Diffstat (limited to 'doc/md/Reverse-proxy.md')
-rw-r--r--doc/md/Reverse-proxy.md35
1 files changed, 28 insertions, 7 deletions
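diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md
index 77e4a04d..1c55430f 100644
--- a/doc/md/Reverse-proxy.md
+++ b/doc/md/Reverse-proxy.md
@@ -19,23 +19,38 @@ See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%9
  ServerName shaarli.mydomain.org
  DocumentRoot /var/www/shaarli.mydomain.org/
 
+ # For SSL/TLS certificates acquired with certbot or self-signed certificates
  # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
  RewriteEngine on
  RewriteRule ^.well-known/acme-challenge/ - [L]
  RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
  RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
- # If you are using mod_md, use this instead
- #MDCertificateAgreement accepted
- #MDContactEmail admin@shaarli.mydomain.org
- #MDPrivateKeys RSA 4096
 </VirtualHost>
 
+# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
+#MDomain shaarli.mydomain.org
+#MDCertificateAgreement accepted
+#MDContactEmail admin@shaarli.mydomain.org
+#MDPrivateKeys RSA 4096
+
 <VirtualHost *:443>
  ServerName shaarli.mydomain.org
 
- SSLEngine on
- SSLCertificateFile /path/to/certificate
- SSLCertificateKeyFile /path/to/private/key
+ # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
+ # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+ SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ SSLOptions +StrictRequire
+
+ # SSL/TLS configuration for self-signed certificates
+ #SSLEngine on
+ #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 
  # let the proxied shaarli server/container know HTTPS URLs should be served
  RequestHeader set X-Forwarded-Proto "https"
@@ -75,6 +90,7 @@ backend shaarli
  server shaarli1 127.0.0.1:10080
 ```
 
+- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
 
 ## Nginx
 
@@ -119,3 +135,8 @@ http {
 }
 ```
 
+## References
+
+- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
+- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
+- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)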