2017-01-26 18:52:54 +01:00
<!DOCTYPE html>
<!-- [if IE 8]><html class="no - js lt - ie9" lang="en" > <![endif] -->
<!-- [if gt IE 8]><! --> < html class = "no-js" lang = "en" > <!-- <![endif] -->
< head >
< meta charset = "utf-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1.0" >
< link rel = "shortcut icon" href = "../img/favicon.ico" >
< title > Server security - Shaarli Documentation< / title >
< link href = 'https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel = 'stylesheet' type = 'text/css' >
< link rel = "stylesheet" href = "../css/theme.css" type = "text/css" / >
< link rel = "stylesheet" href = "../css/theme_extra.css" type = "text/css" / >
< link rel = "stylesheet" href = "../css/highlight.css" >
< link href = "../github-markdown.css" rel = "stylesheet" >
< script >
// Current page data
var mkdocs_page_name = "Server security";
var mkdocs_page_input_path = "Server-security.md";
var mkdocs_page_url = "/Server-security/";
< / script >
< script src = "../js/jquery-2.1.1.min.js" > < / script >
< script src = "../js/modernizr-2.8.3.min.js" > < / script >
< script type = "text/javascript" src = "../js/highlight.pack.js" > < / script >
< / head >
< body class = "wy-body-for-nav" role = "document" >
< div class = "wy-grid-for-nav" >
< nav data-toggle = "wy-nav-shift" class = "wy-nav-side stickynav" >
< div class = "wy-side-nav-search" >
< a href = ".." class = "icon icon-home" > Shaarli Documentation< / a >
< div role = "search" >
< form id = "rtd-search-form" class = "wy-form" action = "../search.html" method = "get" >
< input type = "text" name = "q" placeholder = "Search docs" / >
< / form >
< / div >
< / div >
< div class = "wy-menu wy-menu-vertical" data-spy = "affix" role = "navigation" aria-label = "main navigation" >
< ul class = "current" >
< li class = "toctree-l1" >
< a class = "" href = ".." > Home< / a >
< / li >
< li class = "toctree-l1" >
< span class = "caption-text" > Setup< / span >
< ul class = "subnav" >
< li class = "" >
< a class = "" href = "../Download-and-Installation/" > Download and Installation< / a >
< / li >
< li class = "" >
< a class = "" href = "../Upgrade-and-migration/" > Upgrade and migration< / a >
< / li >
< li class = "" >
< a class = "" href = "../Server-requirements/" > Server requirements< / a >
< / li >
< li class = "" >
< a class = "" href = "../Server-configuration/" > Server configuration< / a >
< / li >
< li class = " current" >
< a class = "current" href = "./" > Server security< / a >
< ul class = "subnav" >
< li class = "toctree-l3" > < a href = "#phpini" > php.ini< / a > < / li >
< ul >
< li > < a class = "toctree-l4" href = "#locate-ini-files" > Locate .ini files< / a > < / li >
< / ul >
< li class = "toctree-l3" > < a href = "#fail2ban" > fail2ban< / a > < / li >
< ul >
< li > < a class = "toctree-l4" href = "#read-shaarli-logs-to-ban-ips" > Read Shaarli logs to ban IPs< / a > < / li >
< / ul >
< li class = "toctree-l3" > < a href = "#robots-restricting-search-engines-and-web-crawler-traffic" > Robots - Restricting search engines and web crawler traffic< / a > < / li >
< / ul >
< / li >
< li class = "" >
< a class = "" href = "../Shaarli-configuration/" > Shaarli configuration< / a >
< / li >
< li class = "" >
< a class = "" href = "../Plugins/" > Plugins< / a >
< / li >
< / ul >
< / li >
< li class = "toctree-l1" >
< span class = "caption-text" > Docker< / span >
< ul class = "subnav" >
< li class = "" >
< a class = "" href = "../Docker-101/" > Docker 101< / a >
< / li >
< li class = "" >
< a class = "" href = "../Shaarli-images/" > Shaarli images< / a >
< / li >
< li class = "" >
< a class = "" href = "../Reverse-proxy-configuration/" > Reverse proxy configuration< / a >
< / li >
< li class = "" >
< a class = "" href = "../Docker-resources/" > Docker resources< / a >
< / li >
< / ul >
< / li >
< li class = "toctree-l1" >
< span class = "caption-text" > Usage< / span >
< ul class = "subnav" >
< li class = "" >
< a class = "" href = "../Features/" > Features< / a >
< / li >
< li class = "" >
< a class = "" href = "../Bookmarklet/" > Bookmarklet< / a >
< / li >
< li class = "" >
< a class = "" href = "../Browsing-and-searching/" > Browsing and searching< / a >
< / li >
< li class = "" >
< a class = "" href = "../Firefox-share/" > Firefox share< / a >
< / li >
< li class = "" >
< a class = "" href = "../RSS-feeds/" > RSS feeds< / a >
< / li >
< li class = "" >
< a class = "" href = "../REST-API/" > REST API< / a >
< / li >
< / ul >
< / li >
< li class = "toctree-l1" >
< span class = "caption-text" > How To< / span >
< ul class = "subnav" >
< li class = "" >
< a class = "" href = "../Backup,-restore,-import-and-export/" > Backup, restore, import and export< / a >
< / li >
< li class = "" >
2017-06-18 06:32:30 +02:00
< a class = "" href = "../Various-hacks/" > Various hacks< / a >
2017-01-26 18:52:54 +01:00
< / li >
< / ul >
< / li >
< li class = "toctree-l1" >
< a class = "" href = "../Troubleshooting/" > Troubleshooting< / a >
< / li >
< li class = "toctree-l1" >
< span class = "caption-text" > Development< / span >
< ul class = "subnav" >
< li class = "" >
< a class = "" href = "../Development-guidelines/" > Development guidelines< / a >
< / li >
< li class = "" >
< a class = "" href = "../Continuous-integration-tools/" > Continuous integration tools< / a >
< / li >
< li class = "" >
< a class = "" href = "../GnuPG-signature/" > GnuPG signature< / a >
< / li >
< li class = "" >
< a class = "" href = "../Coding-guidelines/" > Coding guidelines< / a >
< / li >
< li class = "" >
< a class = "" href = "../Directory-structure/" > Directory structure< / a >
< / li >
< li class = "" >
< a class = "" href = "../3rd-party-libraries/" > 3rd party libraries< / a >
< / li >
< li class = "" >
< a class = "" href = "../Plugin-System/" > Plugin System< / a >
< / li >
< li class = "" >
< a class = "" href = "../Release-Shaarli/" > Release Shaarli< / a >
< / li >
< li class = "" >
< a class = "" href = "../Versioning-and-Branches/" > Versioning and Branches< / a >
< / li >
< li class = "" >
< a class = "" href = "../Security/" > Security< / a >
< / li >
< li class = "" >
< a class = "" href = "../Static-analysis/" > Static analysis< / a >
< / li >
< li class = "" >
< a class = "" href = "../Theming/" > Theming< / a >
< / li >
< li class = "" >
< a class = "" href = "../Unit-tests/" > Unit tests< / a >
< / li >
< / ul >
< / li >
< li class = "toctree-l1" >
< span class = "caption-text" > About< / span >
< ul class = "subnav" >
< li class = "" >
< a class = "" href = "../FAQ/" > FAQ< / a >
< / li >
< li class = "" >
< a class = "" href = "../Community-&-Related-software/" > Community & Related software< / a >
< / li >
< / ul >
< / li >
< / ul >
< / div >
< / nav >
< section data-toggle = "wy-nav-shift" class = "wy-nav-content-wrap" >
< nav class = "wy-nav-top" role = "navigation" aria-label = "top navigation" >
< i data-toggle = "wy-nav-top" class = "fa fa-bars" > < / i >
< a href = ".." > Shaarli Documentation< / a >
< / nav >
< div class = "wy-nav-content" >
< div class = "rst-content" >
< div role = "navigation" aria-label = "breadcrumbs navigation" >
< ul class = "wy-breadcrumbs" >
< li > < a href = ".." > Docs< / a > » < / li >
< li > Setup » < / li >
< li > Server security< / li >
< li class = "wy-breadcrumbs-aside" >
< a href = "https://github.com/shaarli/Shaarli/edit/master/docs/Server-security.md"
class="icon icon-github"> Edit on GitHub< / a >
< / li >
< / ul >
< hr / >
< / div >
< div role = "main" >
< div class = "section" >
< h2 id = "phpini" > php.ini< / h2 >
< p > PHP settings are defined in:
- a main configuration file, usually found under < code > /etc/php5/php.ini< / code > ; some distributions provide different configuration environments, e.g.
- < code > /etc/php5/php.ini< / code > - used when running console scripts
- < code > /etc/php5/apache2/php.ini< / code > - used when a client requests PHP resources from Apache
- < code > /etc/php5/php-fpm.conf< / code > - used when PHP requests are proxied to PHP-FPM
- additional configuration files/entries, depending on the installed/enabled extensions:
- < code > /etc/php/conf.d/xdebug.ini< / code > < / p >
< h3 id = "locate-ini-files" > Locate .ini files< / h3 >
< h4 id = "console-environment" > Console environment< / h4 >
< pre > < code class = "bash" > $ php --ini
Configuration File (php.ini) Path: /etc/php
Loaded Configuration File: /etc/php/php.ini
Scan for additional .ini files in: /etc/php/conf.d
Additional .ini files parsed: /etc/php/conf.d/xdebug.ini
< / code > < / pre >
< h4 id = "server-environment" > Server environment< / h4 >
< ul >
< li > create a < code > phpinfo.php< / code > script located in a path supported by the web server, e.g.< ul >
< li > Apache (with user dirs enabled): < code > /home/myself/public_html/phpinfo.php< / code > < / li >
< li > < code > /var/www/test/phpinfo.php< / code > < / li >
< / ul >
< / li >
< li > make sure the script is readable by the web server user/group (usually, < code > www< / code > , < code > www-data< / code > or < code > httpd< / code > )< / li >
< li > access the script from a web browser< / li >
< li > look at the < em > Loaded Configuration File< / em > and < em > Scan this dir for additional .ini files< / em > entries< / li >
< / ul >
< pre > < code class = "php" > < ?php phpinfo(); ?>
< / code > < / pre >
< h2 id = "fail2ban" > fail2ban< / h2 >
< p > < code > fail2ban< / code > is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses < code > iptables< / code > profiles to block brute-force attempts:
- < a href = "http://www.fail2ban.org/wiki/index.php/Main_Page" > Official website< / a >
- < a href = "https://github.com/fail2ban/fail2ban" > Source code< / a > < / p >
< h3 id = "read-shaarli-logs-to-ban-ips" > Read Shaarli logs to ban IPs< / h3 >
< p > Example configuration:
- allow 3 login attempts per IP address
- after 3 failures, permanently ban the corresponding IP adddress< / p >
< p > < code > /etc/fail2ban/jail.local< / code > < / p >
< pre > < code class = "ini" > [shaarli-auth]
enabled = true
port = https,http
filter = shaarli-auth
logpath = /var/www/path/to/shaarli/data/log.txt
maxretry = 3
bantime = -1
< / code > < / pre >
< p > < code > /etc/fail2ban/filter.d/shaarli-auth.conf< / code > < / p >
< pre > < code class = "ini" > [INCLUDES]
before = common.conf
[Definition]
failregex = \s-\s< HOST> \s-\sLogin failed for user.*$
ignoreregex =
< / code > < / pre >
< h2 id = "robots-restricting-search-engines-and-web-crawler-traffic" > Robots - Restricting search engines and web crawler traffic< / h2 >
< p > Creating a < code > robots.txt< / code > with the following contents at the root of your Shaarli installation will prevent < em > honest< / em > web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.< / p >
< pre > < code > User-agent: *
Disallow: /
< / code > < / pre >
< p > See:
- http://www.robotstxt.org/
- http://www.robotstxt.org/robotstxt.html
- http://www.robotstxt.org/meta.html< / p >
< / div >
< / div >
< footer >
< div class = "rst-footer-buttons" role = "navigation" aria-label = "footer navigation" >
< a href = "../Shaarli-configuration/" class = "btn btn-neutral float-right" title = "Shaarli configuration" > Next < span class = "icon icon-circle-arrow-right" > < / span > < / a >
< a href = "../Server-configuration/" class = "btn btn-neutral" title = "Server configuration" > < span class = "icon icon-circle-arrow-left" > < / span > Previous< / a >
< / div >
< hr / >
< div role = "contentinfo" >
<!-- Copyright etc -->
< / div >
Built with < a href = "http://www.mkdocs.org" > MkDocs< / a > using a < a href = "https://github.com/snide/sphinx_rtd_theme" > theme< / a > provided by < a href = "https://readthedocs.org" > Read the Docs< / a > .
< / footer >
< / div >
< / div >
< / section >
< / div >
< div class = "rst-versions" role = "note" style = "cursor: pointer" >
< span class = "rst-current-version" data-toggle = "rst-current-version" >
< a href = "https://github.com/shaarli/Shaarli" class = "fa fa-github" style = "float: left; color: #fcfcfc" > GitHub< / a >
< span > < a href = "../Server-configuration/" style = "color: #fcfcfc;" > « Previous< / a > < / span >
< span style = "margin-left: 15px" > < a href = "../Shaarli-configuration/" style = "color: #fcfcfc" > Next » < / a > < / span >
< / span >
< / div >
< script src = "../js/theme.js" > < / script >
< / body >
< / html >