Compare commits

...

12 commits

Author SHA1 Message Date
0e42a12610 [d] Properly redirecting in apache conf 2018-09-19 22:41:27 +02:00
9c3690d969 Merge branch 'central-auth' 2018-09-19 22:29:42 +02:00
aba7cc499f [TT] Updated revision 2018-09-19 22:29:35 +02:00
1edfe60db3 [D] FIX dbprepare: port 5432 was useful!
was removed in d8932f3d82
to be very clean, it should only be used during "dbprepare" phase, but I
found no option to do that from docker-compose only
2018-09-18 20:50:37 +02:00
4f840d4c21 FIX dbprepare: wait_net_service exceptions 2018-09-18 12:33:20 +02:00
ab4d837936 [TT] ttrss check proxy IP 2018-09-17 12:03:33 +02:00
5f19d3b839 no debug 2018-09-05 17:08:02 +02:00
46baadb8a1 FIX doit for docker/ subdirs 2018-09-05 16:56:22 +02:00
54bcd8dbb8 apache auth passed to tt-rss
it still uses htpasswd as authn backend; should move to postgresql
sooner or later
test auth, user=admin pass=password
2018-09-05 16:55:38 +02:00
bf7a75c72f A draft for centralized authentication
using standard Apache modules.
2018-09-04 23:28:07 +02:00
675a5874b8 [BR] cleaner configuration
(completes 906be5506f)
2018-08-22 20:29:07 +02:00
d8932f3d82 hide useless ports 2018-08-22 20:19:32 +02:00
9 changed files with 103 additions and 39 deletions

View file

@ -23,9 +23,6 @@ services:
- ./tt-rss:/app/public/tt-rss/ - ./tt-rss:/app/public/tt-rss/
- ./docker/ttrss-config.php:/app/public/tt-rss/config.php:ro - ./docker/ttrss-config.php:/app/public/tt-rss/config.php:ro
- ./docker/ttrss-apache-tt.conf:/etc/apache2/conf.d/tt.conf:ro - ./docker/ttrss-apache-tt.conf:/etc/apache2/conf.d/tt.conf:ro
ports:
- 8000:80
- 9312:9312
environment: environment:
- APACHE_SERVER_NAME=tt-rss - APACHE_SERVER_NAME=tt-rss
- PHP_DISPLAY_ERRORS=stdout - PHP_DISPLAY_ERRORS=stdout
@ -55,8 +52,6 @@ services:
- ./docker/rssbridge-config.ini.php:/app/public/config.ini.php:ro - ./docker/rssbridge-config.ini.php:/app/public/config.ini.php:ro
- ./docker/rssbridge-config.defines.php:/app/public/config.defines.php:ro - ./docker/rssbridge-config.defines.php:/app/public/config.defines.php:ro
- ./docker/rssbridge-whitelist.txt:/app/public/whitelist.txt:ro - ./docker/rssbridge-whitelist.txt:/app/public/whitelist.txt:ro
ports:
- 8001:80
environment: environment:
- APACHE_SERVER_NAME=rss-bridge - APACHE_SERVER_NAME=rss-bridge
@ -65,6 +60,8 @@ services:
container_name: feedati_webserver container_name: feedati_webserver
volumes: volumes:
- ./docker/frontend-apache.conf:/usr/local/apache2/conf/httpd.conf:ro - ./docker/frontend-apache.conf:/usr/local/apache2/conf/httpd.conf:ro
- ./docker/frontend-apache/:/etc/apache2/:ro
- ./docker/frontend-login/:/var/www/login/:ro
ports: ports:
- 80:80 - 80:80
depends_on: depends_on:

View file

@ -10,7 +10,7 @@ LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so #LoadModule expires_module modules/mod_expires.so
#LoadModule headers_module modules/mod_headers.so LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so #LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule remoteip_module modules/mod_remoteip.so #LoadModule remoteip_module modules/mod_remoteip.so
LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_module modules/mod_proxy.so
@ -20,7 +20,18 @@ LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule session_module modules/mod_session.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule request_module modules/mod_request.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule authn_file_module modules/mod_authn_file.so
# LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule macro_module modules/mod_macro.so
LoadModule rewrite_module modules/mod_rewrite.so
<IfModule unixd_module> <IfModule unixd_module>
# #
@ -39,37 +50,38 @@ ServerAdmin you@example.com
ServerName feedati-fe:80 ServerName feedati-fe:80
<Macro Auth>
AuthFormLoginRequiredLocation "/login/"
AuthFormLoginRequiredLocation "/login/"
AuthFormProvider file
# authn
AuthFormProvider file
AuthUserFile /etc/apache2/passwords.txt
# form
AuthType form
AuthName "authenticationform"
# mod_session
Session On
SessionCookieName session path=/;httponly
SessionCryptoPassphrase changeme!really!
</Macro>
<Location "/login/do">
SetHandler form-login-handler
Use Auth
AuthFormLoginSuccessLocation "/tt-rss/"
</Location>
<Directory /> <Directory />
AllowOverride none AllowOverride none
Require all denied Require all denied
</Directory> </Directory>
DocumentRoot "/usr/local/apache2/htdocs" DocumentRoot "/var/www"
<Directory "/usr/local/apache2/htdocs"> <Directory "/var/www">
# Options None
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None AllowOverride None
Use Auth
#
# Controls who can get stuff from this server.
#
Require all granted Require all granted
</Directory> </Directory>
@ -176,15 +188,25 @@ LogLevel warn
#AddOutputFilter INCLUDES .shtml #AddOutputFilter INCLUDES .shtml
</IfModule> </IfModule>
Redirect permanent "/tt-rss" "/tt-rss/"
ProxyPreserveHost On ProxyPreserveHost On
<Location /tt-rss/> <Location /tt-rss/>
ProxyPass http://tt-rss/tt-rss/ ProxyPass http://tt-rss/tt-rss/
ProxyPassReverse http://tt-rss/tt-rss/ ProxyPassReverse http://tt-rss/tt-rss/
Use Auth
Require valid-user
RewriteEngine on
RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-Forwarded-User %{RU}e
</Location> </Location>
Redirect permanent "/rss-bridge" "/rss-bridge/"
<Location /rss-bridge/> <Location /rss-bridge/>
ProxyPass http://rss-bridge/ ProxyPass http://rss-bridge/
ProxyPassReverse http://rss-bridge/ ProxyPassReverse http://rss-bridge/
Require all granted
</Location> </Location>
# vim: set ft=apache bkc=yes: # vim: set ft=apache bkc=yes:

View file

@ -0,0 +1 @@
admin:$2y$05$tPaBuT/mWQCvfk1C12PmV.0Dz8kt0cY1jcD53OGCN26Y8dX2kRPs.

View file

@ -0,0 +1,31 @@
<!doctype html>
<html>
<head>
<title>Login required</title>
<link href='http://fonts.googleapis.com/css?family=Roboto+Condensed:300' rel='stylesheet' type='text/css'>
<link rel="stylesheet" type="text/css" href="/login/css/style.css" />
<script type="text/javascript">
function init() {
if (localStorage.getItem("tryLogin")) {
document.getElementById("error").className += "show";
localStorage.removeItem("tryLogin");
}
document.getElementById("password").focus();
}
function tryLogin() {
localStorage.setItem("tryLogin", true);
}
</script>
</head>
<body onload="init()">
<div id="content">
<h1>Feedati login</h1>
<form method="POST" action="/login/do" onsubmit="tryLogin()">
<label for="username">Username</label><input type="text" id="username" name="httpd_username" value="friends" />
<label for="password">Password</label><input type="password" id="password" name="httpd_password" value="" />
<input type="submit" name="login" value="Login" />
</form>
</div>
</body>
</html>

View file

@ -175,7 +175,7 @@
// if you experience weird errors and tt-rss failing to start, blank pages // if you experience weird errors and tt-rss failing to start, blank pages
// after login, or content encoding errors, disable it. // after login, or content encoding errors, disable it.
define('PLUGINS', 'auth_internal, note'); define('PLUGINS', 'auth_proxy, note');
// Comma-separated list of plugins to load automatically for all users. // Comma-separated list of plugins to load automatically for all users.
// System plugins have to be specified here. Please enable at least one // System plugins have to be specified here. Please enable at least one
// authentication plugin here (auth_*). // authentication plugin here (auth_*).
@ -196,4 +196,6 @@
// Expected config version. Please update this option in config.php // Expected config version. Please update this option in config.php
// if necessary (after migrating all new options from this file). // if necessary (after migrating all new options from this file).
define('AUTHPROXY_WHITELIST_NAME', 'feedati-fe');
// vim:ft=php bkc=yes: // vim:ft=php bkc=yes:

View file

@ -5,7 +5,7 @@ from doit.tools import LongRunning
from dodo_utils import wait_net_service, wait_pgsql_db, \ from dodo_utils import wait_net_service, wait_pgsql_db, \
up2date_hasimage, up2date_anyimages, \ up2date_hasimage, up2date_anyimages, \
run_task_func run_task_func, scan_dir
COMPOSE = 'docker-compose -p feedati' COMPOSE = 'docker-compose -p feedati'
DOIT_CONFIG = {'default_tasks': ['up']} DOIT_CONFIG = {'default_tasks': ['up']}
@ -17,8 +17,7 @@ def task_build():
'uptodate': [up2date_anyimages], 'uptodate': [up2date_anyimages],
'file_dep': ['docker-compose.yml', 'file_dep': ['docker-compose.yml',
'rss-bridge/Dockerfile', 'rss-bridge/Dockerfile',
] + [os.path.join('docker', fname) ] + list(scan_dir('docker')),
for fname in os.listdir('docker')],
'actions': [COMPOSE + ' build'], 'actions': [COMPOSE + ' build'],
'clean': [run_task_func(task__build_rm), 'clean': [run_task_func(task__build_rm),
run_task_func(task__build_rmi)], run_task_func(task__build_rmi)],

View file

@ -1,5 +1,7 @@
import subprocess import subprocess
import time import time
import os
import fnmatch
from doit import loader from doit import loader
@ -32,10 +34,12 @@ def wait_net_service(server, port, timeout=None):
# this exception occurs only if timeout is set # this exception occurs only if timeout is set
if timeout: if timeout:
return False return False
except (ConnectionRefusedError, ConnectionAbortedError):
pass
except socket.error as err: except socket.error as err:
# catch timeout exception from underlying network library # catch timeout exception from underlying network library
# this one is different from socket.timeout # this one is different from socket.timeout
if type(err.args) != tuple or err[0] != errno.ETIMEDOUT: if type(err.args) != tuple or err.errno != errno.ETIMEDOUT:
raise raise
else: else:
s.close() s.close()
@ -105,3 +109,11 @@ def run_task_func(taskf):
if tasks: if tasks:
fun.__doc__ = '\n'.join(t.doc for t in tasks) fun.__doc__ = '\n'.join(t.doc for t in tasks)
return fun return fun
def scan_dir(dirname, extension=None):
if extension is None:
extension = '*'
for root, dirnames, filenames in os.walk(dirname):
for fname in fnmatch.filter(filenames, extension):
yield os.path.join(root, fname)

@ -1 +1 @@
Subproject commit a86f5e72e8ca75590cf1e5077fc9d1f458ee3da3 Subproject commit c1494adace180fae50d1476fcdec3648423f8ea2

2
tt-rss

@ -1 +1 @@
Subproject commit c925f4e3fdad04442c5c2f542883dbd26c81cc23 Subproject commit d6ab5df482ebe96c849a1c0103d8c6e880699f38