doc: serve configuration/reverse proxy: fix apache mod_md configuration, move reference links to their respective sections, shorten

This commit is contained in:
nodiscc 2020-08-16 20:12:45 +02:00
parent 083b28021a
commit f682f1b899
2 changed files with 66 additions and 47 deletions

View file

@ -19,23 +19,38 @@ See also [proxy-related](https://github.com/shaarli/Shaarli/issues?utf8=%E2%9C%9
ServerName shaarli.mydomain.org ServerName shaarli.mydomain.org
DocumentRoot /var/www/shaarli.mydomain.org/ DocumentRoot /var/www/shaarli.mydomain.org/
# For SSL/TLS certificates acquired with certbot or self-signed certificates
# Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
RewriteEngine on RewriteEngine on
RewriteRule ^.well-known/acme-challenge/ - [L] RewriteRule ^.well-known/acme-challenge/ - [L]
RewriteCond %{HTTP_HOST} =shaarli.mydomain.org RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
# If you are using mod_md, use this instead
#MDCertificateAgreement accepted
#MDContactEmail admin@shaarli.mydomain.org
#MDPrivateKeys RSA 4096
</VirtualHost> </VirtualHost>
# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
#MDomain shaarli.mydomain.org
#MDCertificateAgreement accepted
#MDContactEmail admin@shaarli.mydomain.org
#MDPrivateKeys RSA 4096
<VirtualHost *:443> <VirtualHost *:443>
ServerName shaarli.mydomain.org ServerName shaarli.mydomain.org
SSLEngine on # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
SSLCertificateFile /path/to/certificate SSLEngine on
SSLCertificateKeyFile /path/to/private/key SSLCertificateFile /etc/letsencrypt/live/shaarli.mydomain.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/shaarli.mydomain.org/privkey.pem
# Let's Encrypt settings from https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# SSL/TLS configuration for self-signed certificates
#SSLEngine on
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# let the proxied shaarli server/container know HTTPS URLs should be served # let the proxied shaarli server/container know HTTPS URLs should be served
RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Proto "https"
@ -75,6 +90,7 @@ backend shaarli
server shaarli1 127.0.0.1:10080 server shaarli1 127.0.0.1:10080
``` ```
- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
## Nginx ## Nginx
@ -119,3 +135,8 @@ http {
} }
``` ```
## References
- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)

View file

@ -4,12 +4,15 @@
### Operating system and web server ### Operating system and web server
Shaarli can be hosted on dedicated/virtual servers, or shared hosting. The smallest DigitalOcean VPS (Droplet with 1 CPU, 1 GiB RAM and 25 GiB SSD) costs about $5/month and will run any Shaarli installation without problems. Shaarli can be hosted on dedicated/virtual servers, or shared hosting.
You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts). You need write access to the Shaarli installation directory - you should have received instructions from your hosting provider on how to connect to the server using SSH (or FTP for shared hosts).
Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution. Examples in this documentation are given for [Debian](https://www.debian.org/), a GNU/Linux distribution widely used in server environments. Please adapt them to your specific Linux distribution.
A $5/month VPS (1 CPU, 1 GiB RAM and 25 GiB SSD) will run any Shaarli installation without problems. Some hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [4](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [5](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [6](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
### Network and domain name ### Network and domain name
Try to host the server in a region that is geographically close to your users. Try to host the server in a region that is geographically close to your users.
@ -61,10 +64,16 @@ Extension | Required? | Usage
Some [plugins](Plugins.md) may require additional configuration. Some [plugins](Plugins.md) may require additional configuration.
- [PHP: Supported versions](http://php.net/supported-versions.php)
- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
- [PHP: Bugs](https://bugs.php.net/)
## SSL/TLS (HTTPS) ## SSL/TLS (HTTPS)
We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) on your webserver for secure communication between clients and the server. We recommend setting up [HTTPS](https://en.wikipedia.org/wiki/HTTPS) (SSL/[TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security)) on your webserver for secure communication between clients and the server.
### Let's Encrypt ### Let's Encrypt
@ -103,6 +112,8 @@ If you don't want to rely on a certificate authority, or the server can only be
- [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10) - [How To Create a Self-Signed SSL Certificate for Apache](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-debian-10)
- [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10) - [How To Create a Self-Signed SSL Certificate for Nginx](https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10)
- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
@ -134,17 +145,20 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
ServerName shaarli.mydomain.org ServerName shaarli.mydomain.org
DocumentRoot /var/www/shaarli.mydomain.org/ DocumentRoot /var/www/shaarli.mydomain.org/
# For SSL/TLS certificates acquired with certbot or self-signed certificates
# Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
RewriteEngine on RewriteEngine on
RewriteRule ^.well-known/acme-challenge/ - [L] RewriteRule ^.well-known/acme-challenge/ - [L]
RewriteCond %{HTTP_HOST} =shaarli.mydomain.org RewriteCond %{HTTP_HOST} =shaarli.mydomain.org
RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent] RewriteRule ^ https://shaarli.mydomain.org%{REQUEST_URI} [END,NE,R=permanent]
# If you are using mod_md, use this instead
#MDCertificateAgreement accepted
#MDContactEmail admin@shaarli.mydomain.org
#MDPrivateKeys RSA 4096
</VirtualHost> </VirtualHost>
# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
#MDomain shaarli.mydomain.org
#MDCertificateAgreement accepted
#MDContactEmail admin@shaarli.mydomain.org
#MDPrivateKeys RSA 4096
<VirtualHost *:443> <VirtualHost *:443>
ServerName shaarli.mydomain.org ServerName shaarli.mydomain.org
DocumentRoot /var/www/shaarli.mydomain.org/ DocumentRoot /var/www/shaarli.mydomain.org/
@ -160,10 +174,7 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
SSLSessionTickets off SSLSessionTickets off
SSLOptions +StrictRequire SSLOptions +StrictRequire
# SSL/TLS configuration for Let's Encrypt certificates acquired with mod_md # SSL/TLS configuration for self-signed certificates
#MDomain shaarli.mydomain.org
# SSL/TLS configuration (for self-signed certificates)
#SSLEngine on #SSLEngine on
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
@ -219,7 +230,13 @@ sudo a2enmod headers
sudo systemctl restart apache2 sudo systemctl restart apache2
``` ```
See [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10) for a complete guide. - [How to install the Apache web server](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-debian-10)
- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
### Nginx ### Nginx
@ -326,7 +343,14 @@ sudo ln -s /etc/nginx/sites-available/shaarli.mydomain.org /etc/nginx/sites-enab
sudo systemctl reload nginx sudo systemctl reload nginx
``` ```
See [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10) for a complete guide. - [How to install the Nginx web server](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-10)
- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
- [Nginx documentation](https://nginx.org/en/docs/)
- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
## Reverse proxies ## Reverse proxies
@ -413,33 +437,7 @@ bantime = -1
Then restart the service: `sudo systemctl restart fail2ban` Then restart the service: `sudo systemctl restart fail2ban`
#### References
- [Apache/PHP - error log per VirtualHost - StackOverflow](http://stackoverflow.com/q/176)
- [Apache - PHP: php_value vs php_admin_value and the use of php_flag explained](https://ma.ttias.be/php-php_value-vs-php_admin_value-and-the-use-of-php_flag-explained/)
- [Server-side TLS (Apache) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Apache)
- [Nginx Beginner's guide](http://nginx.org/en/docs/beginners_guide.html)
- [Nginx ngx_http_fastcgi_module](http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html)
- [Nginx Pitfalls](http://wiki.nginx.org/Pitfalls)
- [Nginx PHP configuration examples - Karl Blessing](http://kbeezie.com/nginx-configuration-examples/)
- [Apache 2.4 documentation](https://httpd.apache.org/docs/2.4/)
- [Apache mod_proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
- [Apache Reverse Proxy Request Headers](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers)
- [HAProxy documentation](https://cbonte.github.io/haproxy-dconv/)
- [Nginx documentation](https://nginx.org/en/docs/)
- [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
- [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
- [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
- [Server-side TLS (Nginx) - Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx)
- [How to Create Self-Signed SSL Certificates with OpenSSL](http://www.xenocafe.com/tutorials/linux/centos/openssl/self_signed_certificates/index.php)
- [How do I create my own Certificate Authority?](https://workaround.org/certificate-authority)
- [Travis configuration](https://github.com/shaarli/Shaarli/blob/master/.travis.yml)
- [PHP: Supported versions](http://php.net/supported-versions.php)
- [PHP: Unsupported versions (EOL/End-of-life)](http://php.net/eol.php)
- [PHP 7 Changelog](http://php.net/ChangeLog-7.php)
- [PHP 5 Changelog](http://php.net/ChangeLog-5.php)
- [PHP: Bugs](https://bugs.php.net/)
- [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
- Hosting providers: [DigitalOcean](https://www.digitalocean.com/) ([1](https://www.digitalocean.com/docs/droplets/overview/), [2](https://www.digitalocean.com/pricing/), [3](https://www.digitalocean.com/docs/droplets/how-to/create/), [How to Add SSH Keys to Droplets](https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/), [4](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-debian-8), [5](https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps)), [Gandi](https://www.gandi.net/en), [OVH](https://www.ovh.co.uk/), [RackSpace](https://www.rackspace.com/), etc.
## What next?
[Shaarli installation](Installation.md)