aboutsummaryrefslogtreecommitdiffhomepage
path: root/doc/md/Reverse-proxy.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/md/Reverse-proxy.md')
-rw-r--r--doc/md/Reverse-proxy.md116
1 files changed, 116 insertions, 0 deletions
diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md
new file mode 100644
index 00000000..2c1c601e
--- /dev/null
+++ b/doc/md/Reverse-proxy.md
@@ -0,0 +1,116 @@
1# Reverse proxy
2
3If Shaarli is hosted on a server behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See [Reverse proxy](Reverse-proxy.md) configuration. In this example:
4
5- The Shaarli application server exposes port `10080` to the proxy (for example docker container started with `--publish 127.0.0.1:10080:80`).
6- The Shaarli application server runs at `127.0.0.1` (container). Replace with the server's IP address if running on a different machine.
7- Shaarli's Fully Qualified Domain Name (FQDN) is `shaarli.mydomain.org`.
8- No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.
9
10In your [Shaarli configuration](Shaarli-configuration) `data/config.json.php`, add the public IP of your proxy under `security.trusted_proxies`.
11
12See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
13
14
15## Apache
16
17```apache
18<VirtualHost *:80>
19 ServerName shaarli.mydomain.org
20 # Redirect HTTP to HTTPS
21 Redirect permanent / https://shaarli.mydomain.org
22</VirtualHost>
23
24<VirtualHost *:443>
25 ServerName shaarli.mydomain.org
26
27 SSLEngine on
28 SSLCertificateFile /path/to/certificate
29 SSLCertificateKeyFile /path/to/private/key
30
31 LogLevel warn
32 ErrorLog /var/log/apache2/error.log
33 CustomLog /var/log/apache2/access.log combined
34
35 # let the proxied shaarli server/container know HTTPS URLs should be served
36 RequestHeader set X-Forwarded-Proto "https"
37
38 # send the original SERVER_NAME to the proxied host
39 ProxyPreserveHost On
40
41 # pass requests to the proxied host
42 # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
43 ProxyPass / http://127.0.0.1:10080/
44 ProxyPassReverse / http://127.0.0.1:10080/
45</VirtualHost>
46```
47
48
49## HAProxy
50
51
52```conf
53global
54 [...]
55
56defaults
57 [...]
58
59frontend http-in
60 bind :80
61 redirect scheme https code 301 if !{ ssl_fc }
62 bind :443 ssl crt /path/to/cert.pem
63 default_backend shaarli
64
65backend shaarli
66 mode http
67 option http-server-close
68 option forwardfor
69 reqadd X-Forwarded-Proto: https
70 server shaarli1 127.0.0.1:10080
71```
72
73
74## Nginx
75
76
77```nginx
78http {
79 [...]
80
81 index index.html index.php;
82
83 root /home/john/web;
84 access_log /var/log/nginx/access.log combined;
85 error_log /var/log/nginx/error.log;
86
87 server {
88 listen 80;
89 server_name shaarli.mydomain.org;
90 # redirect HTTP to HTTPS
91 return 301 https://shaarli.mydomain.org$request_uri;
92 }
93
94 server {
95 listen 443 ssl http2;
96 server_name shaarli.mydomain.org;
97
98 ssl_certificate /path/to/certificate
99 ssl_certificate_key /path/to/private/key
100
101 location / {
102 proxy_set_header X-Real-IP $remote_addr;
103 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
104 proxy_set_header X-Forwarded-Proto $scheme;
105 proxy_set_header X-Forwarded-Host $host;
106
107 # pass requests to the proxied host
108 proxy_pass http://localhost:10080/;
109 proxy_set_header Host $host;
110 proxy_connect_timeout 30s;
111 proxy_read_timeout 120s;
112 }
113 }
114}
115```
116