Add documentation for nginx+ssl setup

2014-09-14 15:00:13 +02:00 · 2014-09-14 15:00:13 +02:00 · 5f962bf4cd
parent 22c51e3ca4
commit 5f962bf4cd
2 changed files with 240 additions and 1 deletions
--- a/docs/nginx-ssl-php-fpm.markdown
+++ b/docs/nginx-ssl-php-fpm.markdown
@ -0,0 +1,238 @@
+Kanboard with Nginx, HTTPS, SPDY and PHP-FPM
+============================================
+
+This installation example will help you to have the following features:
+
+- Latest stable nginx version
+- HTTPS only with a valid certificate
+- [SPDY protocol](http://en.wikipedia.org/wiki/SPDY) activated
+- PHP 5.5 with php-fpm
+- Recommended security parameters
+- File uploads with a 10MB file size limit
+
+This procedure is written for **Ubuntu 14.04 LTS** but it should be similar for any Linux distribution.
+
+For this setup, we suppose that only Kanboard is installed on the server.
+It can be a small virtual machine by example.
+
+Kanboard detect automatically the utilization of HTTPS and enable some extra features:
+
+- [HTTP Strict Transport Security](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+- [Secure Cookie Flag](http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly)
+
+PHP 5.5 Installation
+--------------------
+
+```bash
+sudo apt-get install php5-fpm php5-cli php5-sqlite
+```
+
+You can also install `php5-mysql` if you prefer to use Kanboard with Mysql or MariaDB.
+
+Customize your `/etc/php5/fpm/php.ini`:
+
+```ini
+; Security settings
+expose_php = Off
+cgi.fix_pathinfo=0
+
+; Log errors
+error_reporting = E_ALL
+display_errors = Off
+log_errors = On
+html_errors = Off
+error_log = syslog
+
+; File uploads
+upload_max_filesize = 10M
+post_max_size = 10M
+```
+
+Restart PHP background processes:
+
+```bash
+sudo service php5-fpm restart
+```
+
+Nginx Installation
+------------------
+
+We want the latest stable version of nginx to be able to use the SPDY protocol.
+Hopefully, there is PPA for Ubuntu (unofficial):
+
+```bash
+sudo add-apt-repository ppa:nginx/stable
+sudo apt-get install nginx
+```
+
+Generate a SSL certificate
+--------------------------
+
+We want a SSL certificate that work everywhere, not a self-signed certificate.
+You can buy a cheap one at [Namecheap](http://www.namecheap.com/?aff=73824) or anywhere else.
+
+Here the different steps to configure your certificate:
+
+```bash
+# Generate a private key
+openssl genrsa -des3 -out kanboard.key 2048
+
+# Create a key with no password for Nginx
+openssl rsa -in kanboard.key -out kanboard.key.nopass
+
+# Generate the Certificate Signing Request, enter your domain name for the field 'Common Name'
+openssl req -new -key kanboard.key.nopass -out kanboard.csr
+
+# Copy and paste the content of the CSR to the Namecheap control panel and finalize the procedure
+cat kanboard.csr
+
+# After that, you receive by email your certificate, then concat everything into a single file
+cat kanboard.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > kanboard.pem
+```
+
+Copy the certificates in a new directory:
+
+```bash
+mkdir /etc/nginx/ssl
+cp kanboard.pem /etc/nginx/ssl
+cp kanboard.key.nopass /etc/nginx/ssl
+chmod 400 /etc/nginx/ssl/*
+```
+
+Configure Nginx
+---------------
+
+Now, we can customize our installation, start to modify the main configuration file `/etc/nginx/nginx.conf`:
+
+```nginx
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    # SSL shared cache between workers
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # We disable weak protocols and ciphers
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!DSS:!aNULL:@STRENGTH;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    # We enable the Gzip compression for some mime types
+    gzip on;
+    gzip_disable "msie6";
+    gzip_vary on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
+```
+
+Create a new virtual host for Kanboard `/etc/nginx/sites-available/kanboard`
+
+
+```nginx
+server {
+    # We also enable the SPDY protocol
+    listen 443 ssl spdy;
+
+    # Our SSL certificate
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/kanboard.pem;
+    ssl_certificate_key /etc/nginx/ssl/kanboard.key.nopass;
+
+    # You can change the default root directory here
+    root /usr/share/nginx/html;
+
+    index index.php;
+
+    # Your domain name
+    server_name localhost;
+
+    # The maximum body size, useful for file uploads
+    client_max_body_size 10M;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+
+    # PHP-FPM configuration
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi.conf;
+    }
+
+    # Deny access to the directory data
+    location ~* /data {
+            deny all;
+            return 404;
+    }
+
+    # Deny access to .htaccess
+    location ~ /\.ht {
+            deny all;
+            return 404;
+    }
+}
+```
+
+Now it's time to test our setup
+
+```bash
+# Disable the default virtual host
+sudo unlink /etc/nginx/sites-enabled/default
+
+# Add our default virtual host
+sudo ln -s /etc/nginx/sites-available/kanboard /etc/nginx/sites-enabled/kanboard
+
+# Check the config file
+sudo nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+# Restart nginx
+sudo service nginx restart
+```
+
+Kanboard Installation
+---------------------
+
+You can install Kanboard in a subdirectory or not, it's up to you.
+
+```bash
+cd /usr/share/nginx/html
+sudo wget http://kanboard.net/kanboard-latest.zip
+sudo unzip kanboard-latest.zip
+sudo chown -R www-data:www-data kanboard/data
+sudo rm kanboard-latest.zip
+```
+
+Now, you should be able to use Kanboard with your web browser.
--- a/docs/syntax-guide.markdown
+++ b/docs/syntax-guide.markdown
@ -105,13 +105,14 @@ Execute this command: `tail -f /var/log/messages`.
 Use 3 backticks with eventually the language name.

 <pre>
-```php
+<code class="language-markdown">```php
 &lt;?php

 phpinfo();

 ?&gt;
 ```
+</code>
 </pre>

 ### Result