aboutsummaryrefslogtreecommitdiffhomepage
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/md/Reverse-proxy.md35
-rw-r--r--doc/md/Server-configuration.md78
2 files changed, 66 insertions, 47 deletions
diff --git a/doc/md/Reverse-proxy.md b/doc/md/Reverse-proxy.md
index 77e4a04d..1c55430f 100644
--- a/doc/md/Reverse-proxy.md
+++ b/doc/md/Reverse-proxy.md
@@ -19,23 +19,38 @@ See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%9
19 ServerName shaarli.mydomain.org 19 ServerName shaarli.mydomain.org
20 DocumentRoot /var/www/shaarli.mydomain.org/ 20 DocumentRoot /var/www/shaarli.mydomain.org/
21 21
22 # For SSL/TLS certificates acquired with certbot or self-signed certificates
22 # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests 23 # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
23 RewriteEngine on 24 RewriteEngine on
24 RewriteRule ^.well-known/acme-challenge/ - [L] 25 RewriteRule ^.well-known/acme-challenge/ - [L]
25 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org 26 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
26 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] 27 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
27 # If you are using mod_md, use this instead
28 #MDCertificateAgreement accepted
29 #MDContactEmail admin@shaarli.mydomain.org
30 #MDPrivateKeys RSA 4096
31</VirtualHost> 28</VirtualHost>
32 29
30# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
31#MDomain shaarli.mydomain.org
32#MDCertificateAgreement accepted
33#MDContactEmail admin@shaarli.mydomain.org
34#MDPrivateKeys RSA 4096
35
33<VirtualHost *:443> 36<VirtualHost *:443>
34 ServerName shaarli.mydomain.org 37 ServerName shaarli.mydomain.org
35 38
36 SSLEngine on 39 # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
37 SSLCertificateFile /path/to/certificate 40 SSLEngine on
38 SSLCertificateKeyFile /path/to/private/key 41 SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
42 SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
43 # Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
44 SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
45 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
46 SSLHonorCipherOrder off
47 SSLSessionTickets off
48 SSLOptions +StrictRequire
49
50 # SSL/TLS configuration for self-signed certificates
51 #SSLEngine on
52 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
53 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
39 54
40 # let the proxied shaarli server/container know HTTPS URLs should be served 55 # let the proxied shaarli server/container know HTTPS URLs should be served
41 RequestHeader set X-Forwarded-Proto "https" 56 RequestHeader set X-Forwarded-Proto "https"
@@ -75,6 +90,7 @@ backend shaarli
75 server shaarli1 127.0.0.1:10080 90 server shaarli1 127.0.0.1:10080
76``` 91```
77 92
93- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
78 94
79## Nginx 95## Nginx
80 96
@@ -119,3 +135,8 @@ http {
119} 135}
120``` 136```
121 137
138## References
139
140- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
141- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
142- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md
index 3eeaad70..bad00ac5 100644
--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -4,12 +4,15 @@
4 4
5### Operating system and web server 5### Operating system and web server
6 6
7Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems. 7Shaarli can be hosted on dedicated/virtual servers, or shared hosting.
8 8
9You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts). 9You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
10 10
11Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution. 11Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
12 12
13A $5/month VPS (1 CPU, 1 GiB RAM and 25 GiB SSD) will run any Shaarli installation without problems. Some hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [4](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [5](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [6](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
14
15
13### Network and domain name 16### Network and domain name
14 17
15Try to host the server in a region that is geographically close to your users. 18Try to host the server in a region that is geographically close to your users.
@@ -61,10 +64,16 @@ Extension | Required? | Usage
61 64
62Some [plugins](Plugins.md) may require additional configuration. 65Some [plugins](Plugins.md) may require additional configuration.
63 66
67- [PHP: Supported versions](http://php.net/supported-versions.php)
68- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
69- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
70- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
71- [PHP: Bugs](https://bugs.php.net/)
72
64 73
65## SSL/TLS (HTTPS) 74## SSL/TLS (HTTPS)
66 75
67We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server. 76We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) (SSL/[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security)) on your webserver for secure communication between clients and the server.
68 77
69### Let's Encrypt 78### Let's Encrypt
70 79
@@ -103,6 +112,8 @@ If you don't want to rely on a certificate authority, or the server can only be
103 112
104- [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) 113- [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
105- [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10) 114- [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
115- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
116- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
106 117
107-------------------------------------------------------------------------------- 118--------------------------------------------------------------------------------
108 119
@@ -134,17 +145,20 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
134 ServerName shaarli.mydomain.org 145 ServerName shaarli.mydomain.org
135 DocumentRoot /var/www/shaarli.mydomain.org/ 146 DocumentRoot /var/www/shaarli.mydomain.org/
136 147
148 # For SSL/TLS certificates acquired with certbot or self-signed certificates
137 # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests 149 # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
138 RewriteEngine on 150 RewriteEngine on
139 RewriteRule ^.well-known/acme-challenge/ - [L] 151 RewriteRule ^.well-known/acme-challenge/ - [L]
140 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org 152 RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
141 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] 153 RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
142 # If you are using mod_md, use this instead
143 #MDCertificateAgreement accepted
144 #MDContactEmail admin@shaarli.mydomain.org
145 #MDPrivateKeys RSA 4096
146</VirtualHost> 154</VirtualHost>
147 155
156# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
157#MDomain shaarli.mydomain.org
158#MDCertificateAgreement accepted
159#MDContactEmail admin@shaarli.mydomain.org
160#MDPrivateKeys RSA 4096
161
148<VirtualHost *:443> 162<VirtualHost *:443>
149 ServerName shaarli.mydomain.org 163 ServerName shaarli.mydomain.org
150 DocumentRoot /var/www/shaarli.mydomain.org/ 164 DocumentRoot /var/www/shaarli.mydomain.org/
@@ -160,10 +174,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
160 SSLSessionTickets off 174 SSLSessionTickets off
161 SSLOptions +StrictRequire 175 SSLOptions +StrictRequire
162 176
163 # SSL/TLS configuration for Let's Encrypt certificates acquired with mod_md 177 # SSL/TLS configuration for self-signed certificates
164 #MDomain shaarli.mydomain.org
165
166 # SSL/TLS configuration (for self-signed certificates)
167 #SSLEngine on 178 #SSLEngine on
168 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem 179 #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
169 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 180 #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
@@ -219,7 +230,13 @@ sudo a2enmod headers
219sudo systemctl restart apache2 230sudo systemctl restart apache2
220``` 231```
221 232
222See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide. 233- [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10)
234- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
235- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
236- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
237- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
238- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
239- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
223 240
224 241
225### Nginx 242### Nginx
@@ -326,7 +343,14 @@ sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enab
326sudo systemctl reload nginx 343sudo systemctl reload nginx
327``` 344```
328 345
329See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide. 346- [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)
347- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
348- [Nginx documentation](https://nginx.org/en/docs/)
349- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
350- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
351- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
352- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
353
330 354
331 355
332## Reverse proxies 356## Reverse proxies
@@ -413,33 +437,7 @@ bantime = -1
413 437
414Then restart the service: `sudo systemctl restart fail2ban` 438Then restart the service: `sudo systemctl restart fail2ban`
415 439
416#### References
417
418- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
419- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
420- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
421- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
422- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
423- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
424- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
425- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
426- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
427- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
428- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
429- [Nginx documentation](https://nginx.org/en/docs/)
430- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
431- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
432- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
433- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
434- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
435- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
436- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
437- [PHP: Supported versions](http://php.net/supported-versions.php)
438- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
439- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
440- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
441- [PHP: Bugs](https://bugs.php.net/)
442- [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
443- Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
444 440
441## What next?
445 442
443[Shaarli installation](Installation.md)