Example virtual host configurations for popular web servers
Related guides:
<VirtualHost *:80>
ServerName shaarli.my-domain.org
DocumentRoot /absolute/path/to/shaarli/
</VirtualHost>
This configuration will log both Apache and PHP errors, which may prove useful to identify server configuration errors.
See:
<VirtualHost *:80>
ServerName shaarli.my-domain.org
DocumentRoot /absolute/path/to/shaarli/
LogLevel warn
ErrorLog /var/log/apache2/shaarli-error.log
CustomLog /var/log/apache2/shaarli-access.log combined
php_flag log_errors on
php_flag display_errors on
php_value error_reporting 2147483647
php_value error_log /var/log/apache2/shaarli-php-error.log
</VirtualHost>
<VirtualHost *:80>
ServerName shaarli.my-domain.org
DocumentRoot /absolute/path/to/shaarli/
LogLevel warn
ErrorLog /var/log/apache2/shaarli-error.log
CustomLog /var/log/apache2/shaarli-access.log combined
</VirtualHost>
See Server-side TLS (Mozilla).
<VirtualHost *:443>
ServerName shaarli.my-domain.org
DocumentRoot /absolute/path/to/shaarli/
SSLEngine on
SSLCertificateFile /absolute/path/to/the/website/certificate.crt
SSLCertificateKeyFile /absolute/path/to/the/website/key.key
<Directory /absolute/path/to/shaarli/>
AllowOverride All
Options Indexes FollowSymLinks MultiViews
Order allow,deny
allow from all
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/shaarli-error.log
CustomLog /var/log/apache2/shaarli-access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName shaarli.my-domain.org
Redirect 301 / https://shaarli.my-domain.org
LogLevel warn
ErrorLog /var/log/apache2/shaarli-error.log
CustomLog /var/log/apache2/shaarli-access.log combined
</VirtualHost>
Nginx does not natively interpret PHP scripts; to this effect, we will run a FastCGI service, to which Nginx's FastCGI module will proxy all requests to PHP resources.
Required packages:
Official documentation:
Community resources:
Once Nginx and PHP-FPM are installed, we need to ensure:
read
permissions for Shaarli resourcesexecute
permissions for Shaarli directories AND their parent directoriesOn a production server:
user:group
will likely be http:http
, www:www
or www-data:www-data
/var/www
, /var/http
or /usr/share/nginx
On a development server:
For all following examples, a development configuration will be used:
user:group = john:users
,which corresponds to the following service configuration:
; /etc/php/php-fpm.conf
user = john
group = users
[...][](.html)
listen.owner = john
listen.group = users
# /etc/nginx/nginx.conf
user john users;
http {
[...][](.html)
}
WARNING: Use for development only!
user john users;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
keepalive_timeout 20;
index index.html index.php;
server {
listen 80;
server_name localhost;
root /home/john/web;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /shaarli/ {
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
}
location ~ (index)\.php$ {
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
}
}
The previous setup is sufficient for development purposes, but has several major caveats:
.htaccess
index.php~
location /shaarli/
, location /mysite/
, etc.To solve this, we will split Nginx configuration in several parts, that will be included when needed:
# /etc/nginx/deny.conf
location ~ /\. {
# deny access to dotfiles
access_log off;
log_not_found off;
deny all;
}
location ~ ~$ {
# deny access to temp editor files, e.g. "script.php~"
access_log off;
log_not_found off;
deny all;
}
# /etc/nginx/php.conf
location ~ (index)\.php$ {
# filter and proxy PHP requests to PHP-FPM
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~ \.php$ {
# deny access to all other PHP scripts
deny all;
}
# /etc/nginx/static_assets.conf
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# /etc/nginx/nginx.conf
[...][](.html)
http {
[...][](.html)
root /home/john/web;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
server {
# virtual host for a first domain
listen 80;
server_name my.first.domain.org;
location /shaarli/ {
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
}
include deny.conf;
include static_assets.conf;
include php.conf;
}
server {
# virtual host for a second domain
listen 80;
server_name second.domain.com;
location /minigal/ {
access_log /var/log/nginx/minigal.access.log;
error_log /var/log/nginx/minigal.error.log;
}
include deny.conf;
include static_assets.conf;
include php.conf;
}
}
Assuming you have generated a (self-signed) key and certificate, and they are located under /home/john/ssl/localhost.{key,crt}
, it is pretty straightforward to set an HTTP (:80) to HTTPS (:443) redirection to force SSL/TLS usage.
# /etc/nginx/nginx.conf
[...][](.html)
http {
[...][](.html)
index index.html index.php;
root /home/john/web;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
server {
listen 80;
server_name localhost;
return 301 https://localhost$request_uri;
}
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /home/john/ssl/localhost.crt;
ssl_certificate_key /home/john/ssl/localhost.key;
location /shaarli/ {
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
}
include deny.conf;
include static_assets.conf;
include php.conf;
}
}