1 files changed, 116 insertions, 0 deletions
diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md
new file mode 100644
index 00000000..2c1c601e
--- /dev/null
+++ b/doc/md/Reverse-proxy.md
@@ -0,0 +1,116 @@
+# Reverse proxy
+If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
+- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
+- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
+- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
+- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
+In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
+See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
+## Apache
+```apache
+<VirtualHost *:80>
+    ServerName shaarli.mydomain.org
+    # Redirect HTTP to HTTPS
+    Redirect permanent / https://shaarli.mydomain.org
+</VirtualHost>
+<VirtualHost *:443>
+    ServerName shaarli.mydomain.org
+    SSLEngine on
+    SSLCertificateFile    /path/to/certificate
+    SSLCertificateKeyFile /path/to/private/key
+    LogLevel warn
+    ErrorLog  /var/log/apache2/error.log
+    CustomLog /var/log/apache2/access.log combined
+    # let the proxied shaarli server/container know HTTPS URLs should be served
+    RequestHeader set X-Forwarded-Proto "https"
+    # send the original SERVER_NAME to the proxied host
+    ProxyPreserveHost On
+    
+    # pass requests to the proxied host
+    # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
+    ProxyPass        / http://127.0.0.1:10080/
+    ProxyPassReverse / http://127.0.0.1:10080/
+</VirtualHost>
+```
+## HAProxy
+```conf
+global
+    [...]
+defaults
+    [...]
+frontend http-in
+    bind :80
+    redirect scheme https code 301 if !{ ssl_fc }
+    bind :443 ssl crt /path/to/cert.pem
+    default_backend shaarli
+backend shaarli
+    mode http
+    option http-server-close
+    option forwardfor
+    reqadd X-Forwarded-Proto: https
+    server shaarli1 127.0.0.1:10080
+```
+## Nginx
+```nginx
+http {
+    [...]
+    index index.html index.php;
+    root        /home/john/web;
+    access_log  /var/log/nginx/access.log combined;
+    error_log   /var/log/nginx/error.log;
+    server {
+        listen       80;
+        server_name  shaarli.mydomain.org;
+        # redirect HTTP to HTTPS
+        return       301 https://shaarli.mydomain.org$request_uri;
+    }
+    server {
+        listen       443 ssl http2;
+        server_name  shaarli.mydomain.org;
+        ssl_certificate       /path/to/certificate
+        ssl_certificate_key   /path/to/private/key
+        location / {
+            proxy_set_header  X-Real-IP         $remote_addr;
+            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header  X-Forwarded-Proto $scheme;
+            proxy_set_header  X-Forwarded-Host  $host;
+            # pass requests to the proxied host
+            proxy_pass             http://localhost:10080/;
+            proxy_set_header Host  $host;
+            proxy_connect_timeout  30s;
+            proxy_read_timeout     120s;
+        }
+    }
+}
+```

diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md new file mode 100644 index 00000000..2c1c601e --- /dev/null +++ b/doc/md/Reverse-proxy.md
@@ -0,0 +1,116 @@
	1	# Reverse proxy
	2
	3	If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
	4
	5	- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
	6	- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
	7	- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
	8	- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
	9
	10	In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
	11
	12	See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
	13
	14
	15	## Apache
	16
	17	```apache
	18	<VirtualHost *:80>
	19	ServerName shaarli.mydomain.org
	20	# Redirect HTTP to HTTPS
	21	Redirect permanent / https://shaarli.mydomain.org
	22	</VirtualHost>
	23
	24	<VirtualHost *:443>
	25	ServerName shaarli.mydomain.org
	26
	27	SSLEngine on
	28	SSLCertificateFile /path/to/certificate
	29	SSLCertificateKeyFile /path/to/private/key
	30
	31	LogLevel warn
	32	ErrorLog /var/log/apache2/error.log
	33	CustomLog /var/log/apache2/access.log combined
	34
	35	# let the proxied shaarli server/container know HTTPS URLs should be served
	36	RequestHeader set X-Forwarded-Proto "https"
	37
	38	# send the original SERVER_NAME to the proxied host
	39	ProxyPreserveHost On
	40
	41	# pass requests to the proxied host
	42	# sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
	43	ProxyPass / http://127.0.0.1:10080/
	44	ProxyPassReverse / http://127.0.0.1:10080/
	45	</VirtualHost>
	46	```
	47
	48
	49	## HAProxy
	50
	51
	52	```conf
	53	global
	54	[...]
	55
	56	defaults
	57	[...]
	58
	59	frontend http-in
	60	bind :80
	61	redirect scheme https code 301 if !{ ssl_fc }
	62	bind :443 ssl crt /path/to/cert.pem
	63	default_backend shaarli
	64
	65	backend shaarli
	66	mode http
	67	option http-server-close
	68	option forwardfor
	69	reqadd X-Forwarded-Proto: https
	70	server shaarli1 127.0.0.1:10080
	71	```
	72
	73
	74	## Nginx
	75
	76
	77	```nginx
	78	http {
	79	[...]
	80
	81	index index.html index.php;
	82
	83	root /home/john/web;
	84	access_log /var/log/nginx/access.log combined;
	85	error_log /var/log/nginx/error.log;
	86
	87	server {
	88	listen 80;
	89	server_name shaarli.mydomain.org;
	90	# redirect HTTP to HTTPS
	91	return 301 https://shaarli.mydomain.org$request_uri;
	92	}
	93
	94	server {
	95	listen 443 ssl http2;
	96	server_name shaarli.mydomain.org;
	97
	98	ssl_certificate /path/to/certificate
	99	ssl_certificate_key /path/to/private/key
	100
	101	location / {
	102	proxy_set_header X-Real-IP $remote_addr;
	103	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	104	proxy_set_header X-Forwarded-Proto $scheme;
	105	proxy_set_header X-Forwarded-Host $host;
	106
	107	# pass requests to the proxied host
	108	proxy_pass http://localhost:10080/;
	109	proxy_set_header Host $host;
	110	proxy_connect_timeout 30s;
	111	proxy_read_timeout 120s;
	112	}
	113	}
	114	}
	115	```
	116