aboutsummaryrefslogtreecommitdiffhomepage
path: root/doc/md/Server-configuration.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/md/Server-configuration.md')
-rw-r--r--doc/md/Server-configuration.md211
1 files changed, 119 insertions, 92 deletions
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md
index 25dd49fe..ca82b2ec 100644
--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -1,139 +1,130 @@
1*Example virtual host configurations for popular web servers*
2 1
2- [Prerequisites](#prerequisistes)
3- [Apache](#apache) 3- [Apache](#apache)
4- [Nginx](#nginx) 4- [Nginx](#nginx)
5- [Proxies](#proxies)
6- [See also](#see-also)
5 7
6## Prerequisites 8## Prerequisites
7### Shaarli 9### Shaarli
8- Shaarli is installed in a directory readable/writeable by the user
9- the correct read/write permissions have been granted to the web server _user and/or group_
10- for HTTPS / SSL:
11 - a key pair (public, private) and a certificate have been generated
12 - the appropriate server SSL extension is installed and active
13 10
14### HTTPS, TLS and self-signed certificates 11- A web server and PHP interpreter module/service have been installed.
15Related guides: 12- You have write access to the Shaarli installation directory.
13- The correct read/write permissions have been granted to the web server user and group.
14- Your PHP interpreter is compatible with supported PHP versions:
16 15
17- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php) 16Version | Status | Shaarli compatibility
18- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority) 17:---:|:---:|:---:
19- Generate a self-signed certificate (will trigger browser warnings) with apache2: 187.2 | Supported | Yes
20 `make-ssl-cert generate-default-snakeoil --force-overwrite` will create `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key` 197.1 | Supported | Yes
207.0 | Supported | Yes
215.6 | Supported | Yes
225.5 | EOL: 2016-07-10 | Yes
235.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x)
245.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x)
21 25
22### Proxies 26- The following PHP extensions are installed on the server:
23If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set:
24 27
25- `X-Forwarded-Proto` 28Extension | Required? | Usage
26- `X-Forwarded-Host` 29---|:---:|---
27- `X-Forwarded-For` 30[`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS
31[`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support
32[`php-gd`](http://php.net/manual/en/book.image.php) | optional | thumbnail resizing
33[`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`)
34[`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way
35[`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster)
28 36
29See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues. 37--------------------------------------------------------------------------------
30 38
31## Apache 39### SSL/TLS configuration
32### Minimal
33```apache
34<VirtualHost *:80>
35 ServerName shaarli.my-domain.org
36 DocumentRoot /absolute/path/to/shaarli/
37</VirtualHost>
38```
39### Debug - Log all the things!
40This configuration will log both Apache and PHP errors, which may prove useful to identify server configuration errors.
41 40
42See: 41To setup HTTPS / SSL on your webserver (recommended), you must generate a public/private **key pair** and a **certificate**, and install, configure and activate the appropriate **webserver SSL extension**.
43 42
44- [Apache/PHP - error log per VirtualHost](http://stackoverflow.com/q/176) (StackOverflow) 43#### Let's Encrypt
45- [PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
46 44
47```apache 45[Let's Encrypt](https://en.wikipedia.org/wiki/Let%27s_Encrypt) is a certificate authority that provides free TLS/X.509 certificates via an automated process.
48<VirtualHost *:80>
49 ServerName shaarli.my-domain.org
50 DocumentRoot /absolute/path/to/shaarli/
51 46
52 LogLevel warn 47 * Install `certbot` using the appropriate method described on https://certbot.eff.org/.
53 ErrorLog /var/log/apache2/shaarli-error.log 48
54 CustomLog /var/log/apache2/shaarli-access.log combined 49Location of the `certbot` program and template configuration files may vary depending on which installation method was used. Change the file paths below accordingly. Here is an easy way to create a signed certificate using `certbot`, it assumes `certbot` was installed through APT on a Debian-based distribution:
55 50
56 php_flag log_errors on 51 * Stop the apache2/nginx service.
57 php_flag display_errors on 52 * Run `certbot --agree-tos --standalone --preferred-challenges tls-sni --email "youremail@example.com" --domain yourdomain.example.com`
58 php_value error_reporting 2147483647 53 * For the Apache webserver, copy `/usr/lib/python2.7/dist-packages/certbot_apache/options-ssl-apache.conf` to `/etc/letsencrypt/options-ssl-apache.conf` (paths may vary depending on installation method)
59 php_value error_log /var/log/apache2/shaarli-php-error.log 54 * For Nginx: TODO
60</VirtualHost> 55 * Setup your webserver as described below
61``` 56 * Restart the apache2/nginx service.
57
58#### Self-signed certificates
59
60If you don't want to request a certificate from Let's Encrypt, or are unable to (for example, webserver on a LAN, or domain name not registered in the public DNS system), you can generate a self-signed certificate. This certificate will trigger security warnings in web browsers, unless you add it to the browser's SSL store manually.
61
62* Apache: run `make-ssl-cert generate-default-snakeoil --force-overwrite`
63* Nginx: TODO
64
65--------------------------------------------------------------------------------
66
67## Apache
68
69Here is a basic configuration example for the Apache web server with `mod_php`.
70
71In `/etc/apache2/sites-available/shaarli.conf`:
62 72
63### Standard - Keep access and error logs
64```apache 73```apache
65<VirtualHost *:80> 74<VirtualHost *:443>
66 ServerName shaarli.my-domain.org 75 ServerName shaarli.my-domain.org
67 DocumentRoot /absolute/path/to/shaarli/ 76 DocumentRoot /absolute/path/to/shaarli/
68 77
78 # Logging
79 # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
69 LogLevel warn 80 LogLevel warn
70 ErrorLog /var/log/apache2/shaarli-error.log 81 ErrorLog /var/log/apache2/shaarli-error.log
71 CustomLog /var/log/apache2/shaarli-access.log combined 82 CustomLog /var/log/apache2/shaarli-access.log combined
72</VirtualHost>
73```
74 83
75### Paranoid - Redirect HTTP (:80) to HTTPS (:443) 84 # Let's Encrypt SSL configuration (recommended)
76See [Server-side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) (Mozilla). 85 SSLEngine on
86 SSLCertificateFile /etc/letsencrypt/live/yourdomain.example.com/fullchain.pem
87 SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.example.com/privkey.pem
88 Include /etc/letsencrypt/options-ssl-apache.conf
77 89
78```apache 90 # Self-signed SSL cert configuration
79<VirtualHost *:443> 91 #SSLEngine on
80 ServerName shaarli.my-domain.org 92 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
81 DocumentRoot /absolute/path/to/shaarli/ 93 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
82 94
83 SSLEngine on 95 # Optional, log PHP errors, useful for debugging
84 SSLCertificateFile /absolute/path/to/the/website/certificate.pem 96 #php_flag log_errors on
85 SSLCertificateKeyFile /absolute/path/to/the/website/key.key 97 #php_flag display_errors on
98 #php_value error_reporting 2147483647
99 #php_value error_log /var/log/apache2/shaarli-php-error.log
86 100
87 <Directory /absolute/path/to/shaarli/> 101 <Directory /absolute/path/to/shaarli/>
102 #Required for .htaccess support
88 AllowOverride All 103 AllowOverride All
89 Options Indexes FollowSymLinks MultiViews
90 Order allow,deny 104 Order allow,deny
91 allow from all 105 Allow from all
92 </Directory>
93 106
94 LogLevel warn 107 Options Indexes FollowSymLinks MultiViews #TODO is Indexes/Multiviews required?
95 ErrorLog /var/log/apache2/shaarli-error.log 108
96 CustomLog /var/log/apache2/shaarli-access.log combined 109 # Optional - required for playvideos plugin
97</VirtualHost> 110 #Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com 'unsafe-eval'"
98<VirtualHost *:80> 111 </Directory>
99 ServerName shaarli.my-domain.org
100 Redirect 301 / https://shaarli.my-domain.org
101 112
102 LogLevel warn
103 ErrorLog /var/log/apache2/shaarli-error.log
104 CustomLog /var/log/apache2/shaarli-access.log combined
105</VirtualHost> 113</VirtualHost>
106``` 114```
107 115
108### .htaccess 116Enable this configuration with `sudo a2ensite shaarli`
109 117
110Shaarli use `.htaccess` Apache files to deny access to files that shouldn't be directly accessed (datastore, config, etc.). You need the directive `AllowOverride All` in your virtual host configuration for them to work. 118_Note: If you use Apache 2.2 or lower, you need [mod_version](https://httpd.apache.org/docs/current/mod/mod_version.html) to be installed and enabled._
111 119
112**Warning**: If you use Apache 2.2 or lower, you need [mod_version](https://httpd.apache.org/docs/current/mod/mod_version.html) to be installed and enabled. 120_Note: Apache module `mod_rewrite` must be enabled to use the REST API._
113
114Apache module `mod_rewrite` **must** be enabled to use the REST API. URL rewriting rules for the Slim microframework are stated in the root `.htaccess` file.
115 121
116## LightHttpd
117 122
118## Nginx 123## Nginx
119### Foreword
120Nginx does not natively interpret PHP scripts; to this effect, we will run a [FastCGI](https://en.wikipedia.org/wiki/FastCGI) service, to which Nginx's FastCGI module will proxy all requests to PHP resources.
121
122Required packages:
123 124
124- [nginx](http://nginx.org) 125Here is a basic configuration example for the Nginx web server, using the [php-fpm](http://php-fpm.org) PHP FastCGI Process Manager, and Nginx's [FastCGI](https://en.wikipedia.org/wiki/FastCGI) module.
125- [php-fpm](http://php-fpm.org) - PHP FastCGI Process Manager
126 126
127Official documentation: 127<!--- TODO refactor everything below this point --->
128
129- [Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
130- [ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
131- [Pitfalls](http://wiki.nginx.org/Pitfalls)
132
133Community resources:
134
135- [Server-side TLS (Nginx)](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) (Mozilla)
136- [PHP configuration examples](http://kbeezie.com/nginx-configuration-examples/) (Karl Blessing)
137 128
138### Common setup 129### Common setup
139Once Nginx and PHP-FPM are installed, we need to ensure: 130Once Nginx and PHP-FPM are installed, we need to ensure:
@@ -404,3 +395,39 @@ http {
404 } 395 }
405} 396}
406``` 397```
398
399## Proxies
400If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set:
401
402- `X-Forwarded-Proto`
403- `X-Forwarded-Host`
404- `X-Forwarded-For`
405
406See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues.
407
408
409## See also
410
411 * [Server security](Server-security.md)
412
413#### Webservers
414
415- [Apache/PHP - error log per VirtualHost](http://stackoverflow.com/q/176) (StackOverflow)
416- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
417- [Server-side TLS (Apache)](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) (Mozilla)
418- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
419- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
420- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
421- [Nginx PHP configuration examples](http://kbeezie.com/nginx-configuration-examples/) (Karl Blessing)
422- [Server-side TLS (Nginx)](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) (Mozilla)
423- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
424- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
425
426#### PHP
427
428- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
429- [PHP: Supported versions](http://php.net/supported-versions.php)
430- [PHP: Unsupported versions](http://php.net/eol.php) _(EOL - End Of Life)_
431- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
432- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
433- [PHP: Bugs](https://bugs.php.net/)