diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/md/Server-configuration.md | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md index c22b7d9c..d32cc786 100644 --- a/doc/md/Server-configuration.md +++ b/doc/md/Server-configuration.md | |||
| @@ -60,6 +60,8 @@ Some [plugins](Plugins.md) may require additional configuration. | |||
| 60 | 60 | ||
| 61 | We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server. | 61 | We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server. |
| 62 | 62 | ||
| 63 | ### Let's Encrypt | ||
| 64 | |||
| 63 | For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates. | 65 | For public-facing web servers this can be done using free SSL/TLS certificates from [Let's Encrypt](https://en.wikipedia.org/wiki/Let's_Encrypt), a non-profit certificate authority provididing free certificates. |
| 64 | 66 | ||
| 65 | - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10) | 67 | - [How to secure Apache with Let's Encrypt](https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-10) |
| @@ -87,6 +89,10 @@ sudo systemctl start apache2 | |||
| 87 | sudo systemctl start nginx | 89 | sudo systemctl start nginx |
| 88 | ``` | 90 | ``` |
| 89 | 91 | ||
| 92 | On apache `2.4.43+`, you can also delegate LE certificate management to [mod_md](https://httpd.apache.org/docs/2.4/mod/mod_md.html) [[1](https://www.cyberciti.biz/faq/how-to-secure-apache-with-mod_md-lets-encrypt-on-ubuntu-20-04-lts/)] in which case you don't need certbot and manual SSL configuration in virtualhosts. | ||
| 93 | |||
| 94 | ### Self-signed | ||
| 95 | |||
| 90 | If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli: | 96 | If you don't want to rely on a certificate authority, or the server can only be accessed from your own network, you can also generate self-signed certificates. Not that this will generate security warnings in web browsers/clients trying to access Shaarli: |
| 91 | 97 | ||
| 92 | - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) | 98 | - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) |
| @@ -135,10 +141,10 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf | |||
| 135 | DocumentRoot /var/www/shaarli.mydomain.org/ | 141 | DocumentRoot /var/www/shaarli.mydomain.org/ |
| 136 | 142 | ||
| 137 | # SSL/TLS configuration (for Let's Encrypt certificates) | 143 | # SSL/TLS configuration (for Let's Encrypt certificates) |
| 144 | # If certificates were acquired from certbot standalone | ||
| 138 | SSLEngine on | 145 | SSLEngine on |
| 139 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem | 146 | SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem |
| 140 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem | 147 | SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem |
| 141 | |||
| 142 | # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf | 148 | # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf |
| 143 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | 149 | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 |
| 144 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | 150 | SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 |