From bf7a75c72f0cb39ea325bd542760f0a7bcabf867 Mon Sep 17 00:00:00 2001 From: boyska Date: Tue, 4 Sep 2018 23:28:07 +0200 Subject: [PATCH 1/7] A draft for centralized authentication using standard Apache modules. --- docker-compose.yml | 1 + docker/frontend-apache.conf | 67 ++++++++++++++++++++------------ docker/frontend-login/index.html | 31 +++++++++++++++ 3 files changed, 74 insertions(+), 25 deletions(-) create mode 100644 docker/frontend-login/index.html diff --git a/docker-compose.yml b/docker-compose.yml index 4258ed7..a7ef2a8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -58,6 +58,7 @@ services: container_name: feedati_webserver volumes: - ./docker/frontend-apache.conf:/usr/local/apache2/conf/httpd.conf:ro + - ./docker/frontend-login/:/var/www/login/:ro ports: - 80:80 depends_on: diff --git a/docker/frontend-apache.conf b/docker/frontend-apache.conf index befe9ff..b6c26c0 100644 --- a/docker/frontend-apache.conf +++ b/docker/frontend-apache.conf @@ -20,6 +20,18 @@ LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so + +LoadModule session_module modules/mod_session.so +LoadModule session_crypto_module modules/mod_session_crypto.so +LoadModule session_cookie_module modules/mod_session_cookie.so +LoadModule request_module modules/mod_request.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule auth_form_module modules/mod_auth_form.so +LoadModule authn_file_module modules/mod_authn_file.so +# LoadModule authn_dbm_module modules/mod_authn_dbm.so + +LoadModule macro_module modules/mod_macro.so + #LoadModule rewrite_module modules/mod_rewrite.so 
@@ -39,37 +51,38 @@ ServerAdmin you@example.com ServerName feedati-fe:80 + + AuthFormLoginRequiredLocation "/login/" + AuthFormLoginRequiredLocation "/login/" + AuthFormProvider file +# authn + AuthFormProvider file + AuthUserFile /etc/apache2/passwords.txt +# form + AuthType form + AuthName "authenticationform" +# mod_session + Session On + SessionCookieName session path=/;httponly + SessionCryptoPassphrase changeme!really! + + + +SetHandler form-login-handler +Use Auth +AuthFormLoginSuccessLocation "/tt-rss/" + + AllowOverride none Require all denied -DocumentRoot "/usr/local/apache2/htdocs" - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # AllowOverride FileInfo AuthConfig Limit - # +DocumentRoot "/var/www" + + Options None AllowOverride None - - # - # Controls who can get stuff from this server. - # + Use Auth Require all granted @@ -180,11 +193,15 @@ ProxyPreserveHost On ProxyPass http://tt-rss/tt-rss/ ProxyPassReverse http://tt-rss/tt-rss/ + +Use Auth +Require valid-user ProxyPass http://rss-bridge/ ProxyPassReverse http://rss-bridge/ +Require all granted # vim: set ft=apache bkc=yes: diff --git a/docker/frontend-login/index.html b/docker/frontend-login/index.html new file mode 100644 index 0000000..8ff1c8b --- /dev/null +++ b/docker/frontend-login/index.html @@ -0,0 +1,31 @@ + + + + Login required + + + + + +
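Review bot: `SessionCryptoPassphrase changeme!really!` inside the Auth macro puts the cookie-encryption key into a committed config file; mod_session_crypto's `SessionCryptoPassphraseFile` lets the key be read from a file mounted at runtime and kept out of the repository. The `SessionCookieName session path=/;httponly` line sets no expiry and no `secure` attribute, so adding a `SessionMaxAge` and, once TLS terminates at this frontend, `;secure` to the cookie would bound the session's lifetime and exposure. `AuthFormLoginRequiredLocation "/login/"` appears twice in the macro; one copy can go. The Macro/Location/Directory container lines appear to have been stripped from this rendering, so the enclosing blocks are inferred.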
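Review bot: The rss-bridge location ends with `Require all granted` while the tt-rss location beside it now gets `Use Auth` and `Require valid-user`, so anyone who can reach port 80 can still drive rss-bridge without logging in. If that is intentional (anonymous feed fetching) a one-line comment such as `# rss-bridge deliberately left unauthenticated` would record the decision; otherwise the same `Use Auth` / `Require valid-user` pair belongs here too. The enclosing Location containers are not visible in this rendering.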
+

Feedati login

+
+ + + +
+
+ + From 54bcd8dbb8c0da8e4488e78b6f86208107d6558b Mon Sep 17 00:00:00 2001 From: boyska Date: Wed, 5 Sep 2018 16:51:12 +0200 Subject: [PATCH 2/7] apache auth passed to tt-rss it still uses htpasswd as authn backend; should move to postgresql sooner or later test auth, user=admin pass=password --- docker-compose.yml | 1 + docker/frontend-apache.conf | 11 ++++++----- docker/frontend-apache/passwords.txt | 1 + docker/ttrss-config.php | 2 +- tt-rss | 2 +- 5 files changed, 10 insertions(+), 7 deletions(-) create mode 100644 docker/frontend-apache/passwords.txt diff --git a/docker-compose.yml b/docker-compose.yml index a7ef2a8..1a93dc5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -58,6 +58,7 @@ services: container_name: feedati_webserver volumes: - ./docker/frontend-apache.conf:/usr/local/apache2/conf/httpd.conf:ro + - ./docker/frontend-apache/:/etc/apache2/:ro - ./docker/frontend-login/:/var/www/login/:ro ports: - 80:80 diff --git a/docker/frontend-apache.conf b/docker/frontend-apache.conf index b6c26c0..f8a7c81 100644 --- a/docker/frontend-apache.conf +++ b/docker/frontend-apache.conf @@ -10,7 +10,7 @@ LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so #LoadModule expires_module modules/mod_expires.so -#LoadModule headers_module modules/mod_headers.so +LoadModule headers_module modules/mod_headers.so #LoadModule setenvif_module modules/mod_setenvif.so #LoadModule remoteip_module modules/mod_remoteip.so LoadModule proxy_module modules/mod_proxy.so @@ -31,8 +31,7 @@ LoadModule authn_file_module modules/mod_authn_file.so # LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule macro_module modules/mod_macro.so - -#LoadModule rewrite_module modules/mod_rewrite.so +LoadModule rewrite_module modules/mod_rewrite.so # 
@@ -101,7 +100,7 @@ ErrorLog /proc/self/fd/2 # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. -LogLevel warn +LogLevel trace1 # @@ -193,9 +192,11 @@ ProxyPreserveHost On ProxyPass http://tt-rss/tt-rss/ ProxyPassReverse http://tt-rss/tt-rss/ - Use Auth Require valid-user +RewriteEngine on +RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS] +RequestHeader set X-Forwarded-User %{RU}e diff --git a/docker/frontend-apache/passwords.txt b/docker/frontend-apache/passwords.txt new file mode 100644 index 0000000..1a1c6ad --- /dev/null +++ b/docker/frontend-apache/passwords.txt @@ -0,0 +1 @@ +admin:$2y$05$tPaBuT/mWQCvfk1C12PmV.0Dz8kt0cY1jcD53OGCN26Y8dX2kRPs. diff --git a/docker/ttrss-config.php b/docker/ttrss-config.php index 868270e..7b32ee6 100644 --- a/docker/ttrss-config.php +++ b/docker/ttrss-config.php @@ -175,7 +175,7 @@ // if you experience weird errors and tt-rss failing to start, blank pages // after login, or content encoding errors, disable it. - define('PLUGINS', 'auth_internal, note'); + define('PLUGINS', 'auth_proxy, note'); // Comma-separated list of plugins to load automatically for all users. // System plugins have to be specified here. Please enable at least one // authentication plugin here (auth_*). diff --git a/tt-rss b/tt-rss index c925f4e..7e1a483 160000 --- a/tt-rss +++ b/tt-rss @@ -1 +1 @@ -Subproject commit c925f4e3fdad04442c5c2f542883dbd26c81cc23 +Subproject commit 7e1a483db2644f8da14c5ea6072ed55fcd75bcba From 46baadb8a19fed47dc1120ed2c6ad622750fd497 Mon Sep 17 00:00:00 2001 From: boyska Date: Wed, 5 Sep 2018 16:53:04 +0200 Subject: [PATCH 3/7] FIX doit for docker/ subdirs --- dodo.py | 5 ++--- dodo_utils.py | 10 ++++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/dodo.py b/dodo.py index 1cc3ef5..af562bf 100644 --- a/dodo.py +++ b/dodo.py 
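Review bot: `RequestHeader set X-Forwarded-User %{RU}e` is the authentication assertion that tt-rss's auth_proxy plugin consumes (the ttrss-config.php hunk in this patch switches to it), and nothing in the config says so; a comment at that line, `# X-Forwarded-User is trusted by tt-rss auth_proxy: tt-rss must be reachable only through this frontend`, would make the trust boundary explicit for the next maintainer. `RequestHeader set` rather than `append` correctly replaces any client-supplied value of that header. Whether tt-rss is reachable other than through this proxy cannot be told from the hunk; the compose file is where to confirm that no port of the tt-rss service is published.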
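Review bot: `docker/frontend-apache/passwords.txt` commits a working credential (the commit message states the password for `admin`) that the docker-compose.yml change in this same patch mounts read-only into the frontend as `/etc/apache2/`, so anyone deploying from the repository starts with a known login. Keep the file out of version control (a `.gitignore` entry plus a documented `htpasswd -B` step, or a compose secret) and ship only an example file. The `$2y$05$` prefix indicates a bcrypt cost of 5, the htpasswd default; a higher cost is cheap for a single account.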
@@ -5,7 +5,7 @@ from doit.tools import LongRunning from dodo_utils import wait_net_service, wait_pgsql_db, \ up2date_hasimage, up2date_anyimages, \ - run_task_func + run_task_func, scan_dir COMPOSE = 'docker-compose -p feedati' DOIT_CONFIG = {'default_tasks': ['up']} @@ -17,8 +17,7 @@ def task_build(): 'uptodate': [up2date_anyimages], 'file_dep': ['docker-compose.yml', 'rss-bridge/Dockerfile', - ] + [os.path.join('docker', fname) - for fname in os.listdir('docker')], + ] + list(scan_dir('docker')), 'actions': [COMPOSE + ' build'], 'clean': [run_task_func(task__build_rm), run_task_func(task__build_rmi)], diff --git a/dodo_utils.py b/dodo_utils.py index 215821c..66734db 100644 --- a/dodo_utils.py +++ b/dodo_utils.py @@ -1,5 +1,7 @@ import subprocess import time +import os +import fnmatch from doit import loader @@ -105,3 +107,11 @@ def run_task_func(taskf): if tasks: fun.__doc__ = '\n'.join(t.doc for t in tasks) return fun + + +def scan_dir(dirname, extension=None): + if extension is None: + extension = '*' + for root, dirnames, filenames in os.walk(dirname): + for fname in fnmatch.filter(filenames, extension): + yield os.path.join(root, fname) From 5f19d3b839c7062de4943844416c89b5140a92bd Mon Sep 17 00:00:00 2001 From: boyska Date: Wed, 5 Sep 2018 17:08:02 +0200 Subject: [PATCH 4/7] no debug --- docker/frontend-apache.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/frontend-apache.conf b/docker/frontend-apache.conf index f8a7c81..e695633 100644 --- a/docker/frontend-apache.conf +++ b/docker/frontend-apache.conf @@ -100,7 +100,7 @@ ErrorLog /proc/self/fd/2 # LogLevel: Control the number of messages logged to the error_log. # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. -LogLevel trace1 +LogLevel warn # From ab4d837936997dc16b6ce19e4430e63f14cbe76a Mon Sep 17 00:00:00 2001 
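Review bot: `scan_dir(dirname, extension=None)` names its second parameter `extension` but passes it straight to `fnmatch.filter`, so it is a shell-style glob (`'*.conf'`), not a bare extension like `'conf'`; a caller going by the name would pass the wrong thing. A docstring would settle it: `"""Yield paths of files under dirname whose basename matches the glob pattern `extension` (default '*', every file)."""`. `dirnames` from `os.walk` is unused in the loop and could be `_dirnames` to say so.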
From: boyska Date: Mon, 17 Sep 2018 12:03:33 +0200 Subject: [PATCH 5/7] [TT] ttrss check proxy IP --- docker/ttrss-config.php | 2 ++ tt-rss | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docker/ttrss-config.php b/docker/ttrss-config.php index 7b32ee6..2cf3e36 100644 --- a/docker/ttrss-config.php +++ b/docker/ttrss-config.php @@ -196,4 +196,6 @@ // Expected config version. Please update this option in config.php // if necessary (after migrating all new options from this file). + define('AUTHPROXY_WHITELIST_NAME', 'feedati-fe'); + // vim:ft=php bkc=yes: diff --git a/tt-rss b/tt-rss index 7e1a483..d6ab5df 160000 --- a/tt-rss +++ b/tt-rss @@ -1 +1 @@ -Subproject commit 7e1a483db2644f8da14c5ea6072ed55fcd75bcba +Subproject commit d6ab5df482ebe96c849a1c0103d8c6e880699f38 From 4f840d4c212a13e4e7c025c10cd0f6fbce62a4bd Mon Sep 17 00:00:00 2001 From: boyska Date: Tue, 18 Sep 2018 12:33:20 +0200 Subject: [PATCH 6/7] FIX dbprepare: wait_net_service exceptions --- dodo_utils.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dodo_utils.py b/dodo_utils.py index 66734db..66e3165 100644 --- a/dodo_utils.py +++ b/dodo_utils.py @@ -34,10 +34,12 @@ def wait_net_service(server, port, timeout=None): # this exception occurs only if timeout is set if timeout: return False + except (ConnectionRefusedError, ConnectionAbortedError): + pass except socket.error as err: # catch timeout exception from underlying network library # this one is different from socket.timeout - if type(err.args) != tuple or err[0] != errno.ETIMEDOUT: + if type(err.args) != tuple or err.errno != errno.ETIMEDOUT: raise else: s.close() From 1edfe60db3ef9188025110925b986e496c8e3e75 Mon Sep 17 00:00:00 2001 
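Review bot: `define('AUTHPROXY_WHITELIST_NAME', 'feedati-fe');` is appended after the comment block about the expected config version, with nothing saying what the name refers to or why it is trusted; a comment such as `// only the Apache frontend (ServerName feedati-fe) may assert X-Forwarded-User for auth_proxy` would tie it to the proxy configuration it depends on. The value matches `ServerName feedati-fe:80` in docker/frontend-apache.conf, so it appears to name the frontend container; how auth_proxy matches that name against the request's source is not visible here and should be confirmed in the tt-rss submodule bumped alongside.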
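Review bot: The new `except (ConnectionRefusedError, ConnectionAbortedError): pass` swallows the exception without a comment, and because both are `OSError` subclasses the branch only works because it precedes `except socket.error`; a comment such as `# service not listening yet; presumably retried by the enclosing loop` would record both the intent and the ordering constraint. The `err[0]` to `err.errno` change is the right Python 3 fix, and `type(err.args) != tuple` beside it would read better as `not isinstance(err.args, tuple)`. Whether `s` is closed when the refused/aborted branch is taken depends on code outside the hunk; wait_net_service begins before this hunk.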
From: boyska Date: Tue, 18 Sep 2018 20:50:37 +0200 Subject: [PATCH 7/7] [D] FIX dbprepare: port 5432 was useful! was removed in d8932f3d828baf77273 to be very clean, it should only be used during "dbprepare" phase, but I found no option to do that from docker-compose only --- docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 1a93dc5..416c9bf 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,6 +10,8 @@ services: - POSTGRES_USER=ttrss - POSTGRES_PASSWORD=password-dev - POSTGRES_DB=ttrss + ports: + - 5432:5432 tt-rss: image: feedati/tt-rss:latest
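Review bot: `- 5432:5432` publishes Postgres on every host interface, and the same hunk shows `POSTGRES_PASSWORD=password-dev` as its credential, so the database becomes reachable from the network with a password that lives in the repository. Binding to loopback, `- 127.0.0.1:5432:5432`, keeps the dbprepare access the commit message needs without exposing it beyond the host. The message already notes this should apply only during dbprepare; a `docker-compose.override.yml` used just for that step would achieve the same without the port in the base file.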