]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/md/Server-configuration.md
projects / github / shaarli / Shaarli.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
doc: server configuration: apache: add note about mod_md
[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md
1 # Server configuration
2
3
4
5 ## Requirements
6
7 ### Operating system and web server
8
9 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
10
11 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
12
13 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
14
15 ### Network and domain name
16
17 Try to host the server in a region that is geographically close to your users.
18
19 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
20
21 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
22
23 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
24
25 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
26
27
28 ### PHP
29
30 Supported PHP versions:
31
32 Version | Status | Shaarli compatibility
33 :---:|:---:|:---:
34 7.3 | Supported | Yes
35 7.2 | Supported | Yes
36 7.1 | Supported | Yes
37 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
38 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
39 5.5 | EOL: 2016-07-10 | Yes
40 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
41 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
42
43 Required PHP extensions:
44
45 Extension | Required? | Usage
46 ---|:---:|---
47 [`openssl`](http://php.net/manual/en/book.openssl.php) | requires | OpenSSL, HTTPS
48 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
49 [`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
50 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
51 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
52 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
53 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
54 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
55
56 Some [plugins](Plugins.md) may require additional configuration.
57
58
59 ## SSL/TLS (HTTPS)
60
61 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
62
63 ### Let's Encrypt
64
65 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
66
67 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
68 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
69 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
70
71 In short:
72
73 ```bash
74 # install certbot
75 sudo apt install certbot
76
77 # stop your webserver if you already have one running
78 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
79 sudo systemctl stop apache2
80 sudo systemctl stop nginx
81
82 # generate initial certificates
83 # Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
84 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
85 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
86
87 # restart the web server
88 sudo systemctl start apache2
89 sudo systemctl start nginx
90 ```
91
92 On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts.
93
94 ### Self-signed
95
96 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
97
98 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
99 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
100
101 --------------------------------------------------------------------------------
102
103 ## Examples
104
105 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values). In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
106
107 ```bash
108 # create the document root
109 sudo mkdir -p /var/www/shaarli.mydomain.org/
110 ```
111
112 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
113
114
115 ### Apache
116
117 ```bash
118 # Install apache + mod_php and PHP modules
119 sudo apt update
120 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
121
122 # Edit the virtualhost configuration file with your favorite editor
123 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
124 ```
125
126 ```apache
127 <VirtualHost *:80>
128 ServerName shaarli.mydomain.org
129 DocumentRoot /var/www/shaarli.mydomain.org/
130
131 # Redirect HTTP requests to HTTPS
132 RewriteEngine on
133 RewriteRule ^.well-known/acme-challenge/ - [L]
134 # except for Let's Encrypt ACME challenge requests
135 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
136 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
137 </VirtualHost>
138
139 <VirtualHost *:443>
140 ServerName shaarli.mydomain.org
141 DocumentRoot /var/www/shaarli.mydomain.org/
142
143 # SSL/TLS configuration (for Let's Encrypt certificates)
144 # If certificates were acquired from certbot standalone
145 SSLEngine on
146 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
147 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
148 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
149 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
150 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
151 SSLHonorCipherOrder off
152 SSLSessionTickets off
153 SSLOptions +StrictRequire
154
155 # SSL/TLS configuration (for self-signed certificates)
156 #SSLEngine on
157 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
158 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
159
160 # Optional, log PHP errors, useful for debugging
161 #php_flag log_errors on
162 #php_flag display_errors on
163 #php_value error_reporting 2147483647
164 #php_value error_log /var/log/apache2/shaarli-php-error.log
165
166 <Directory /var/www/shaarli.mydomain.org/>
167 # Required for .htaccess support
168 AllowOverride All
169 Require all granted
170 </Directory>
171
172 <LocationMatch "/\.">
173 # Prevent accessing dotfiles
174 RedirectMatch 404 ".*"
175 </LocationMatch>
176
177 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
178 # allow client-side caching of static files
179 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
180 </LocationMatch>
181
182 # serve the Shaarli favicon from its custom location
183 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
184
185 </VirtualHost>
186 ```
187
188 ```bash
189 # Enable the virtualhost
190 sudo a2ensite shaarli
191
192 # mod_ssl must be enabled to use TLS/SSL certificates
193 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
194 sudo a2enmod ssl
195
196 # mod_rewrite must be enabled to use the REST API
197 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
198 sudo a2enmod rewrite
199
200 # mod_version must only be enabled if you use Apache 2.2 or lower
201 # https://httpd.apache.org/docs/current/mod/mod_version.html
202 # sudo a2enmod version
203
204 # restart the apache service
205 systemctl restart apache
206 ```
207
208 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
209
210
211 ### Nginx
212
213 This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
214
215
216 ```bash
217 # install nginx and php-fpm
218 sudo apt update
219 sudo apt install nginx php-fpm
220
221 # Edit the virtualhost configuration file with your favorite editor
222 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
223 ```
224
225 ```nginx
226 server {
227 listen 80;
228 server_name shaarli.mydomain.org;
229
230 # redirect all plain HTTP requests to HTTPS
231 return 301 https://shaarli.mydomain.org$request_uri;
232 }
233
234 server {
235 listen 443 ssl;
236 server_name shaarli.mydomain.org;
237 root /var/www/shaarli.mydomain.org;
238
239 # log file locations
240 # combined log format prepends the virtualhost/domain name to log entries
241 access_log /var/log/nginx/access.log combined;
242 error_log /var/log/nginx/error.log;
243
244 # paths to private key and certificates for SSL/TLS
245 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
246 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
247
248 # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
249 ssl_session_cache shared:le_nginx_SSL:10m;
250 ssl_session_timeout 1440m;
251 ssl_session_tickets off;
252 ssl_protocols TLSv1.2 TLSv1.3;
253 ssl_prefer_server_ciphers off;
254 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
255
256 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
257 client_max_body_size 100m;
258
259 # relative path to shaarli from the root of the webserver
260 location / {
261 # default index file when no file URI is requested
262 index index.php;
263 try_files $uri /index.php$is_args$args;
264 }
265
266 location ~ (index)\.php$ {
267 try_files $uri =404;
268 # slim API - split URL path into (script_filename, path_info)
269 fastcgi_split_path_info ^(.+\.php)(/.+)$;
270 # pass PHP requests to PHP-FPM
271 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
272 fastcgi_index index.php;
273 include fastcgi.conf;
274 }
275
276 location ~ \.php$ {
277 # deny access to all other PHP scripts
278 # disable this if you host other PHP applications on the same virtualhost
279 deny all;
280 }
281
282 location ~ /\. {
283 # deny access to dotfiles
284 deny all;
285 }
286
287 location ~ ~$ {
288 # deny access to temp editor files, e.g. "script.php~"
289 deny all;
290 }
291
292 location = /favicon.ico {
293 # serve the Shaarli favicon from its custom location
294 alias /var/www/shaarli/images/favicon.ico;
295 }
296
297 # allow client-side caching of static files
298 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
299 expires max;
300 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
301 # HTTP 1.0 compatibility
302 add_header Pragma public;
303 }
304
305 }
306 ```
307
308 ```bash
309 # enable the configuration/virtualhost
310 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
311 # reload nginx configuration
312 sudo systemctl reload nginx
313 ```
314
315 See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide.
316
317
318 ## Reverse proxies
319
320 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
321
322
323
324 ## Allow import of large browser bookmarks export
325
326 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
327
328 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
329 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
330
331 ```ini
332 [...]
333 # (optional) increase the maximum file upload size:
334 post_max_size = 100M
335 [...]
336 # (optional) increase the maximum file upload size:
337 upload_max_filesize = 100M
338 ```
339
340 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
341
342 ```bash
343 # example
344 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
345 #give read-only access to this file to the webserver user
346 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
347 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
348 ```
349
350 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
351
352 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
353
354
355 ## Robots and crawlers
356
357 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
358
359 ```
360 User-agent: *
361 Disallow: /
362 ```
363
364 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
365
366 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
367 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
368 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
369 - [About robots.txt](http://www.robotstxt.org)
370 - [About the robots META tag](https://www.robotstxt.org/meta.html)
371
372
373 ## Fail2ban
374
375 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
376
377 ```ini
378 # /etc/fail2ban/filter.d/shaarli-auth.conf
379 [INCLUDES]
380 before = common.conf
381 [Definition]
382 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
383 ignoreregex =
384 ```
385
386 ```ini
387 # /etc/fail2ban/jail.local
388 [shaarli-auth]
389 enabled = true
390 port = https,http
391 filter = shaarli-auth
392 logpath = /var/www/shaarli.mydomain.org/data/log.txt
393 # allow 3 login attempts per IP address
394 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
395 maxretry = 3
396 # permanently ban the IP address after reaching the limit
397 bantime = -1
398 ```
399
400 #### References
401
402 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
403 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
404 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
405 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
406 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
407 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
408 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
409 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
410 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
411 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
412 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
413 - [Nginx documentation](https://nginx.org/en/docs/)
414 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
415 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
416 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
417 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
418 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
419 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
420 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
421 - [PHP: Supported versions](http://php.net/supported-versions.php)
422 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
423 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
424 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
425 - [PHP: Bugs](https://bugs.php.net/)
426 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
427 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
428
429
The personal, minimalist, super-fast, database free, bookmarking service - community repo