Reverse proxy

If Shaarli is hosted on a server behind a reverse proxy (i.e. there is a proxy server between clients and the web server hosting Shaarli), configure it accordingly. See Reverse proxy configuration. In this example:

  • The Shaarli application server exposes port 10080 to the proxy (for example docker container started with --publish
  • The Shaarli application server runs at (container). Replace with the server's IP address if running on a different machine.
  • Shaarli's Fully Qualified Domain Name (FQDN) is
  • No HTTPS is setup on the application server, SSL termination is done at the reverse proxy.

In your Shaarli configuration data/config.json.php, add the public IP of your proxy under security.trusted_proxies.

See also proxy-related issues.


<VirtualHost *:80>

    # For SSL/TLS certificates acquired with certbot or self-signed certificates
    # Redirect HTTP requests to HTTPS, except Let's Encrypt ACME challenge requests
    RewriteEngine on
    RewriteRule ^.well-known/acme-challenge/ - [L]
    RewriteCond %{HTTP_HOST}
    RewriteRule  ^{REQUEST_URI} [END,NE,R=permanent]

# SSL/TLS configuration for Let's Encrypt certificates managed with mod_md
#MDCertificateAgreement accepted
#MDPrivateKeys RSA 4096

<VirtualHost *:443>

    # SSL/TLS configuration for Let's Encrypt certificates acquired with certbot standalone
    SSLEngine             on
    SSLCertificateFile    /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    # Let's Encrypt settings from
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    SSLOptions +StrictRequire

    # SSL/TLS configuration for self-signed certificates
    #SSLEngine             on
    #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # let the proxied shaarli server/container know HTTPS URLs should be served
    RequestHeader set X-Forwarded-Proto "https"

    # send the original SERVER_NAME to the proxied host
    ProxyPreserveHost On

    # pass requests to the proxied host
    # sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers
    ProxyPass        /
    ProxyPassReverse /




frontend http-in
    bind :80
    redirect scheme https code 301 if !{ ssl_fc }
    bind :443 ssl crt /path/to/cert.pem
    default_backend shaarli

backend shaarli
    mode http
    option http-server-close
    option forwardfor
    reqadd X-Forwarded-Proto: https
    server shaarli1


http {

    index index.html index.php;

    root        /home/john/web;
    access_log  /var/log/nginx/access.log combined;
    error_log   /var/log/nginx/error.log;

    server {
        listen       80;
        # redirect HTTP to HTTPS
        return       301$request_uri;

    server {
        listen       443 ssl http2;

        ssl_certificate       /path/to/certificate
        ssl_certificate_key   /path/to/private/key

        # if shaarli is installed in a subdirectory of the main domain, edit the location accordingly
        location / {
            proxy_set_header  X-Real-IP         $remote_addr;
            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_set_header  X-Forwarded-Host  $host;

            # pass requests to the proxied host
            proxy_pass             http://localhost:10080/;
            proxy_set_header Host  $host;
            proxy_connect_timeout  30s;
            proxy_read_timeout     120s;