-rw-r--r-- | doc/md/Reverse-proxy.md | 35 | ||||
-rw-r--r-- | doc/md/Server-configuration.md | 78 |
2 files changed, 66 insertions, 47 deletions
diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md index 77e4a04d..1c55430f 100644 --- a/doc/md/Reverse-proxy.md +++ b/doc/md/Reverse-proxy.md | |||
@@ -19,23 +19,38 @@ See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%9 | |||
19 | ServerName shaarli.mydomain.org | 19 | ServerName shaarli.mydomain.org |
20 | DocumentRoot /var/www/shaarli.mydomain.org/ | 20 | DocumentRoot /var/www/shaarli.mydomain.org/ |
21 | 21 | ||
22 | # For SSL/TLS certificates acquired with certbot or self-signed certificates | ||
22 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests | 23 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests |
23 | RewriteEngine on | 24 | RewriteEngine on |
24 | RewriteRule ^.well-known/acme-challenge/ - [L] | 25 | RewriteRule ^.well-known/acme-challenge/ - [L] |
25 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org | 26 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org |
26 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] | 27 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] |
27 | # If you are using mod_md, use this instead | ||
28 | #MDCertificateAgreement accepted | ||
29 | #MDContactEmail admin@shaarli.mydomain.org | ||
30 | #MDPrivateKeys RSA 4096 | ||
31 | </VirtualHost> | 28 | </VirtualHost> |
32 | 29 | ||
30 | # SSL/TLS configuration for Let's Encrypt certificates managed with mod_md | ||
31 | #MDomain shaarli.mydomain.org | ||
32 | #MDCertificateAgreement accepted | ||
33 | #MDContactEmail admin@shaarli.mydomain.org | ||
34 | #MDPrivateKeys RSA 4096 | ||
35 | |||
33 | <VirtualHost *:443> | 36 | <VirtualHost *:443> |
34 | ServerName shaarli.mydomain.org | 37 | ServerName shaarli.mydomain.org |
35 | 38 | ||
36 | SSLEngine on | 39 | # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone |
37 | SSLCertificateFile /path/to/certificate | 40 | SSLEngine on |
38 | SSLCertificateKeyFile /path/to/private/key | 41 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem |
42 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem | ||
43 | # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf | ||
44 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | ||
45 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | ||
46 | SSLHonorCipherOrder off | ||
47 | SSLSessionTickets off | ||
48 | SSLOptions +StrictRequire | ||
49 | |||
50 | # SSL/TLS configuration for self-signed certificates | ||
51 | #SSLEngine on | ||
52 | #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | ||
53 | #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | ||
39 | 54 | ||
40 | # let the proxied shaarli server/container know HTTPS URLs should be served | 55 | # let the proxied shaarli server/container know HTTPS URLs should be served |
41 | RequestHeader set X-Forwarded-Proto "https" | 56 | RequestHeader set X-Forwarded-Proto "https" |
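Review bot: the retained ACME exception `RewriteRule ^.well-known/acme-challenge/ - [L]` does not do what its comment says in this VirtualHost context, where the pattern is matched against the URL-path including its leading slash: against `/.well-known/acme-challenge/...` the `.` consumes the `/` and the literal `well-known` then fails on the dot, so challenge requests fall through to the HTTPS redirect on the next two lines. `RewriteRule ^/\.well-known/acme-challenge/ - [L]` would exempt them. Separately, the `:443` block now ships with the certbot `SSLCertificateFile`/`SSLCertificateKeyFile` lines active and the `MDomain` block commented out; a reader switching to mod_md also has to comment those two lines out (mod_md supplies the certificate itself), and the comment introducing the mod_md block should say so. The comment "acquired with certbot standalone" is also slightly at odds with the ACME exception: the standalone authenticator binds port 80 itself and needs Apache stopped, whereas the exception only matters for the webroot authenticator.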
@@ -75,6 +90,7 @@ backend shaarli | |||
75 | server shaarli1 127.0.0.1:10080 | 90 | server shaarli1 127.0.0.1:10080 |
76 | ``` | 91 | ``` |
77 | 92 | ||
93 | - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/) | ||
78 | 94 | ||
79 | ## Nginx | 95 | ## Nginx |
80 | 96 | ||
@@ -119,3 +135,8 @@ http { | |||
119 | } | 135 | } |
120 | ``` | 136 | ``` |
121 | 137 | ||
138 | ## References | ||
139 | |||
140 | - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) | ||
141 | - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) | ||
142 | - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) | ||
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md index 3eeaad70..bad00ac5 100644 --- a/doc/md/Server-configuration.md +++ b/doc/md/Server-configuration.md | |||
@@ -4,12 +4,15 @@ | |||
4 | 4 | ||
5 | ### Operating system and web server | 5 | ### Operating system and web server |
6 | 6 | ||
7 | Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems. | 7 | Shaarli can be hosted on dedicated/virtual servers, or shared hosting. |
8 | 8 | ||
9 | You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts). | 9 | You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts). |
10 | 10 | ||
11 | Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution. | 11 | Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution. |
12 | 12 | ||
13 | A $5/month VPS (1 CPU, 1 GiB RAM and 25 GiB SSD) will run any Shaarli installation without problems. Some hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [4](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [5](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [6](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc. | ||
14 | |||
15 | |||
13 | ### Network and domain name | 16 | ### Network and domain name |
14 | 17 | ||
15 | Try to host the server in a region that is geographically close to your users. | 18 | Try to host the server in a region that is geographically close to your users. |
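Review bot: the provider list labels the DigitalOcean links `[1]` to `[6]`, which tells the reader nothing about which one covers droplet creation, SSH keys or initial hardening; the References entry this replaces at least named one of them ("How to Add SSH Keys to Droplets"). Descriptive labels would help, and the `initial-server-setup-with-debian-8` tutorial is two releases behind the Debian 10 guides linked elsewhere in this file. Minor: two blank lines are left before `### Network and domain name`.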
@@ -61,10 +64,16 @@ Extension | Required? | Usage | |||
61 | 64 | ||
62 | Some [plugins](Plugins.md) may require additional configuration. | 65 | Some [plugins](Plugins.md) may require additional configuration. |
63 | 66 | ||
67 | - [PHP: Supported versions](http://php.net/supported-versions.php) | ||
68 | - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php) | ||
69 | - [PHP 7 Changelog](http://php.net/ChangeLog-7.php) | ||
70 | - [PHP 5 Changelog](http://php.net/ChangeLog-5.php) | ||
71 | - [PHP: Bugs](https://bugs.php.net/) | ||
72 | |||
64 | 73 | ||
65 | ## SSL/TLS (HTTPS) | 74 | ## SSL/TLS (HTTPS) |
66 | 75 | ||
67 | We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server. | 76 | We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) (SSL/[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security)) on your webserver for secure communication between clients and the server. |
68 | 77 | ||
69 | ### Let's Encrypt | 78 | ### Let's Encrypt |
70 | 79 | ||
@@ -103,6 +112,8 @@ If you don't want to rely on a certificate authority, or the server can only be | |||
103 | 112 | ||
104 | - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) | 113 | - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) |
105 | - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10) | 114 | - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10) |
115 | - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php) | ||
116 | - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority) | ||
106 | 117 | ||
107 | -------------------------------------------------------------------------------- | 118 | -------------------------------------------------------------------------------- |
108 | 119 | ||
@@ -134,17 +145,20 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf | |||
134 | ServerName shaarli.mydomain.org | 145 | ServerName shaarli.mydomain.org |
135 | DocumentRoot /var/www/shaarli.mydomain.org/ | 146 | DocumentRoot /var/www/shaarli.mydomain.org/ |
136 | 147 | ||
148 | # For SSL/TLS certificates acquired with certbot or self-signed certificates | ||
137 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests | 149 | # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests |
138 | RewriteEngine on | 150 | RewriteEngine on |
139 | RewriteRule ^.well-known/acme-challenge/ - [L] | 151 | RewriteRule ^.well-known/acme-challenge/ - [L] |
140 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org | 152 | RewriteCond %{HTTP_HOST} =shaarli.mydomain.org |
141 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] | 153 | RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] |
142 | # If you are using mod_md, use this instead | ||
143 | #MDCertificateAgreement accepted | ||
144 | #MDContactEmail admin@shaarli.mydomain.org | ||
145 | #MDPrivateKeys RSA 4096 | ||
146 | </VirtualHost> | 154 | </VirtualHost> |
147 | 155 | ||
156 | # SSL/TLS configuration for Let's Encrypt certificates managed with mod_md | ||
157 | #MDomain shaarli.mydomain.org | ||
158 | #MDCertificateAgreement accepted | ||
159 | #MDContactEmail admin@shaarli.mydomain.org | ||
160 | #MDPrivateKeys RSA 4096 | ||
161 | |||
148 | <VirtualHost *:443> | 162 | <VirtualHost *:443> |
149 | ServerName shaarli.mydomain.org | 163 | ServerName shaarli.mydomain.org |
150 | DocumentRoot /var/www/shaarli.mydomain.org/ | 164 | DocumentRoot /var/www/shaarli.mydomain.org/ |
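Review bot: the retained `RewriteRule ^.well-known/acme-challenge/ - [L]` will not exempt challenge requests in this VirtualHost context, because the pattern is matched against the URL-path with its leading `/`, and `/.well-known/acme-challenge/...` does not match `^.well-known` (the `.` matches the slash and `well-known` then fails against the dot). Use `^/\.well-known/acme-challenge/` so the redirect on the following two lines does not swallow HTTP-01 validation requests. The same block is duplicated verbatim in `doc/md/Reverse-proxy.md` in this commit, so both copies need the fix.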
@@ -160,10 +174,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf | |||
160 | SSLSessionTickets off | 174 | SSLSessionTickets off |
161 | SSLOptions +StrictRequire | 175 | SSLOptions +StrictRequire |
162 | 176 | ||
163 | # SSL/TLS configuration for Let's Encrypt certificates acquired with mod_md | 177 | # SSL/TLS configuration for self-signed certificates |
164 | #MDomain shaarli.mydomain.org | ||
165 | |||
166 | # SSL/TLS configuration (for self-signed certificates) | ||
167 | #SSLEngine on | 178 | #SSLEngine on |
168 | #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | 179 | #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem |
169 | #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | 180 | #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key |
@@ -219,7 +230,13 @@ sudo a2enmod headers | |||
219 | sudo systemctl restart apache2 | 230 | sudo systemctl restart apache2 |
220 | ``` | 231 | ``` |
221 | 232 | ||
222 | See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide. | 233 | - [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) |
234 | - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176) | ||
235 | - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/) | ||
236 | - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) | ||
237 | - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/) | ||
238 | - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html) | ||
239 | - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers) | ||
223 | 240 | ||
224 | 241 | ||
225 | ### Nginx | 242 | ### Nginx |
@@ -326,7 +343,14 @@ sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enab | |||
326 | sudo systemctl reload nginx | 343 | sudo systemctl reload nginx |
327 | ``` | 344 | ``` |
328 | 345 | ||
329 | See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide. | 346 | - [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) |
347 | - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html) | ||
348 | - [Nginx documentation](https://nginx.org/en/docs/) | ||
349 | - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html) | ||
350 | - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls) | ||
351 | - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/) | ||
352 | - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) | ||
353 | |||
330 | 354 | ||
331 | 355 | ||
332 | ## Reverse proxies | 356 | ## Reverse proxies |
@@ -413,33 +437,7 @@ bantime = -1 | |||
413 | 437 | ||
414 | Then restart the service: `sudo systemctl restart fail2ban` | 438 | Then restart the service: `sudo systemctl restart fail2ban` |
415 | 439 | ||
416 | #### References | ||
417 | |||
418 | - [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176) | ||
419 | - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/) | ||
420 | - [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) | ||
421 | - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html) | ||
422 | - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html) | ||
423 | - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls) | ||
424 | - [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/) | ||
425 | - [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/) | ||
426 | - [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html) | ||
427 | - [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers) | ||
428 | - [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/) | ||
429 | - [Nginx documentation](https://nginx.org/en/docs/) | ||
430 | - [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) | ||
431 | - [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) | ||
432 | - [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) | ||
433 | - [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) | ||
434 | - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php) | ||
435 | - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority) | ||
436 | - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml) | ||
437 | - [PHP: Supported versions](http://php.net/supported-versions.php) | ||
438 | - [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php) | ||
439 | - [PHP 7 Changelog](http://php.net/ChangeLog-7.php) | ||
440 | - [PHP 5 Changelog](http://php.net/ChangeLog-5.php) | ||
441 | - [PHP: Bugs](https://bugs.php.net/) | ||
442 | - [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) | ||
443 | - Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc. | ||
444 | 440 | ||
441 | ## What next? | ||
445 | 442 | ||
443 | [Shaarli installation](Installation.md) | ||
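Review bot: the References list is dissolved into per-section link lists, but `[Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)` is the one entry that does not reappear in any added hunk of this commit; either relocate it (it fits next to the PHP version links added above `## SSL/TLS (HTTPS)`) or state in the commit that it is dropped on purpose. The new `## What next?` heading followed by a bare `[Shaarli installation](Installation.md)` link would read better with a short sentence around it, matching the surrounding prose.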