diff options
Diffstat (limited to 'doc/md/Server-configuration.md')
-rw-r--r-- | doc/md/Server-configuration.md | 211 |
1 files changed, 119 insertions, 92 deletions
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md index 25dd49fe..ca82b2ec 100644 --- a/doc/md/Server-configuration.md +++ b/doc/md/Server-configuration.md | |||
@@ -1,139 +1,130 @@ | |||
1 | *Example virtual host configurations for popular web servers* | ||
2 | 1 | ||
2 | - [Prerequisites](#prerequisistes) | ||
3 | - [Apache](#apache) | 3 | - [Apache](#apache) |
4 | - [Nginx](#nginx) | 4 | - [Nginx](#nginx) |
5 | - [Proxies](#proxies) | ||
6 | - [See also](#see-also) | ||
5 | 7 | ||
6 | ## Prerequisites | 8 | ## Prerequisites |
7 | ### Shaarli | 9 | ### Shaarli |
8 | - Shaarli is installed in a directory readable/writeable by the user | ||
9 | - the correct read/write permissions have been granted to the web server _user and/or group_ | ||
10 | - for HTTPS / SSL: | ||
11 | - a key pair (public, private) and a certificate have been generated | ||
12 | - the appropriate server SSL extension is installed and active | ||
13 | 10 | ||
14 | ### HTTPS, TLS and self-signed certificates | 11 | - A web server and PHP interpreter module/service have been installed. |
15 | Related guides: | 12 | - You have write access to the Shaarli installation directory. |
13 | - The correct read/write permissions have been granted to the web server user and group. | ||
14 | - Your PHP interpreter is compatible with supported PHP versions: | ||
16 | 15 | ||
17 | - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php) | 16 | Version | Status | Shaarli compatibility |
18 | - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority) | 17 | :---:|:---:|:---: |
19 | - Generate a self-signed certificate (will trigger browser warnings) with apache2: | 18 | 7.2 | Supported | Yes |
20 | `make-ssl-cert generate-default-snakeoil --force-overwrite` will create `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key` | 19 | 7.1 | Supported | Yes |
20 | 7.0 | Supported | Yes | ||
21 | 5.6 | Supported | Yes | ||
22 | 5.5 | EOL: 2016-07-10 | Yes | ||
23 | 5.4 | EOL: 2015-09-14 | Yes (up to Shaarli 0.8.x) | ||
24 | 5.3 | EOL: 2014-08-14 | Yes (up to Shaarli 0.8.x) | ||
21 | 25 | ||
22 | ### Proxies | 26 | - The following PHP extensions are installed on the server: |
23 | If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set: | ||
24 | 27 | ||
25 | - `X-Forwarded-Proto` | 28 | Extension | Required? | Usage |
26 | - `X-Forwarded-Host` | 29 | ---|:---:|--- |
27 | - `X-Forwarded-For` | 30 | [`openssl`](http://php.net/manual/en/book.openssl.php) | All | OpenSSL, HTTPS |
31 | [`php-mbstring`](http://php.net/manual/en/book.mbstring.php) | CentOS, Fedora, RHEL, Windows, some hosting providers | multibyte (Unicode) string support | ||
32 | [`php-gd`](http://php.net/manual/en/book.image.php) | optional | thumbnail resizing | ||
33 | [`php-intl`](http://php.net/manual/en/book.intl.php) | optional | localized text sorting (e.g. `e->รจ->f`) | ||
34 | [`php-curl`](http://php.net/manual/en/book.curl.php) | optional | using cURL for fetching webpages and thumbnails in a more robust way | ||
35 | [`php-gettext`](http://php.net/manual/en/book.gettext.php) | optional | Use the translation system in gettext mode (faster) | ||
28 | 36 | ||
29 | See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues. | 37 | -------------------------------------------------------------------------------- |
30 | 38 | ||
31 | ## Apache | 39 | ### SSL/TLS configuration |
32 | ### Minimal | ||
33 | ```apache | ||
34 | <VirtualHost *:80> | ||
35 | ServerName shaarli.my-domain.org | ||
36 | DocumentRoot /absolute/path/to/shaarli/ | ||
37 | </VirtualHost> | ||
38 | ``` | ||
39 | ### Debug - Log all the things! | ||
40 | This configuration will log both Apache and PHP errors, which may prove useful to identify server configuration errors. | ||
41 | 40 | ||
42 | See: | 41 | To setup HTTPS / SSL on your webserver (recommended), you must generate a public/private **key pair** and a **certificate**, and install, configure and activate the appropriate **webserver SSL extension**. |
43 | 42 | ||
44 | - [Apache/PHP - error log per VirtualHost](http://stackoverflow.com/q/176) (StackOverflow) | 43 | #### Let's Encrypt |
45 | - [PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/) | ||
46 | 44 | ||
47 | ```apache | 45 | [Let's Encrypt](https://en.wikipedia.org/wiki/Let%27s_Encrypt) is a certificate authority that provides free TLS/X.509 certificates via an automated process. |
48 | <VirtualHost *:80> | ||
49 | ServerName shaarli.my-domain.org | ||
50 | DocumentRoot /absolute/path/to/shaarli/ | ||
51 | 46 | ||
52 | LogLevel warn | 47 | * Install `certbot` using the appropriate method described on https://certbot.eff.org/. |
53 | ErrorLog /var/log/apache2/shaarli-error.log | 48 | |
54 | CustomLog /var/log/apache2/shaarli-access.log combined | 49 | Location of the `certbot` program and template configuration files may vary depending on which installation method was used. Change the file paths below accordingly. Here is an easy way to create a signed certificate using `certbot`, it assumes `certbot` was installed through APT on a Debian-based distribution: |
55 | 50 | ||
56 | php_flag log_errors on | 51 | * Stop the apache2/nginx service. |
57 | php_flag display_errors on | 52 | * Run `certbot --agree-tos --standalone --preferred-challenges tls-sni --email "youremail@example.com" --domain yourdomain.example.com` |
58 | php_value error_reporting 2147483647 | 53 | * For the Apache webserver, copy `/usr/lib/python2.7/dist-packages/certbot_apache/options-ssl-apache.conf` to `/etc/letsencrypt/options-ssl-apache.conf` (paths may vary depending on installation method) |
59 | php_value error_log /var/log/apache2/shaarli-php-error.log | 54 | * For Nginx: TODO |
60 | </VirtualHost> | 55 | * Setup your webserver as described below |
61 | ``` | 56 | * Restart the apache2/nginx service. |
57 | |||
58 | #### Self-signed certificates | ||
59 | |||
60 | If you don't want to request a certificate from Let's Encrypt, or are unable to (for example, webserver on a LAN, or domain name not registered in the public DNS system), you can generate a self-signed certificate. This certificate will trigger security warnings in web browsers, unless you add it to the browser's SSL store manually. | ||
61 | |||
62 | * Apache: run `make-ssl-cert generate-default-snakeoil --force-overwrite` | ||
63 | * Nginx: TODO | ||
64 | |||
65 | -------------------------------------------------------------------------------- | ||
66 | |||
67 | ## Apache | ||
68 | |||
69 | Here is a basic configuration example for the Apache web server with `mod_php`. | ||
70 | |||
71 | In `/etc/apache2/sites-available/shaarli.conf`: | ||
62 | 72 | ||
63 | ### Standard - Keep access and error logs | ||
64 | ```apache | 73 | ```apache |
65 | <VirtualHost *:80> | 74 | <VirtualHost *:443> |
66 | ServerName shaarli.my-domain.org | 75 | ServerName shaarli.my-domain.org |
67 | DocumentRoot /absolute/path/to/shaarli/ | 76 | DocumentRoot /absolute/path/to/shaarli/ |
68 | 77 | ||
78 | # Logging | ||
79 | # Possible values include: debug, info, notice, warn, error, crit, alert, emerg. | ||
69 | LogLevel warn | 80 | LogLevel warn |
70 | ErrorLog /var/log/apache2/shaarli-error.log | 81 | ErrorLog /var/log/apache2/shaarli-error.log |
71 | CustomLog /var/log/apache2/shaarli-access.log combined | 82 | CustomLog /var/log/apache2/shaarli-access.log combined |
72 | </VirtualHost> | ||
73 | ``` | ||
74 | 83 | ||
75 | ### Paranoid - Redirect HTTP (:80) to HTTPS (:443) | 84 | # Let's Encrypt SSL configuration (recommended) |
76 | See [Server-side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) (Mozilla). | 85 | SSLEngine on |
86 | SSLCertificateFile /etc/letsencrypt/live/yourdomain.example.com/fullchain.pem | ||
87 | SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.example.com/privkey.pem | ||
88 | Include /etc/letsencrypt/options-ssl-apache.conf | ||
77 | 89 | ||
78 | ```apache | 90 | # Self-signed SSL cert configuration |
79 | <VirtualHost *:443> | 91 | #SSLEngine on |
80 | ServerName shaarli.my-domain.org | 92 | #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem |
81 | DocumentRoot /absolute/path/to/shaarli/ | 93 | #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key |
82 | 94 | ||
83 | SSLEngine on | 95 | # Optional, log PHP errors, useful for debugging |
84 | SSLCertificateFile /absolute/path/to/the/website/certificate.pem | 96 | #php_flag log_errors on |
85 | SSLCertificateKeyFile /absolute/path/to/the/website/key.key | 97 | #php_flag display_errors on |
98 | #php_value error_reporting 2147483647 | ||
99 | #php_value error_log /var/log/apache2/shaarli-php-error.log | ||
86 | 100 | ||
87 | <Directory /absolute/path/to/shaarli/> | 101 | <Directory /absolute/path/to/shaarli/> |
102 | #Required for .htaccess support | ||
88 | AllowOverride All | 103 | AllowOverride All |
89 | Options Indexes FollowSymLinks MultiViews | ||
90 | Order allow,deny | 104 | Order allow,deny |
91 | allow from all | 105 | Allow from all |
92 | </Directory> | ||
93 | 106 | ||
94 | LogLevel warn | 107 | Options Indexes FollowSymLinks MultiViews #TODO is Indexes/Multiviews required? |
95 | ErrorLog /var/log/apache2/shaarli-error.log | 108 | |
96 | CustomLog /var/log/apache2/shaarli-access.log combined | 109 | # Optional - required for playvideos plugin |
97 | </VirtualHost> | 110 | #Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://www.youtube.com https://s.ytimg.com 'unsafe-eval'" |
98 | <VirtualHost *:80> | 111 | </Directory> |
99 | ServerName shaarli.my-domain.org | ||
100 | Redirect 301 / https://shaarli.my-domain.org | ||
101 | 112 | ||
102 | LogLevel warn | ||
103 | ErrorLog /var/log/apache2/shaarli-error.log | ||
104 | CustomLog /var/log/apache2/shaarli-access.log combined | ||
105 | </VirtualHost> | 113 | </VirtualHost> |
106 | ``` | 114 | ``` |
107 | 115 | ||
108 | ### .htaccess | 116 | Enable this configuration with `sudo a2ensite shaarli` |
109 | 117 | ||
110 | Shaarli use `.htaccess` Apache files to deny access to files that shouldn't be directly accessed (datastore, config, etc.). You need the directive `AllowOverride All` in your virtual host configuration for them to work. | 118 | _Note: If you use Apache 2.2 or lower, you need [mod_version](https://httpd.apache.org/docs/current/mod/mod_version.html) to be installed and enabled._ |
111 | 119 | ||
112 | **Warning**: If you use Apache 2.2 or lower, you need [mod_version](https://httpd.apache.org/docs/current/mod/mod_version.html) to be installed and enabled. | 120 | _Note: Apache module `mod_rewrite` must be enabled to use the REST API._ |
113 | |||
114 | Apache module `mod_rewrite` **must** be enabled to use the REST API. URL rewriting rules for the Slim microframework are stated in the root `.htaccess` file. | ||
115 | 121 | ||
116 | ## LightHttpd | ||
117 | 122 | ||
118 | ## Nginx | 123 | ## Nginx |
119 | ### Foreword | ||
120 | Nginx does not natively interpret PHP scripts; to this effect, we will run a [FastCGI](https://en.wikipedia.org/wiki/FastCGI) service, to which Nginx's FastCGI module will proxy all requests to PHP resources. | ||
121 | |||
122 | Required packages: | ||
123 | 124 | ||
124 | - [nginx](http://nginx.org) | 125 | Here is a basic configuration example for the Nginx web server, using the [php-fpm](http://php-fpm.org) PHP FastCGI Process Manager, and Nginx's [FastCGI](https://en.wikipedia.org/wiki/FastCGI) module. |
125 | - [php-fpm](http://php-fpm.org) - PHP FastCGI Process Manager | ||
126 | 126 | ||
127 | Official documentation: | 127 | <!--- TODO refactor everything below this point ---> |
128 | |||
129 | - [Beginner's guide](http://nginx.org/en/docs/beginners_guide.html) | ||
130 | - [ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html) | ||
131 | - [Pitfalls](http://wiki.nginx.org/Pitfalls) | ||
132 | |||
133 | Community resources: | ||
134 | |||
135 | - [Server-side TLS (Nginx)](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) (Mozilla) | ||
136 | - [PHP configuration examples](http://kbeezie.com/nginx-configuration-examples/) (Karl Blessing) | ||
137 | 128 | ||
138 | ### Common setup | 129 | ### Common setup |
139 | Once Nginx and PHP-FPM are installed, we need to ensure: | 130 | Once Nginx and PHP-FPM are installed, we need to ensure: |
@@ -404,3 +395,39 @@ http { | |||
404 | } | 395 | } |
405 | } | 396 | } |
406 | ``` | 397 | ``` |
398 | |||
399 | ## Proxies | ||
400 | If Shaarli is served behind a proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), please refer to the proxy server documentation for proper configuration. In particular, you have to ensure that the following server variables are properly set: | ||
401 | |||
402 | - `X-Forwarded-Proto` | ||
403 | - `X-Forwarded-Host` | ||
404 | - `X-Forwarded-For` | ||
405 | |||
406 | See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%93&q=label%3Aproxy+) issues. | ||
407 | |||
408 | |||
409 | ## See also | ||
410 | |||
411 | * [Server security](Server-security.md) | ||
412 | |||
413 | #### Webservers | ||
414 | |||
415 | - [Apache/PHP - error log per VirtualHost](http://stackoverflow.com/q/176) (StackOverflow) | ||
416 | - [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/) | ||
417 | - [Server-side TLS (Apache)](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache) (Mozilla) | ||
418 | - [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html) | ||
419 | - [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html) | ||
420 | - [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls) | ||
421 | - [Nginx PHP configuration examples](http://kbeezie.com/nginx-configuration-examples/) (Karl Blessing) | ||
422 | - [Server-side TLS (Nginx)](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) (Mozilla) | ||
423 | - [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php) | ||
424 | - [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority) | ||
425 | |||
426 | #### PHP | ||
427 | |||
428 | - [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml) | ||
429 | - [PHP: Supported versions](http://php.net/supported-versions.php) | ||
430 | - [PHP: Unsupported versions](http://php.net/eol.php) _(EOL - End Of Life)_ | ||
431 | - [PHP 7 Changelog](http://php.net/ChangeLog-7.php) | ||
432 | - [PHP 5 Changelog](http://php.net/ChangeLog-5.php) | ||
433 | - [PHP: Bugs](https://bugs.php.net/) | ||