| Age | Commit message | Author |
|
* Better comments in our Docker images
* Make `cli/access-permissions.sh` compatible with other Apache groups such as `http` for Linux Arch
* Better `/Docker/entrypoint.sh` supporting various Apache configuration paths (and slightly faster).
* Add test image for Linux Arch (not sure we will keep it)
See
* https://github.com/FreshRSS/FreshRSS/pull/8279#issuecomment-3620674818
|
|
(#7793)
* Optimize how much data needs to be `chown`/`chmod`ed on container startup
This works around an issue where `chmod`/`chown` operations inside a
container can be extremely slow when using the `overlay2` storage
driver, resulting in 10min+ container startup times.
It modifies the owner of the webapp when building the container so that
only the `data` and `extensions` directories (which are commonly mapped
as volumes into the container) have to be modified by the
`access-permissions.sh` script at container startup.
When not running via docker the behaviour of the `access-permissions.sh`
script is unchanged.
* Take DATA_PATH environment variable into account when fixing permissions
* Revert change to using bash for arrays
(the alpine image doesn't include `bash`)
* A few more improvements
* Slightly tweak reapply permissions variable
- lowercase to indicate it's not an env variable
- use 0/1 to address potentially-irrational paranoia about unset variables
* Remove conditional logic to skip reapplying permissions
Also documents why in a comment so it's not missed in the future.
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
Closes https://github.com/FreshRSS/FreshRSS/issues/7300
Interpolate `FRESHRSS_INSTALL` and `FRESHRSS_USER` at runtime to allow secrets being passed as environment variables
|
|
Single `find` and single `sed` command instead of 3
|
|
* Fix OIDC session params definition
- standardize environment variable names
- group all in the same configuration file
- use mod_auth_openidc default values
- fix `OIDCSessionMaxDuration` because it was not set with the previous
code
- add documentation
* Add double quoting to prevent globbing and word splitting
* Revert line deleted by mistake
|
|
* add OIDCSessionMaxDuration and OIDCSessionInactivityTimeout
* entrypoint.sh OIDCSessionMaxDuration and Session fix
* fix: entrypoint.sh OIDCSessionMaxDuration and OIDCSessionInactivityTimeout and Alpine support
* Use Apache config file instead
* Spelling
* fixed after restarting the double OIDC lines
* Refactor
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
Avoid keeping environment variables used for init.
Improvement of https://github.com/FreshRSS/FreshRSS/pull/5795
Spotted when checking https://github.com/FreshRSS/FreshRSS/issues/5894
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/5792
regression from https://github.com/FreshRSS/FreshRSS/pull/5772
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/5770
Note, the syntax complying with https://www.shellcheck.net/wiki/SC2002 does not seem to work in ash / Alpine
|
|
* Prepare Alpine OIDC
* Prepare syntax for OpenID Connect in Alpine.
* Update :newest Alpine development image to PHP 8.3
* Fix a little bug in test of OIDC_SCOPES
* Changelog + syntax
* shellchecks
|
|
fix https://github.com/FreshRSS/FreshRSS/issues/5744
|
|
* Use RemoteIPInternalProxy directive of remoteip Apache module
instead of RemoteIPTrustedProxy directive
To allow internal IPs to be trusted: for internal clients,
and also for the case of chained internal reverse-proxies
Fixes #5726
* One last reference forgotten
---------
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
|
|
* Update entrypoint.sh to avoid a warning on non-numeric TRUSTED_PROXY env var
Fixes #5732
* Use POSIX-compatible syntax
* Fix POSIX syntax
|
|
* Rework trusted proxies
Fix https://github.com/FreshRSS/FreshRSS/issues/5502
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/3226
New environment variable `TRUSTED_PROXY`: set to 0 to disable, or to a list of trusted IP ranges compatible with https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
New internal environment variable `CONN_REMOTE_ADDR` to remember the true IP address of the connection (e.g. last proxy), even when using mod_remoteip.
Current working setups should not observe any significant change.
* Minor whitespace
* Safer trusted sources during install
Rework of https://github.com/FreshRSS/FreshRSS/pull/5358
https://github.com/FreshRSS/FreshRSS/issues/5357
* Minor readme
|
|
|
|
Quiet output for a2enmod, a2dismod, a2disconf, a2dissite, a2ensite to avoid many messages like the following, which are not even relevant because Apache is not yet started at this stage:
```
To activate the new configuration, you need to run:
systemctl restart apache2
```
Related to https://github.com/FreshRSS/FreshRSS/pull/5463
|
|
Only enable the Apache auth_openidc module when actually used
Fix https://github.com/FreshRSS/FreshRSS/issues/5460
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/5351
|
|
* More robust application of access permissions
We were in particular missing directory traversal `+X` in our current recommendations.
Extracted to own shell script so it can easily be invoked.
Update access permissions in Docker to be more robust.
#fix https://github.com/FreshRSS/FreshRSS/discussions/5037
* Minor simplification
* Restrict mkdir permissions
Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
|
|
To ease adding custom extensions such as in https://github.com/FreshRSS/Extensions/issues/37#issuecomment-1363474585
|
|
* Docker Alpine timezone for :newest and :oldest
Follow-up of https://github.com/FreshRSS/FreshRSS/pull/4903
Forgot the development images Newest and Oldest
* Uniform timezone behaviour
* shellcheck
* A bit more documentation
|
|
Remove output buffering during auto-install of FreshRSS and auto-creation of the default user.
We were only getting outputs at the end of each command, which was a problem for getting errors and progress, for instance when automatically importing a very large OPML
|
|
Should be done during build and not during entrypoint, to avoid modifying a potential volume (e.g. mounting the source code as a volume is used during development).
|
|
#fix https://github.com/FreshRSS/FreshRSS/pull/3927/files#r735146297
The path `/var/www/FreshRSS/` might be a Docker volume, breaking files created there during Docker build
|
|
Adding the crontab as part of the image build makes it more complicated
to add custom entries to the crontab. Adjusting the image and entrypoint
to make it so that the crontab is only added when CRON_MIN is set
simplifies having a custom crontab.
|
|
#fix https://github.com/FreshRSS/FreshRSS/issues/3495
|
|
* Possibility to autoinstall in Docker Compose
#fix https://github.com/FreshRSS/FreshRSS/issues/3349
It is simply calling our existing CLI: do-install.php and
create-user.php
https://github.com/FreshRSS/FreshRSS/tree/master/cli
FreshRSS will typically be ready a few seconds before the database, so
introduce a tolerance when the database is not available / up (yet) by
trying a few times to connect. Also useful to avoid service interruption
when DB service is restarted.
Example:
```yml
  freshrss-app:
    image: freshrss/freshrss
    container_name: freshrss-app
    hostname: freshrss-app
    restart: unless-stopped
    ports:
      - "8080:80"
    depends_on:
      - freshrss-db
    volumes:
      - data:/var/www/FreshRSS/data
      - extensions:/var/www/FreshRSS/extensions
    environment:
      CRON_MIN: '*/20'
      FRESHRSS_ENV: development
      FRESHRSS_INSTALL: |-
        --api_enabled
        --base_url https://rss.example.net
        --db-base freshrss
        --db-host freshrss-db
        --db-password freshrss
        --db-type pgsql
        --db-user freshrss
        --default_user admin
        --language en
      FRESHRSS_USER: |-
        --api_password freshrss
        --email user@example.net
        --language en
        --password freshrss
        --user admin
      TZ: Europe/Paris
```
* Minor type f in find
* shellcheck
|
|
#fix https://github.com/FreshRSS/FreshRSS/issues/3341
New environment variable `LISTEN='0.0.0.0:8080'`
```
docker run -d --network host --uts host -e LISTEN='0.0.0.0:8080' -e TZ=Europe/Paris --name freshrss freshrss/freshrss
```
|
|
cron job was not passed the environment variable FRESHRSS_ENV as it
should
This resulted in messages during cron to not be logged according to
FRESHRSS_ENV level
|
|
* New environment variable COPY_LOG_TO_SYSLOG
False by default.
Makes it easy to monitor all logs from Syslog or STDERR (e.g. docker
logs).
* Suggestion of native constants
|
|
* Increase import size
This is merely a temporary workaround to allow at least some medium size
imports
https://framateam.org/freshrss/pl/7wbt4tcyetrfmris9xdcbq7uuw
The import module should be rewritten to process files one by one and as
data streams instead of loading multiple copies of the whole dataset in
memory as is the case now :-(
https://github.com/FreshRSS/FreshRSS/issues/1890
Note that the new SQLite export/import is distinct from this case.
* Use parameter
|
|
* [CI] Run shellcheck and shfmt
Cf. https://github.com/FreshRSS/FreshRSS/pull/2436#discussion_r305640019
* rename
* no need for disable anymore
* also remove leftover indentation flags even if it makes no difference to syntax checking
* define colors and reset before exit for local use
|
|
Fix environment variable bug
|
|
Misc. from https://github.com/FreshRSS/FreshRSS/pull/2325
https://github.com/FreshRSS/FreshRSS/issues/2319
|
|
https://github.com/FreshRSS/FreshRSS/issues/2153
|
|
https://github.com/FreshRSS/FreshRSS/pull/2208
|
|
* Apache performance
API: Use SetEnvIf if available and fallback to RewriteRule
Docker: Disable unused modules.
Docker: Hard-include .htaccess to avoid having to scan for changes in
that file.
Docker: Disable security check of symlinks, which we do not use anyway.
* Apache readme
* Docker/Apache tuning
Run cron job with correct www-data user instead of root
Remove PHP GMP module unneeded for 64-bit Docker image
Add option to mount custom .htaccess for HTTP authentication
Re-add Apache module for HTTP authentication
Move Alpine-specific instructions to Docker file (instead of Apache
conf) to make it easier to have other base images than Alpine
|
|
* Escape cron step values with backslash
Escape cron step values with backslash in $CRON_MIN
* Change sed delimiter to allow unescaped slashes
|
|
* cron in Docker image
https://github.com/FreshRSS/FreshRSS/issues/1869
* Fix cron CMD
* Minor readme
* Docker run d instead of dit
There should not be a need for STDIN or TTY
* Minor sed param
|