Merge branch 'central-auth'

This commit is contained in:
Blallo 2018-09-19 22:29:42 +02:00
commit 9c3690d969
7 changed files with 99 additions and 32 deletions

View file

@ -10,6 +10,8 @@ services:
- POSTGRES_USER=ttrss
- POSTGRES_PASSWORD=password-dev
- POSTGRES_DB=ttrss
ports:
- 5432:5432
tt-rss:
image: feedati/tt-rss:latest
@ -58,6 +60,8 @@ services:
container_name: feedati_webserver
volumes:
- ./docker/frontend-apache.conf:/usr/local/apache2/conf/httpd.conf:ro
- ./docker/frontend-apache/:/etc/apache2/:ro
- ./docker/frontend-login/:/var/www/login/:ro
ports:
- 80:80
depends_on:

View file

@ -10,7 +10,7 @@ LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule headers_module modules/mod_headers.so
LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule proxy_module modules/mod_proxy.so
@ -20,7 +20,18 @@ LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule session_module modules/mod_session.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule request_module modules/mod_request.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule authn_file_module modules/mod_authn_file.so
# LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule macro_module modules/mod_macro.so
LoadModule rewrite_module modules/mod_rewrite.so
<IfModule unixd_module>
#
@ -39,37 +50,38 @@ ServerAdmin you@example.com
ServerName feedati-fe:80
<Macro Auth>
AuthFormLoginRequiredLocation "/login/"
AuthFormLoginRequiredLocation "/login/"
AuthFormProvider file
# authn
AuthFormProvider file
AuthUserFile /etc/apache2/passwords.txt
# form
AuthType form
AuthName "authenticationform"
# mod_session
Session On
SessionCookieName session path=/;httponly
SessionCryptoPassphrase changeme!really!
</Macro>
<Location "/login/do">
SetHandler form-login-handler
Use Auth
AuthFormLoginSuccessLocation "/tt-rss/"
</Location>
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
DocumentRoot "/var/www"
<Directory "/var/www">
Options None
AllowOverride None
#
# Controls who can get stuff from this server.
#
Use Auth
Require all granted
</Directory>
@ -180,11 +192,17 @@ ProxyPreserveHost On
<Location /tt-rss/>
ProxyPass http://tt-rss/tt-rss/
ProxyPassReverse http://tt-rss/tt-rss/
Use Auth
Require valid-user
RewriteEngine on
RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-Forwarded-User %{RU}e
</Location>
<Location /rss-bridge/>
ProxyPass http://rss-bridge/
ProxyPassReverse http://rss-bridge/
Require all granted
</Location>
# vim: set ft=apache bkc=yes:

View file

@ -0,0 +1 @@
admin:$2y$05$tPaBuT/mWQCvfk1C12PmV.0Dz8kt0cY1jcD53OGCN26Y8dX2kRPs.

View file

@ -0,0 +1,31 @@
<!doctype html>
<html>
<head>
<title>Login required</title>
<link href='http://fonts.googleapis.com/css?family=Roboto+Condensed:300' rel='stylesheet' type='text/css'>
<link rel="stylesheet" type="text/css" href="/login/css/style.css" />
<script type="text/javascript">
function init() {
if (localStorage.getItem("tryLogin")) {
document.getElementById("error").className += "show";
localStorage.removeItem("tryLogin");
}
document.getElementById("password").focus();
}
function tryLogin() {
localStorage.setItem("tryLogin", true);
}
</script>
</head>
<body onload="init()">
<div id="content">
<h1>Feedati login</h1>
<form method="POST" action="/login/do" onsubmit="tryLogin()">
<label for="username">Username</label><input type="text" id="username" name="httpd_username" value="friends" />
<label for="password">Password</label><input type="password" id="password" name="httpd_password" value="" />
<input type="submit" name="login" value="Login" />
</form>
</div>
</body>
</html>

View file

@ -175,7 +175,7 @@
// if you experience weird errors and tt-rss failing to start, blank pages
// after login, or content encoding errors, disable it.
define('PLUGINS', 'auth_internal, note');
define('PLUGINS', 'auth_proxy, note');
// Comma-separated list of plugins to load automatically for all users.
// System plugins have to be specified here. Please enable at least one
// authentication plugin here (auth_*).
@ -196,4 +196,6 @@
// Expected config version. Please update this option in config.php
// if necessary (after migrating all new options from this file).
define('AUTHPROXY_WHITELIST_NAME', 'feedati-fe');
// vim:ft=php bkc=yes:

View file

@ -5,7 +5,7 @@ from doit.tools import LongRunning
from dodo_utils import wait_net_service, wait_pgsql_db, \
up2date_hasimage, up2date_anyimages, \
run_task_func
run_task_func, scan_dir
COMPOSE = 'docker-compose -p feedati'
DOIT_CONFIG = {'default_tasks': ['up']}
@ -17,8 +17,7 @@ def task_build():
'uptodate': [up2date_anyimages],
'file_dep': ['docker-compose.yml',
'rss-bridge/Dockerfile',
] + [os.path.join('docker', fname)
for fname in os.listdir('docker')],
] + list(scan_dir('docker')),
'actions': [COMPOSE + ' build'],
'clean': [run_task_func(task__build_rm),
run_task_func(task__build_rmi)],

View file

@ -1,5 +1,7 @@
import subprocess
import time
import os
import fnmatch
from doit import loader
@ -32,10 +34,12 @@ def wait_net_service(server, port, timeout=None):
# this exception occurs only if timeout is set
if timeout:
return False
except (ConnectionRefusedError, ConnectionAbortedError):
pass
except socket.error as err:
# catch timeout exception from underlying network library
# this one is different from socket.timeout
if type(err.args) != tuple or err[0] != errno.ETIMEDOUT:
if type(err.args) != tuple or err.errno != errno.ETIMEDOUT:
raise
else:
s.close()
@ -105,3 +109,11 @@ def run_task_func(taskf):
if tasks:
fun.__doc__ = '\n'.join(t.doc for t in tasks)
return fun
def scan_dir(dirname, extension=None):
if extension is None:
extension = '*'
for root, dirnames, filenames in os.walk(dirname):
for fname in fnmatch.filter(filenames, extension):
yield os.path.join(root, fname)