]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/md/Server-configuration.md
projects / github / shaarli / Shaarli.git / blob
? search:


c1cf43103d86189e57b3a14aa5740f2544c843cd
[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md
1 # Server configuration
2
3 ## Requirements
4
5 ### Operating system and web server
6
7 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
8
9 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
10
11 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
12
13 ### Network and domain name
14
15 Try to host the server in a region that is geographically close to your users.
16
17 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
18
19 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
20
21 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
22
23 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
24
25 --------------------------------------------------------------------------------
26
27 ### PHP
28
29 Supported PHP versions:
30
31 Version | Status | Shaarli compatibility
32 :---:|:---:|:---:
33 7.3 | Supported | Yes
34 7.2 | Supported | Yes
35 7.1 | Supported | Yes
36 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
37 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
38 5.5 | EOL: 2016-07-10 | Yes
39 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
40 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
41
42 Required PHP extensions:
43
44 Extension | Required? | Usage
45 ---|:---:|---
46 [`openssl`](http://php.net/manual/en/book.openssl.php) | requires | OpenSSL, HTTPS
47 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
48 [`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
49 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
50 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
51 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
52 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
53 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
54
55 Some [plugins](Plugins.md) may require additional configuration.
56
57
58 ## SSL/TLS (HTTPS)
59
60 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
61
62 ### Let's Encrypt
63
64 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
65
66 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
67 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
68 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
69
70 In short:
71
72 ```bash
73 # install certbot
74 sudo apt install certbot
75
76 # stop your webserver if you already have one running
77 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
78 sudo systemctl stop apache2
79 sudo systemctl stop nginx
80
81 # generate initial certificates
82 # Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
83 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
84 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
85
86 # restart the web server
87 sudo systemctl start apache2
88 sudo systemctl start nginx
89 ```
90
91 On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts.
92
93 ### Self-signed
94
95 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
96
97 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
98 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
99
100 --------------------------------------------------------------------------------
101
102 ## Examples
103
104 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
105
106 ```bash
107 # create the document root
108 sudo mkdir -p /var/www/shaarli.mydomain.org/
109 ```
110
111 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
112
113
114 ### Apache
115
116 ```bash
117 # Install apache + mod_php and PHP modules
118 sudo apt update
119 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
120
121 # Edit the virtualhost configuration file with your favorite editor
122 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
123 ```
124
125 ```apache
126 <VirtualHost *:80>
127 ServerName shaarli.mydomain.org
128 DocumentRoot /var/www/shaarli.mydomain.org/
129
130 # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
131 RewriteEngine on
132 RewriteRule ^.well-known/acme-challenge/ - [L]
133 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
134 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
135 # If you are using mod_md, use this instead
136 #MDCertificateAgreement accepted
137 #MDContactEmail admin@shaarli.mydomain.org
138 #MDPrivateKeys RSA 4096
139 </VirtualHost>
140
141 <VirtualHost *:443>
142 ServerName shaarli.mydomain.org
143 DocumentRoot /var/www/shaarli.mydomain.org/
144
145 # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
146 SSLEngine on
147 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
148 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
149 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
150 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
151 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
152 SSLHonorCipherOrder off
153 SSLSessionTickets off
154 SSLOptions +StrictRequire
155
156 # SSL/TLS configuration for Let's Encrypt certificates acquired with mod_md
157 #MDomain shaarli.mydomain.org
158
159 # SSL/TLS configuration (for self-signed certificates)
160 #SSLEngine on
161 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
162 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
163
164 # Optional, log PHP errors, useful for debugging
165 #php_flag log_errors on
166 #php_flag display_errors on
167 #php_value error_reporting 2147483647
168 #php_value error_log /var/log/apache2/shaarli-php-error.log
169
170 <Directory /var/www/shaarli.mydomain.org/>
171 # Required for .htaccess support
172 AllowOverride All
173 Require all granted
174 </Directory>
175
176 <LocationMatch "/\.">
177 # Prevent accessing dotfiles
178 RedirectMatch 404 ".*"
179 </LocationMatch>
180
181 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
182 # allow client-side caching of static files
183 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
184 </LocationMatch>
185
186 # serve the Shaarli favicon from its custom location
187 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
188
189 </VirtualHost>
190 ```
191
192 ```bash
193 # Enable the virtualhost
194 sudo a2ensite shaarli
195
196 # mod_ssl must be enabled to use TLS/SSL certificates
197 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
198 sudo a2enmod ssl
199
200 # mod_rewrite must be enabled to use the REST API
201 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
202 sudo a2enmod rewrite
203
204 # mod_version must only be enabled if you use Apache 2.2 or lower
205 # https://httpd.apache.org/docs/current/mod/mod_version.html
206 # sudo a2enmod version
207
208 # restart the apache service
209 systemctl restart apache
210 ```
211
212 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
213
214
215 ### Nginx
216
217 This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
218
219
220 ```bash
221 # install nginx and php-fpm
222 sudo apt update
223 sudo apt install nginx php-fpm
224
225 # Edit the virtualhost configuration file with your favorite editor
226 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
227 ```
228
229 ```nginx
230 server {
231 listen 80;
232 server_name shaarli.mydomain.org;
233
234 # redirect all plain HTTP requests to HTTPS
235 return 301 https://shaarli.mydomain.org$request_uri;
236 }
237
238 server {
239 listen 443 ssl;
240 server_name shaarli.mydomain.org;
241 root /var/www/shaarli.mydomain.org;
242
243 # log file locations
244 # combined log format prepends the virtualhost/domain name to log entries
245 access_log /var/log/nginx/access.log combined;
246 error_log /var/log/nginx/error.log;
247
248 # paths to private key and certificates for SSL/TLS
249 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
250 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
251
252 # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
253 ssl_session_cache shared:le_nginx_SSL:10m;
254 ssl_session_timeout 1440m;
255 ssl_session_tickets off;
256 ssl_protocols TLSv1.2 TLSv1.3;
257 ssl_prefer_server_ciphers off;
258 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
259
260 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
261 client_max_body_size 100m;
262
263 # relative path to shaarli from the root of the webserver
264 location / {
265 # default index file when no file URI is requested
266 index index.php;
267 try_files $uri /index.php$is_args$args;
268 }
269
270 location ~ (index)\.php$ {
271 try_files $uri =404;
272 # slim API - split URL path into (script_filename, path_info)
273 fastcgi_split_path_info ^(.+\.php)(/.+)$;
274 # pass PHP requests to PHP-FPM
275 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
276 fastcgi_index index.php;
277 include fastcgi.conf;
278 }
279
280 location ~ \.php$ {
281 # deny access to all other PHP scripts
282 # disable this if you host other PHP applications on the same virtualhost
283 deny all;
284 }
285
286 location ~ /\. {
287 # deny access to dotfiles
288 deny all;
289 }
290
291 location ~ ~$ {
292 # deny access to temp editor files, e.g. "script.php~"
293 deny all;
294 }
295
296 location = /favicon.ico {
297 # serve the Shaarli favicon from its custom location
298 alias /var/www/shaarli/images/favicon.ico;
299 }
300
301 # allow client-side caching of static files
302 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
303 expires max;
304 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
305 # HTTP 1.0 compatibility
306 add_header Pragma public;
307 }
308
309 }
310 ```
311
312 ```bash
313 # enable the configuration/virtualhost
314 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
315 # reload nginx configuration
316 sudo systemctl reload nginx
317 ```
318
319 See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide.
320
321
322 ## Reverse proxies
323
324 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
325
326
327
328 ## Allow import of large browser bookmarks export
329
330 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
331
332 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
333 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
334
335 ```ini
336 [...]
337 # (optional) increase the maximum file upload size:
338 post_max_size = 100M
339 [...]
340 # (optional) increase the maximum file upload size:
341 upload_max_filesize = 100M
342 ```
343
344 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
345
346 ```bash
347 # example
348 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
349 #give read-only access to this file to the webserver user
350 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
351 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
352 ```
353
354 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
355
356 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
357
358
359 ## Robots and crawlers
360
361 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
362
363 ```
364 User-agent: *
365 Disallow: /
366 ```
367
368 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
369
370 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
371 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
372 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
373 - [About robots.txt](http://www.robotstxt.org)
374 - [About the robots META tag](https://www.robotstxt.org/meta.html)
375
376
377 ## Fail2ban
378
379 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
380
381 ```ini
382 # /etc/fail2ban/filter.d/shaarli-auth.conf
383 [INCLUDES]
384 before = common.conf
385 [Definition]
386 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
387 ignoreregex =
388 ```
389
390 ```ini
391 # /etc/fail2ban/jail.local
392 [shaarli-auth]
393 enabled = true
394 port = https,http
395 filter = shaarli-auth
396 logpath = /var/www/shaarli.mydomain.org/data/log.txt
397 # allow 3 login attempts per IP address
398 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
399 maxretry = 3
400 # permanently ban the IP address after reaching the limit
401 bantime = -1
402 ```
403
404 Then restart the service: `sudo systemctl restart fail2ban`
405
406 #### References
407
408 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
409 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
410 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
411 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
412 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
413 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
414 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
415 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
416 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
417 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
418 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
419 - [Nginx documentation](https://nginx.org/en/docs/)
420 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
421 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
422 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
423 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
424 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
425 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
426 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
427 - [PHP: Supported versions](http://php.net/supported-versions.php)
428 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
429 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
430 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
431 - [PHP: Bugs](https://bugs.php.net/)
432 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
433 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
434
435
The personal, minimalist, super-fast, database free, bookmarking service - community repo