author: VirtualTam <virtualtam@flibidi.net> 2015-07-22 05:02:10 +0200
committer: VirtualTam <virtualtam@flibidi.net> 2015-08-04 16:02:21 +0200
commit: 992af0b9d77cb4fbac2c37ef8d5896042d67a2a3
tree: 4726baf18e7057eac3f9b6bdb5991fe6117814fc /doc/Server-configuration.html
parent: 96db105e4c0833324f7168edb5673278de8ccd54
Doc: sync from Wiki, generate HTML
Closes #291
Fixes #227

Modifications
- HTML content: match the new Wiki structure
- Makefile
  - generate a custom HTML sidebar
  - include the sidebar on all pages
  - infer and prepend page titles
  - handle relative links
  - add title metadata, e.g. Shaarli - <Page Name>

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'doc/Server-configuration.html')
-rw-r--r-- doc/Server-configuration.html 371
1 files changed, 371 insertions, 0 deletions
diff --git a/doc/Server-configuration.html b/doc/Server-configuration.html
new file mode 100644
index 00000000..de6bf488
--- /dev/null
+++ b/doc/Server-configuration.html
@@ -0,0 +1,371 @@
1<!DOCTYPE html>
2<html>
3<head>
4 <meta charset="utf-8">
5 <meta name="generator" content="pandoc">
6 <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
7 <title>Shaarli - Server configuration</title>
8 <style type="text/css">code{white-space: pre;}</style>
9 <!--[if lt IE 9]>
10 <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
11 <![endif]-->
12 <style type="text/css">
13table.sourceCode, tr.sourceCode, td.lineNumbers, td.sourceCode {
14 margin: 0; padding: 0; vertical-align: baseline; border: none; }
15table.sourceCode { width: 100%; line-height: 100%; }
16td.lineNumbers { text-align: right; padding-right: 4px; padding-left: 4px; color: #aaaaaa; border-right: 1px solid #aaaaaa; }
17td.sourceCode { padding-left: 5px; }
18code > span.kw { color: #007020; font-weight: bold; }
19code > span.dt { color: #902000; }
20code > span.dv { color: #40a070; }
21code > span.bn { color: #40a070; }
22code > span.fl { color: #40a070; }
23code > span.ch { color: #4070a0; }
24code > span.st { color: #4070a0; }
25code > span.co { color: #60a0b0; font-style: italic; }
26code > span.ot { color: #007020; }
27code > span.al { color: #ff0000; font-weight: bold; }
28code > span.fu { color: #06287e; }
29code > span.er { color: #ff0000; font-weight: bold; }
30 </style>
31 <link rel="stylesheet" href="github-markdown.css">
32</head>
33<body>
34<div id="local-sidebar">
35<ul>
36<li><a href="Home.html">Home</a></li>
37<li>Installation
38<ul>
39<li><a href="Server-requirements.html">Server requirements</a></li>
40<li><a href="Server-configuration.html">Server configuration</a></li>
41<li><a href="Shaarli-configuration.html">Shaarli configuration</a></li>
42</ul></li>
43<li><a href="Usage.html">Usage</a>
44<ul>
45<li><a href="Sharing-button.html">Sharing button</a> (bookmarklet)</li>
46<li><a href="Firefox-share.html">Firefox share</a></li>
47<li><a href="RSS-feeds.html">RSS feeds</a></li>
48</ul></li>
49<li>How To
50<ul>
51<li><a href="Backup,-restore,-import-and-export.html">Backup, restore, import and export</a></li>
52<li><a href="Copy-an-existing-installation-over-SSH-and-serve-it-locally.html">Copy an existing installation over SSH and serve it locally</a></li>
53<li><a href="Download-CSS-styles-from-an-OPML-list.html">Download CSS styles from an OPML list</a></li>
54</ul></li>
55<li><a href="Troubleshooting.html">Troubleshooting</a></li>
56<li><a href="Development.html">Development</a>
57<ul>
58<li><a href="GnuPG-signature.html">GnuPG signature</a></li>
59<li><a href="Coding-guidelines.html">Coding guidelines</a></li>
60<li><a href="Directory-structure.html">Directory structure</a></li>
61<li><a href="3rd-party-libraries.html">3rd party libraries</a></li>
62<li><a href="Plugin-System.html">Plugin System</a></li>
63<li><a href="Security.html">Security</a></li>
64<li><a href="Static-analysis.html">Static analysis</a></li>
65<li><a href="Theming.html">Theming</a></li>
66<li><a href="Unit-tests.html">Unit tests</a></li>
67</ul></li>
68<li>About
69<ul>
70<li><a href="FAQ.html">FAQ</a></li>
71<li><a href="Community-&amp;-Related-software.html">Community &amp; Related software</a></li>
72<li><a href="TODO.html">TODO</a></li>
73</ul></li>
74</ul>
75</div>
76<h1 id="server-configuration">Server configuration</h1>
77<p><em>Example virtual host configurations for popular web servers</em></p>
78<ul>
79<li><a href="#apache">Apache</a><a href=".html"></a></li>
80<li><a href="#lighthttpd">LightHttpd</a> (empty)<a href=".html"></a></li>
81<li><a href="#nginx">Nginx</a><a href=".html"></a></li>
82</ul>
83<h2 id="prerequisites">Prerequisites</h2>
84<ul>
85<li>Shaarli is installed in a directory readable/writeable by the user</li>
86<li>the correct read/write permissions have been granted to the web server <em>user and/or group</em></li>
87<li>for HTTPS / SSL:</li>
88<li>a key pair (public, private) and a certificate have been generated</li>
89<li>the appropriate server SSL extension is installed and active</li>
90</ul>
91<p>Related guides:</p>
92<ul>
93<li><a href="http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php">How to Create Self-Signed SSL Certificates with OpenSSL</a><a href=".html"></a></li>
94<li><a href="https://workaround.org/certificate-authority">How do I create my own Certificate Authority?</a><a href=".html"></a></li>
95</ul>
96<h2 id="apache">Apache</h2>
97<h3 id="minimal">Minimal</h3>
98<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
99 ServerName<span class="st"> shaarli.my-domain.org</span>
100 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
101<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
102<h3 id="debug---log-all-the-things">Debug - Log all the things!</h3>
103<p>This configuration will log both Apache and PHP errors, which may prove useful to identify server configuration errors.</p>
104<p>See:</p>
105<ul>
106<li><a href="http://stackoverflow.com/q/176">Apache/PHP - error log per VirtualHost</a> (StackOverflow)<a href=".html"></a></li>
107<li><a href="PHP:%20php_value%20vs%20php_admin_value%20and%20the%20use%20of%20php_flag%20explained">PHP: php_value vs php_admin_value and the use of php_flag explained</a><a href=".html"></a></li>
108</ul>
109<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
110 ServerName<span class="st"> shaarli.my-domain.org</span>
111 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
112
113 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
114 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
115 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
116
117 php_flag log_errors on
118 php_flag display_errors on
119 php_value error_reporting 2147483647
120 php_value error_log /var/log/apache2/shaarli-php-error.log
121<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
122<h3 id="standard---keep-access-and-error-logs">Standard - Keep access and error logs</h3>
123<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
124 ServerName<span class="st"> shaarli.my-domain.org</span>
125 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
126
127 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
128 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
129 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
130<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
131<h3 id="paranoid---redirect-http-80-to-https-443">Paranoid - Redirect HTTP (:80) to HTTPS (:443)</h3>
132<p>See <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache">Server-side TLS</a> (Mozilla).<a href=".html"></a></p>
133<pre class="sourceCode apache"><code class="sourceCode apache"><span class="fu">&lt;VirtualHost</span><span class="ot"> *:443</span><span class="fu">&gt;</span>
134 ServerName<span class="st"> shaarli.my-domain.org</span>
135 DocumentRoot<span class="st"> /absolute/path/to/shaarli/</span>
136
137 <span class="ot">SSLEngine</span><span class="ch"> </span><span class="kw">on</span>
138 SSLCertificateFile<span class="st"> /absolute/path/to/the/website/certificate.crt</span>
139 SSLCertificateKeyFile<span class="st"> /absolute/path/to/the/website/key.key</span>
140
141 <span class="fu">&lt;Directory</span><span class="ot"> /absolute/path/to/shaarli/</span><span class="fu">&gt;</span>
142 <span class="ot">AllowOverride</span><span class="ch"> </span><span class="kw">All</span>
143 <span class="ot">Options</span><span class="ch"> </span><span class="kw">Indexes</span><span class="ch"> </span><span class="kw">FollowSymLinks</span><span class="ch"> </span><span class="kw">MultiViews</span>
144 <span class="ot">Order</span><span class="ch"> </span><span class="kw">allow,deny</span>
145 allow<span class="st"> from all</span>
146 <span class="fu">&lt;/Directory&gt;</span>
147
148 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
149 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
150 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
151<span class="fu">&lt;/VirtualHost&gt;</span>
152<span class="fu">&lt;VirtualHost</span><span class="ot"> *:80</span><span class="fu">&gt;</span>
153 ServerName<span class="st"> shaarli.my-domain.org</span>
154 Redirect<span class="st"> 301 / https://shaarli.my-domain.org</span>
155
156 <span class="ot">LogLevel</span><span class="ch"> </span><span class="kw">warn</span>
157 ErrorLog<span class="st"> /var/log/apache2/shaarli-error.log</span>
158 CustomLog<span class="st"> /var/log/apache2/shaarli-access.log combined</span>
159<span class="fu">&lt;/VirtualHost&gt;</span></code></pre>
160<h2 id="lighthttpd">LightHttpd</h2>
161<h2 id="nginx">Nginx</h2>
162<h3 id="foreword">Foreword</h3>
163<p>Nginx does not natively interpret PHP scripts; to this effect, we will run a <a href="https://en.wikipedia.org/wiki/FastCGI">FastCGI</a> service, to which Nginx's FastCGI module will proxy all requests to PHP resources.<a href=".html"></a></p>
164<p>Required packages:</p>
165<ul>
166<li><a href="http://nginx.org">nginx</a><a href=".html"></a></li>
167<li><a href="http://php-fpm.org">php-fpm</a> - PHP FastCGI Process Manager<a href=".html"></a></li>
168</ul>
169<p>Official documentation:</p>
170<ul>
171<li><a href="http://nginx.org/en/docs/beginners_guide.html">Beginner's guide</a><a href=".html"></a></li>
172<li><a href="http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html">ngx_http_fastcgi_module</a><a href=".html"></a></li>
173<li><a href="http://wiki.nginx.org/Pitfalls">Pitfalls</a><a href=".html"></a></li>
174</ul>
175<p>Community resources:</p>
176<ul>
177<li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx">Server-side TLS (Nginx)</a> (Mozilla)<a href=".html"></a></li>
178<li><a href="http://kbeezie.com/nginx-configuration-examples/">PHP configuration examples</a> (Karl Blessing)<a href=".html"></a></li>
179</ul>
180<h3 id="common-setup">Common setup</h3>
181<p>Once Nginx and PHP-FPM are installed, we need to ensure:</p>
182<ul>
183<li>Nginx and PHP-FPM are running using the <em>same user and group</em></li>
184<li>both these user and group have
185<ul>
186<li><code>read</code> permissions for Shaarli resources</li>
187<li><code>execute</code> permissions for Shaarli directories <em>AND</em> their parent directories</li>
188</ul></li>
189</ul>
190<p>On a production server:</p>
191<ul>
192<li><code>user:group</code> will likely be <code>http:http</code>, <code>www:www</code> or <code>www-data:www-data</code></li>
193<li>files will be located under <code>/var/www</code>, <code>/var/http</code> or <code>/usr/share/nginx</code></li>
194</ul>
195<p>On a development server:</p>
196<ul>
197<li>files may be located in a user's home directory</li>
198<li>in this case, make sure both Nginx and PHP-FPM are running as the local user/group!</li>
199</ul>
200<p>For all following examples, a development configuration will be used:</p>
201<ul>
202<li><code>user:group = john:users</code>,</li>
203</ul>
204<p>which corresponds to the following service configuration:</p>
205<pre class="sourceCode ini"><code class="sourceCode ini"><span class="co">; /etc/php/php-fpm.conf</span>
206<span class="dt">user </span><span class="ot">=</span><span class="st"> john</span>
207<span class="dt">group </span><span class="ot">=</span><span class="st"> users</span>
208
209<span class="kw">[...][]</span><span class="dt">(.html)</span>
210<span class="dt">listen.owner </span><span class="ot">=</span><span class="st"> john</span>
211<span class="dt">listen.group </span><span class="ot">=</span><span class="st"> users</span></code></pre>
212<pre class="nginx"><code># /etc/nginx/nginx.conf
213user john users;
214
215http {
216 [...][](.html)
217}</code></pre>
218<h3 id="minimal-1">Minimal</h3>
219<p><em>WARNING: Use for development only!</em></p>
220<pre class="nginx"><code>user john users;
221worker_processes 1;
222events {
223 worker_connections 1024;
224}
225
226http {
227 include mime.types;
228 default_type application/octet-stream;
229 keepalive_timeout 20;
230
231 index index.html index.php;
232
233 server {
234 listen 80;
235 server_name localhost;
236 root /home/john/web;
237
238 access_log /var/log/nginx/access.log;
239 error_log /var/log/nginx/error.log;
240
241 location /shaarli/ {
242 access_log /var/log/nginx/shaarli.access.log;
243 error_log /var/log/nginx/shaarli.error.log;
244 }
245
246 location ~ (index)\.php$ {
247 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
248 fastcgi_index index.php;
249 include fastcgi.conf;
250 }
251 }
252}</code></pre>
253<h3 id="modular">Modular</h3>
254<p>The previous setup is sufficient for development purposes, but has several major caveats:</p>
255<ul>
256<li>every content that does not match the PHP rule will be sent to client browsers:
257<ul>
258<li>dotfiles - in our case, <code>.htaccess</code></li>
259<li>temporary files, e.g. Vim or Emacs files: <code>index.php~</code></li>
260</ul></li>
261<li>asset / static resource caching is not optimized</li>
262<li>if serving several PHP sites, there will be a lot of duplication: <code>location /shaarli/</code>, <code>location /mysite/</code>, etc.</li>
263</ul>
264<p>To solve this, we will split Nginx configuration in several parts, that will be included when needed:</p>
265<pre class="nginx"><code># /etc/nginx/deny.conf
266location ~ /\. {
267 # deny access to dotfiles
268 access_log off;
269 log_not_found off;
270 deny all;
271}
272
273location ~ ~$ {
274 # deny access to temp editor files, e.g. &quot;script.php~&quot;
275 access_log off;
276 log_not_found off;
277 deny all;
278}</code></pre>
279<pre class="nginx"><code># /etc/nginx/php.conf
280location ~ (index)\.php$ {
281 # proxy PHP requests to PHP-FPM
282 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
283 fastcgi_index index.php;
284 include fastcgi.conf;
285}</code></pre>
286<pre class="nginx"><code># /etc/nginx/static_assets.conf
287location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
288 expires max;
289 add_header Pragma public;
290 add_header Cache-Control &quot;public, must-revalidate, proxy-revalidate&quot;;
291}</code></pre>
292<pre class="nginx"><code># /etc/nginx/nginx.conf
293[...][](.html)
294
295http {
296 [...][](.html)
297
298 root /home/john/web;
299 access_log /var/log/nginx/access.log;
300 error_log /var/log/nginx/error.log;
301
302 server {
303 # virtual host for a first domain
304 listen 80;
305 server_name my.first.domain.org;
306
307 location /shaarli/ {
308 access_log /var/log/nginx/shaarli.access.log;
309 error_log /var/log/nginx/shaarli.error.log;
310 }
311
312 include deny.conf;
313 include static_assets.conf;
314 include php.conf;
315 }
316
317 server {
318 # virtual host for a second domain
319 listen 80;
320 server_name second.domain.com;
321
322 location /minigal/ {
323 access_log /var/log/nginx/minigal.access.log;
324 error_log /var/log/nginx/minigal.error.log;
325 }
326
327 include deny.conf;
328 include static_assets.conf;
329 include php.conf;
330 }
331}</code></pre>
332<h3 id="redirect-http-to-https">Redirect HTTP to HTTPS</h3>
333<p>Assuming you have generated a (self-signed) key and certificate, and they are located under <code>/home/john/ssl/localhost.{key,crt}</code>, it is pretty straightforward to set an HTTP (:80) to HTTPS (:443) redirection to force SSL/TLS usage.</p>
334<pre class="nginx"><code># /etc/nginx/nginx.conf
335[...][](.html)
336
337http {
338 [...][](.html)
339
340 index index.html index.php;
341
342 root /home/john/web;
343 access_log /var/log/nginx/access.log;
344 error_log /var/log/nginx/error.log;
345
346 server {
347 listen 80;
348 server_name localhost;
349
350 return 301 https://localhost$request_uri;
351 }
352
353 server {
354 listen 443 ssl;
355 server_name localhost;
356
357 ssl_certificate /home/john/ssl/localhost.crt;
358 ssl_certificate_key /home/john/ssl/localhost.key;
359
360 location /shaarli/ {
361 access_log /var/log/nginx/shaarli.access.log;
362 error_log /var/log/nginx/shaarli.error.log;
363 }
364
365 include deny.conf;
366 include static_assets.conf;
367 include php.conf;
368 }
369}</code></pre>
370</body>
371</html>
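Review bot: The generated output carries link-rewriting debris that lands inside the configuration examples: `[...][](.html)` appears in the php-fpm.conf and nginx.conf blocks (new lines 209, 216, 293, 296, 335, 338), and an empty `<a href=".html"></a>` trails nearly every link (e.g. lines 79-81, 93-94, 163-178). The elision marker should stay a literal `[...]`, and the relative-link step should skip empty and external targets. Line 107 also uses its own link text as the href (`PHP:%20php_value%20vs...`) instead of a URL. On the content itself: the "Paranoid" vhost sets `Options Indexes` at line 143, which enables directory listings for any directory without an index file under the Shaarli root, alongside `AllowOverride All` at line 142; I would drop `Indexes` there. The Debug vhost sets `display_errors on` at line 118 with no note that it should not be left enabled on a production host, the HTTPS sub-items at lines 88-89 have lost their nesting under line 87, and the LightHttpd heading at line 160 has no body.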