]> git.immae.eu Git - github/shaarli/Shaarli.git/blob - doc/md/Server-configuration.md
projects / github / shaarli / Shaarli.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
doc: server configuration: add note on required firewall/NAT for Let's Encrypt certif...
[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md
1 # Server configuration
2
3
4
5 ## Requirements
6
7 ### Operating system and web server
8
9 Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems.
10
11 You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
12
13 Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
14
15 ### Network and domain name
16
17 Try to host the server in a region that is geographically close to your users.
18
19 A **domain name** ([DNS record](https://opensource.com/article/17/4/introduction-domain-name-system-dns)) pointing to the server's public IP address is required to obtain a SSL/TLS certificate and setup HTTPS to secure client traffic to your Shaarli instance.
20
21 You can obtain a domain name from a [registrar](https://en.wikipedia.org/wiki/Domain_name_registrar) ([1](https://www.ovh.co.uk/domains), [2](https://www.gandi.net/en/domain)), or from free subdomain providers ([1](https://freedns.afraid.org/)). If you don't have a domain name, please set up a private domain name ([FQDN](ttps://en.wikipedia.org/wiki/Fully_qualified_domain_name)) in your clients' [hosts files](https://en.wikipedia.org/wiki/Hosts_(file)) to access the server (direct access by IP address can result in unexpected behavior).
22
23 Setup a **firewall** (using `iptables`, [ufw](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-debian-10), [fireHOL](https://firehol.org/) or any frontend of your choice) to deny all incoming traffic except `tcp/80` and `tcp/443`, which are needed to access the web server (and any other posrts you might need, like SSH). If the server is in a private network behind a NAT, ensure these **ports are forwarded** to the server.
24
25 Shaarli makes outbound HTTP/HTTPS connections to websites you bookmark to fetch page information (title, thumbnails), the server must then have access to the Internet as well, and a working DNS resolver.
26
27
28 ### PHP
29
30 Supported PHP versions:
31
32 Version | Status | Shaarli compatibility
33 :---:|:---:|:---:
34 7.3 | Supported | Yes
35 7.2 | Supported | Yes
36 7.1 | Supported | Yes
37 7.0 | EOL: 2018-12-03 | Yes (up to Shaarli 0.10.x)
38 5.6 | EOL: 2018-12-31 | Yes (up to Shaarli 0.10.x)
39 5.5 | EOL: 2016-07-10 | Yes
40 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
41 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
42
43 Required PHP extensions:
44
45 Extension | Required? | Usage
46 ---|:---:|---
47 [`openssl`](http://php.net/manual/en/book.openssl.php) | requires | OpenSSL, HTTPS
48 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
49 [`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
50 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
51 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
52 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
53 [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
54 [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
55
56 Some [plugins](Plugins.md) may require additional configuration.
57
58
59 ## SSL/TLS (HTTPS)
60
61 We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server.
62
63 For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates.
64
65 - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10)
66 - [How to secure Nginx with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-debian-10)
67 - [How To Use Certbot Standalone Mode to Retrieve Let's Encrypt SSL Certificates](https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-debian-10).
68
69 In short:
70
71 ```bash
72 # install certbot
73 sudo apt install certbot
74
75 # stop your webserver if you already have one running
76 # certbot in standalone mode needs to bind to port 80 (only needed on initial generation)
77 sudo systemctl stop apache2
78 sudo systemctl stop nginx
79
80 # generate initial certificates
81 # Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
82 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
83 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
84
85 # restart the web server
86 sudo systemctl start apache2
87 sudo systemctl start nginx
88 ```
89
90 If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli:
91
92 - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
93 - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
94
95 --------------------------------------------------------------------------------
96
97 ## Examples
98
99 The following examples assume a Debian-based operating system is installed. On other distributions you may have to adapt details such as package installation procedures, configuration file locations, and webserver username/group (`www-data` or `httpd` are common values).
100
101 In these examples we assume the document root for your web server/virtualhost is at `/var/www/shaarli.mydomain.org/`:
102
103 ```bash
104 sudo mkdir -p /var/www/shaarli.mydomain.org/
105 ```
106
107 You can install Shaarli at the root of your virtualhost, or in a subdirectory as well. See [Directory structure](Directory-structure)
108
109
110 ### Apache
111
112 ```bash
113 # Install apache + mod_php and PHP modules
114 sudo apt update
115 sudo apt install apache2 libapache2-mod-php php-json php-mbstring php-gd php-intl php-curl php-gettext
116
117 # Edit the virtualhost configuration file with your favorite editor
118 sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
119 ```
120
121 ```apache
122 <VirtualHost *:80>
123 ServerName shaarli.mydomain.org
124 DocumentRoot /var/www/shaarli.mydomain.org/
125
126 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
127 LogLevel warn
128 # Log file locations
129 ErrorLog /var/log/apache2/error.log
130 CustomLog /var/log/apache2/access.log combined
131
132 # Redirect HTTP requests to HTTPS
133 RewriteEngine on
134 RewriteRule ^.well-known/acme-challenge/ - [L]
135 # except for Let's Encrypt ACME challenge requests
136 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
137 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
138 </VirtualHost>
139
140 <VirtualHost *:443>
141 ServerName shaarli.mydomain.org
142 DocumentRoot /var/www/shaarli.mydomain.org/
143
144 # Log level. Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
145 LogLevel warn
146 # Log file locations
147 ErrorLog /var/log/apache2/error.log
148 CustomLog /var/log/apache2/access.log combined
149
150 # SSL/TLS configuration (for Let's Encrypt certificates)
151 SSLEngine on
152 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
153 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
154
155 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
156 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
157 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
158 SSLHonorCipherOrder off
159 SSLSessionTickets off
160 SSLOptions +StrictRequire
161
162 # SSL/TLS configuration (for self-signed certificates)
163 #SSLEngine on
164 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
165 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
166
167 # Optional, log PHP errors, useful for debugging
168 #php_flag log_errors on
169 #php_flag display_errors on
170 #php_value error_reporting 2147483647
171 #php_value error_log /var/log/apache2/shaarli-php-error.log
172
173 <Directory /var/www/shaarli.mydomain.org/>
174 # Required for .htaccess support
175 AllowOverride All
176 Order allow,deny
177 Allow from all
178 </Directory>
179
180 <LocationMatch "/\.">
181 # Prevent accessing dotfiles
182 RedirectMatch 404 ".*"
183 </LocationMatch>
184
185 <LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
186 # allow client-side caching of static files
187 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
188 </LocationMatch>
189
190 # serve the Shaarli favicon from its custom location
191 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
192
193 </VirtualHost>
194 ```
195
196 ```bash
197 # Enable the virtualhost
198 sudo a2ensite shaarli
199
200 # mod_ssl must be enabled to use TLS/SSL certificates
201 # https://httpd.apache.org/docs/current/mod/mod_ssl.html
202 sudo a2enmod ssl
203
204 # mod_rewrite must be enabled to use the REST API
205 # https://httpd.apache.org/docs/current/mod/mod_rewrite.html
206 sudo a2enmod rewrite
207
208 # mod_version must only be enabled if you use Apache 2.2 or lower
209 # https://httpd.apache.org/docs/current/mod/mod_version.html
210 # sudo a2enmod version
211
212 # restart the apache service
213 systemctl restart apache
214 ```
215
216 See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide.
217
218 ### Nginx
219
220 This examples uses nginx and the [PHP-FPM](https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mariadb-php-lemp-stack-on-debian-10#step-3-%E2%80%94-installing-php-for-processing) PHP interpreter. Nginx and PHP-FPM must be running using the same user and group, here we assume the user/group to be `www-data:www-data`.
221
222
223 ```bash
224 # install nginx and php-fpm
225 sudo apt update
226 sudo apt install nginx php-fpm
227
228 # Edit the virtualhost configuration file with your favorite editor
229 sudo nano /etc/nginx/sites-available/shaarli.mydomain.org
230 ```
231
232 ```nginx
233 server {
234 listen 80;
235 server_name shaarli.mydomain.org;
236
237 # redirect all plain HTTP requests to HTTPS
238 return 301 https://shaarli.mydomain.org$request_uri;
239 }
240
241 server {
242 listen 443 ssl;
243 server_name shaarli.mydomain.org;
244 root /var/www/shaarli.mydomain.org;
245
246 # log file locations
247 # combined log format prepends the virtualhost/domain name to log entries
248 access_log /var/log/nginx/access.log combined;
249 error_log /var/log/nginx/error.log;
250
251 # paths to private key and certificates for SSL/TLS
252 ssl_certificate /etc/ssl/shaarli.mydomain.org.crt;
253 ssl_certificate_key /etc/ssl/private/shaarli.mydomain.org.key;
254
255 # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
256 ssl_session_cache shared:le_nginx_SSL:10m;
257 ssl_session_timeout 1440m;
258 ssl_session_tickets off;
259 ssl_protocols TLSv1.2 TLSv1.3;
260 ssl_prefer_server_ciphers off;
261 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
262
263 # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
264 client_max_body_size 100m;
265
266 # relative path to shaarli from the root of the webserver
267 location / {
268 # default index file when no file URI is requested
269 index index.php;
270 try_files $uri /index.php$is_args$args;
271 }
272
273 location ~ (index)\.php$ {
274 try_files $uri =404;
275 # slim API - split URL path into (script_filename, path_info)
276 fastcgi_split_path_info ^(.+\.php)(/.+)$;
277 # pass PHP requests to PHP-FPM
278 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
279 fastcgi_index index.php;
280 include fastcgi.conf;
281 }
282
283 location ~ \.php$ {
284 # deny access to all other PHP scripts
285 # disable this if you host other PHP applications on the same virtualhost
286 deny all;
287 }
288
289 location ~ /\. {
290 # deny access to dotfiles
291 deny all;
292 }
293
294 location ~ ~$ {
295 # deny access to temp editor files, e.g. "script.php~"
296 deny all;
297 }
298
299 location = /favicon.ico {
300 # serve the Shaarli favicon from its custom location
301 alias /var/www/shaarli/images/favicon.ico;
302 }
303
304 # allow client-side caching of static files
305 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
306 expires max;
307 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
308 # HTTP 1.0 compatibility
309 add_header Pragma public;
310 }
311
312 }
313 ```
314
315 ```bash
316 # enable the configuration/virtualhost
317 sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enabled/shaarli.mydomain.org
318 # reload nginx configuration
319 sudo systemctl reload nginx
320 ```
321
322 See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide.
323
324
325 ## Reverse proxies
326
327 If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration.
328
329
330
331 ## Allow import of large browser bookmarks export
332
333 Web browser bookmark exports can be large due to the presence of base64-encoded images and favicons/long subfolder names. Edit the PHP configuration file.
334
335 - Apache: `/etc/php/<PHP_VERSION>/apache2/php.ini`
336 - Nginx + PHP-FPM: `/etc/php/<PHP_VERSION>/fpm/php.ini` (in addition to `client_max_body_size` in the [Nginx configuration](#nginx))
337
338 ```ini
339 [...]
340 # (optional) increase the maximum file upload size:
341 post_max_size = 100M
342 [...]
343 # (optional) increase the maximum file upload size:
344 upload_max_filesize = 100M
345 ```
346
347 To verify PHP settings currently set on the server, create a `phpinfo.php` in your webserver's document root
348
349 ```bash
350 # example
351 echo '<?php phpinfo(); ?>' | sudo tee /var/www/shaarli.mydomain.org/phpinfo.php
352 #give read-only access to this file to the webserver user
353 sudo chown www-data:root /var/www/shaarli.mydomain.org/phpinfo.php
354 sudo chmod 0400 /var/www/shaarli.mydomain.org/phpinfo.php
355 ```
356
357 Access the file from a web browser (eg. <https://shaarli.mydomain.org/phpinfo.php> and look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
358
359 It is recommended to remove the `phpinfo.php` when no longer needed as it publicly discloses details about your webserver configuration.
360
361
362 ## Robots and crawlers
363
364 To opt-out of indexing your Shaarli instance by search engines, create a `robots.txt` file at the root of your virtualhost:
365
366 ```
367 User-agent: *
368 Disallow: /
369 ```
370
371 By default Shaarli already disallows indexing of your local copy of the documentation by default, using `<meta name="robots">` HTML tags. Your Shaarli instance may still be indexed by various robots on the public Internet, that do not respect this header or the robots standard.
372
373 - [Robots exclusion standard](https://en.wikipedia.org/wiki/Robots_exclusion_standard)
374 - [Introduction to robots.txt](https://support.google.com/webmasters/answer/6062608?hl=en)
375 - [Robots meta tag, data-nosnippet, and X-Robots-Tag specifications](https://developers.google.com/search/reference/robots_meta_tag)
376 - [About robots.txt](http://www.robotstxt.org)
377 - [About the robots META tag](https://www.robotstxt.org/meta.html)
378
379
380 ## Fail2ban
381
382 [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts. You need to create a filter to detect shaarli login failures in logs, and a jail configuation to configure the behavior when failed login attempts are detected:
383
384 ```ini
385 # /etc/fail2ban/filter.d/shaarli-auth.conf
386 [INCLUDES]
387 before = common.conf
388 [Definition]
389 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
390 ignoreregex =
391 ```
392
393 ```ini
394 # /etc/fail2ban/jail.local
395 [shaarli-auth]
396 enabled = true
397 port = https,http
398 filter = shaarli-auth
399 logpath = /var/www/shaarli.mydomain.org/data/log.txt
400 # allow 3 login attempts per IP address
401 # (over a period specified by findtime = in /etc/fail2ban/jail.conf)
402 maxretry = 3
403 # permanently ban the IP address after reaching the limit
404 bantime = -1
405 ```
406
407 #### References
408
409 - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
410 - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
411 - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
412 - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
413 - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
414 - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
415 - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
416 - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
417 - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
418 - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
419 - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
420 - [Nginx documentation](https://nginx.org/en/docs/)
421 - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
422 - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
423 - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
424 - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
425 - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
426 - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
427 - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
428 - [PHP: Supported versions](http://php.net/supported-versions.php)
429 - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
430 - [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
431 - [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
432 - [PHP: Bugs](https://bugs.php.net/)
433 - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
434 - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
435
436
The personal, minimalist, super-fast, database free, bookmarking service - community repo