diff options
author | nodiscc <nodiscc@gmail.com> | 2020-08-16 20:12:45 +0200 |
---|---|---|
committer | nodiscc <nodiscc@gmail.com> | 2020-09-12 14:31:45 +0200 |
commit | f682f1b899641cde2617e6c2185d439b91d4338f (patch) | |
tree | 84bdf1883107fa473d089987083e931b003b7722 /doc/md/Reverse-proxy.md | |
parent | 083b28021a34120778c203c85be6461a426cfa44 (diff) | |
download | Shaarli-f682f1b899641cde2617e6c2185d439b91d4338f.tar.gz Shaarli-f682f1b899641cde2617e6c2185d439b91d4338f.tar.zst Shaarli-f682f1b899641cde2617e6c2185d439b91d4338f.zip |
doc: serve configuration/reverse proxy: fix apache mod_md configuration, move reference links to their respective sections, shorten
Diffstat (limited to 'doc/md/Reverse-proxy.md')
-rw-r--r-- | doc/md/Reverse-proxy.md | 35 |
1 files changed, 28 insertions, 7 deletions
diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md index 77e4a04d..1c55430f 100644 --- a/doc/md/Reverse-proxy.md +++ b/doc/md/Reverse-proxy.md | |||
@@ -19,23 +19,38 @@ See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%9 | |||
19 | ServerName shaarli.mydomain.org | 19 | ServerName shaarli.mydomain.org |
20 | DocumentRoot /var/www/shaarli.mydomain.org/ | 20 | DocumentRoot /var/www/shaarli.mydomain.org/ |
21 | 21 | ||
22 | # For SSL/TLS certificates acquired with certbot or self-signed certificates | ||
22 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests | 23 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests |
23 | RewriteEngine on | 24 | RewriteEngine on |
24 | RewriteRule ^.well-known/acme-challenge/ - [L] | 25 | RewriteRule ^.well-known/acme-challenge/ - [L] |
25 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org | 26 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org |
26 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] | 27 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] |
27 | # If you are using mod_md, use this instead | ||
28 | #MDCertificateAgreement accepted | ||
29 | #MDContactEmail admin@shaarli.mydomain.org | ||
30 | #MDPrivateKeys RSA 4096 | ||
31 | </VirtualHost> | 28 | </VirtualHost> |
32 | 29 | ||
30 | # SSL/TLS configuration for Let's Encrypt certificates managed with mod_md | ||
31 | #MDomain shaarli.mydomain.org | ||
32 | #MDCertificateAgreement accepted | ||
33 | #MDContactEmail admin@shaarli.mydomain.org | ||
34 | #MDPrivateKeys RSA 4096 | ||
35 | |||
33 | <VirtualHost *:443> | 36 | <VirtualHost *:443> |
34 | ServerName shaarli.mydomain.org | 37 | ServerName shaarli.mydomain.org |
35 | 38 | ||
36 | SSLEngine on | 39 | # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone |
37 | SSLCertificateFile /path/to/certificate | 40 | SSLEngine on |
38 | SSLCertificateKeyFile /path/to/private/key | 41 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem |
42 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem | ||
43 | # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf | ||
44 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | ||
45 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | ||
46 | SSLHonorCipherOrder off | ||
47 | SSLSessionTickets off | ||
48 | SSLOptions +StrictRequire | ||
49 | |||
50 | # SSL/TLS configuration for self-signed certificates | ||
51 | #SSLEngine on | ||
52 | #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | ||
53 | #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | ||
39 | 54 | ||
40 | # let the proxied shaarli server/container know HTTPS URLs should be served | 55 | # let the proxied shaarli server/container know HTTPS URLs should be served |
41 | RequestHeader set X-Forwarded-Proto "https" | 56 | RequestHeader set X-Forwarded-Proto "https" |
@@ -75,6 +90,7 @@ backend shaarli | |||
75 | server shaarli1 127.0.0.1:10080 | 90 | server shaarli1 127.0.0.1:10080 |
76 | ``` | 91 | ``` |
77 | 92 | ||
93 | - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/) | ||
78 | 94 | ||
79 | ## Nginx | 95 | ## Nginx |
80 | 96 | ||
@@ -119,3 +135,8 @@ http { | |||
119 | } | 135 | } |
120 | ``` | 136 | ``` |
121 | 137 | ||
138 | ## References | ||
139 | |||
140 | - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) | ||
141 | - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) | ||
142 | - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) | ||