1 files changed, 141 insertions, 0 deletions
diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md
new file mode 100644
index 00000000..b7e347d5
--- /dev/null
+++ b/doc/md/Reverse-proxy.md
@@ -0,0 +1,141 @@
+# Reverse proxy
+If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
+- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
+- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
+- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
+- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
+In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
+See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
+## Apache
+```apache
+<VirtualHost *:80>
+    ServerName shaarli.mydomain.org
+    # For SSL/TLS certificates acquired with certbot or self-signed certificates
+    # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
+    RewriteEngine on
+    RewriteRule ^.well-known/acme-challenge/ - [L]
+    RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
+    RewriteRule  ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
+</VirtualHost>
+# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
+#MDomain shaarli.mydomain.org
+#MDCertificateAgreement accepted
+#MDContactEmail admin@shaarli.mydomain.org
+#MDPrivateKeys RSA 4096
+<VirtualHost *:443>
+    ServerName shaarli.mydomain.org
+    # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
+    SSLEngine             on
+    SSLCertificateFile    /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
+    # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off
+    SSLOptions +StrictRequire
+    # SSL/TLS configuration for self-signed certificates
+    #SSLEngine             on
+    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+    # let the proxied shaarli server/container know HTTPS URLs should be served
+    RequestHeader set X-Forwarded-Proto "https"
+    # send the original SERVER_NAME to the proxied host
+    ProxyPreserveHost On
+    
+    # pass requests to the proxied host
+    # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
+    ProxyPass        / http://127.0.0.1:10080/
+    ProxyPassReverse / http://127.0.0.1:10080/
+</VirtualHost>
+```
+## HAProxy
+```conf
+global
+    [...]
+defaults
+    [...]
+frontend http-in
+    bind :80
+    redirect scheme https code 301 if !{ ssl_fc }
+    bind :443 ssl crt /path/to/cert.pem
+    default_backend shaarli
+backend shaarli
+    mode http
+    option http-server-close
+    option forwardfor
+    reqadd X-Forwarded-Proto: https
+    server shaarli1 127.0.0.1:10080
+```
+- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
+## Nginx
+```nginx
+http {
+    [...]
+    index index.html index.php;
+    root        /home/john/web;
+    access_log  /var/log/nginx/access.log combined;
+    error_log   /var/log/nginx/error.log;
+    server {
+        listen       80;
+        server_name  shaarli.mydomain.org;
+        # redirect HTTP to HTTPS
+        return       301 https://shaarli.mydomain.org$request_uri;
+    }
+    server {
+        listen       443 ssl http2;
+        server_name  shaarli.mydomain.org;
+        ssl_certificate       /path/to/certificate
+        ssl_certificate_key   /path/to/private/key
+        location / {
+            proxy_set_header  X-Real-IP         $remote_addr;
+            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header  X-Forwarded-Proto $scheme;
+            proxy_set_header  X-Forwarded-Host  $host;
+            # pass requests to the proxied host
+            proxy_pass             http://localhost:10080/;
+            proxy_set_header Host  $host;
+            proxy_connect_timeout  30s;
+            proxy_read_timeout     120s;
+        }
+    }
+}
+```
+## References
+- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
+- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
+- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)

diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md new file mode 100644 index 00000000..b7e347d5 --- /dev/null +++ b/doc/md/Reverse-proxy.md
@@ -0,0 +1,141 @@
	1	# Reverse proxy
	2
	3	If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
	4
	5	- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
	6	- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
	7	- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
	8	- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
	9
	10	In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
	11
	12	See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
	13
	14
	15	## Apache
	16
	17	```apache
	18	<VirtualHost *:80>
	19	ServerName shaarli.mydomain.org
	20
	21	# For SSL/TLS certificates acquired with certbot or self-signed certificates
	22	# Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
	23	RewriteEngine on
	24	RewriteRule ^.well-known/acme-challenge/ - [L]
	25	RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
	26	RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
	27	</VirtualHost>
	28
	29	# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
	30	#MDomain shaarli.mydomain.org
	31	#MDCertificateAgreement accepted
	32	#MDContactEmail admin@shaarli.mydomain.org
	33	#MDPrivateKeys RSA 4096
	34
	35	<VirtualHost *:443>
	36	ServerName shaarli.mydomain.org
	37
	38	# SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
	39	SSLEngine on
	40	SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
	41	SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
	42	# Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
	43	SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	44	SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	45	SSLHonorCipherOrder off
	46	SSLSessionTickets off
	47	SSLOptions +StrictRequire
	48
	49	# SSL/TLS configuration for self-signed certificates
	50	#SSLEngine on
	51	#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	52	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
	53
	54	# let the proxied shaarli server/container know HTTPS URLs should be served
	55	RequestHeader set X-Forwarded-Proto "https"
	56
	57	# send the original SERVER_NAME to the proxied host
	58	ProxyPreserveHost On
	59
	60	# pass requests to the proxied host
	61	# sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
	62	ProxyPass / http://127.0.0.1:10080/
	63	ProxyPassReverse / http://127.0.0.1:10080/
	64	</VirtualHost>
	65	```
	66
	67
	68	## HAProxy
	69
	70
	71	```conf
	72	global
	73	[...]
	74
	75	defaults
	76	[...]
	77
	78	frontend http-in
	79	bind :80
	80	redirect scheme https code 301 if !{ ssl_fc }
	81	bind :443 ssl crt /path/to/cert.pem
	82	default_backend shaarli
	83
	84	backend shaarli
	85	mode http
	86	option http-server-close
	87	option forwardfor
	88	reqadd X-Forwarded-Proto: https
	89	server shaarli1 127.0.0.1:10080
	90	```
	91
	92	- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
	93
	94	## Nginx
	95
	96
	97	```nginx
	98	http {
	99	[...]
	100
	101	index index.html index.php;
	102
	103	root /home/john/web;
	104	access_log /var/log/nginx/access.log combined;
	105	error_log /var/log/nginx/error.log;
	106
	107	server {
	108	listen 80;
	109	server_name shaarli.mydomain.org;
	110	# redirect HTTP to HTTPS
	111	return 301 https://shaarli.mydomain.org$request_uri;
	112	}
	113
	114	server {
	115	listen 443 ssl http2;
	116	server_name shaarli.mydomain.org;
	117
	118	ssl_certificate /path/to/certificate
	119	ssl_certificate_key /path/to/private/key
	120
	121	location / {
	122	proxy_set_header X-Real-IP $remote_addr;
	123	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	124	proxy_set_header X-Forwarded-Proto $scheme;
	125	proxy_set_header X-Forwarded-Host $host;
	126
	127	# pass requests to the proxied host
	128	proxy_pass http://localhost:10080/;
	129	proxy_set_header Host $host;
	130	proxy_connect_timeout 30s;
	131	proxy_read_timeout 120s;
	132	}
	133	}
	134	}
	135	```
	136
	137	## References
	138
	139	- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
	140	- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
	141	- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)