_args$args;
275 }
276
277 location ~ (index)\.php$ {
278 try_files $uri =404;
279 # slim API - split URL path into (script_filename, path_info)
280 fastcgi_split_path_info ^(.+\.php)(/.+)$;
281 # pass PHP requests to PHP-FPM
282 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
283 fastcgi_index index.php;
284 include fastcgi.conf;
285 }
286
287 location ~ \.php$ {
288 # deny access to all other PHP scripts
289 # disable this if you host other PHP applications on the same virtualhost
290 deny all;
291 }
292
293 location ~ /\. {
294 # deny access to dotfiles
295 deny all;
296 }
297
298 location ~ ~$ {
299 # deny access to temp editor files, e.g. "script.php~"
300 deny all;
301 }
302
303 location = /favicon.ico {
304 # serve the Shaarli favicon from its custom location
305 alias /var/www/shaarli/images/favicon.ico;
306 }
307
308 # allow client-side caching of static files
309 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
310 expires max;
311 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
312 # HTTP 1.0 compatibility
313 add_header Pragma public;
314 }
315
316 }
317 ```
318
319 ```bash
320 # enable the configuration/virtualhost
321 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
322 # reload nginx configuration
323 sudo systemctl reload nginx
324 ```
325
326 See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide.
327
328
329 ## Reverse proxies
330
331 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
332
333
334
335 ## Allow import of large browser bookmarks export
336
337 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
338
339 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
340 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
341
342 ```ini
343 [...]
344 # (optional) increase the maximum file upload size:
345 post_max_size = 100M
346 [...]
347 # (optional) increase the maximum file upload size:
348 upload_max_filesize = 100M
349 ```
350
351 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
352
353 ```bash
354 # example
355 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
356 #give read-only access to this file to the webserver user
357 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
358 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
359 ```
360
361 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
362
363 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
364
365
366 ## Robots and crawlers
367
368 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
369
370 ```
371 User-agent: *
372 Disallow: /
373 ```
374
375 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
376
377 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
378 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
379 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
380 - [About robots.txt](http://www.robotstxt.org)
381 - [About the robots META tag](https://www.robotstxt.org/meta.html)
382
383
384 ## Fail2ban
385
386 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
387
388 ```ini
389 # /etc/fail2ban/filter.d/shaarli-auth.conf
390 [INCLUDES]
391 before = common.conf
392 [Definition]
393 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
394 ignoreregex =
395 ```
396
397 ```ini
398 # /etc/fail2ban/jail.local
399 [shaarli-auth]
400 enabled = true
401 port = https,http
402 filter = shaarli-auth
403 logpath = /var/www/shaarli.mydomain.org/data/log.txt
404 # allow 3 login attempts per IP address
405 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
406 maxretry = 3
407 # permanently ban the IP address after reaching the limit
408 bantime = -1
409 ```
410
411 Then restart the service: `sudo systemctl restart fail2ban`
412
413 #### References
414
415 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
416 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
417 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
418 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
419 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
420 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
421 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
422 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
423 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
424 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
425 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
426 - [Nginx documentation](https://nginx.org/en/docs/)
427 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
428 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
429 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
430 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
431 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
432 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
433 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
434 - [PHP: Supported versions](http://php.net/supported-versions.php)
435 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
436 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
437 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
438 - [PHP: Bugs](https://bugs.php.net/)
439 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
440 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
441
442
The personal, minimalist, super-fast, database free, bookmarking service - community repo