doc: server configuration: add note on required firewall/NAT for Let's Encrypt certif...

[github/shaarli/Shaarli.git] / doc / md / Server-configuration.md

diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md
index 2bb403e59685e415e969dfd1204d11776a295f96..f14be7f38b89e4ea449eaf10be1f22c95442e50d 100644 (file)
--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -44,8 +44,9 @@ Required PHP extensions:
 
 Extension | Required? | Usage
 ---|:---:|---
-[`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
+[`openssl`](http://php.net/manual/en/book.openssl.php) | requires | OpenSSL, HTTPS
 [`php-json`](http://php.net/manual/en/book.json.php) | required | configuration parsing
+[`php-simplexml`](https://www.php.net/manual/en/book.simplexml.php) | required | REST API (Slim framework)
 [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
 [`php-gd`](http://php.net/manual/en/book.image.php) | optional | required to use thumbnails
 [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->è->f`)
@@ -76,7 +77,8 @@ sudo apt install certbot
 sudo systemctl stop apache2
 sudo systemctl stop nginx
 
-# generate initial certificates - Let's Encrypt ACME servers must be able to access your server!
+# generate initial certificates
+# Let's Encrypt ACME servers must be able to access your server! port forwarding and firewall must be properly configured
 sudo certbot certonly --standalone --noninteractive --agree-tos --email "admin@shaarli.mydomain.org" -d shaarli.mydomain.org
 # this will generate a private key and certificate at /etc/letsencrypt/live/shaarli.mydomain.org/{privkey,fullchain}.pem
 
@@ -250,6 +252,14 @@ server {
     ssl_certificate      /etc/ssl/shaarli.mydomain.org.crt;
     ssl_certificate_key  /etc/ssl/private/shaarli.mydomain.org.key;
 
+    # Let's Encrypt SSL settings from https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
+    ssl_session_cache shared:le_nginx_SSL:10m;
+    ssl_session_timeout 1440m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
     # increase the maximum file upload size if needed: by default nginx limits file upload to 1MB (413 Entity Too Large error)
     client_max_body_size 100m;