From a6623b7b2fa3f026a0ea30e49b1a221f7a4a8e55 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 2 Jan 2019 21:36:33 +0100 Subject: Apache performance (#2202) * Apache performance API: Use SetEnvIf if available and fallback to RewriteRule Docker: Disable unused modules. Docker: Hard-include .htaccess to avoid having to scan for changes in that file. Docker: Disable security check of symlinks, which we do not use ayway. * Apache readme * Docker/Apache tuning Run cron job with correct www-data user instead of root Remove PHP GMP module uneeded for 64-bit Docker image Add option to mount custom .htaccess for HTTP authentication Re-add Apache module for HTTP authentication Move Alpine-specific instructions to Docker file (instead of Apache conf) to make it easier to have other base images than Alpine --- Docker/Dockerfile | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'Docker/Dockerfile') diff --git a/Docker/Dockerfile b/Docker/Dockerfile index cca7bb65e..2a25e567d 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -2,11 +2,9 @@ FROM alpine:3.8 RUN apk add --no-cache \ apache2 php7-apache2 \ - php7 php7-curl php7-gmp php7-intl php7-mbstring php7-xml php7-zip \ + php7 php7-curl php7-intl php7-mbstring php7-xml php7-zip \ php7-ctype php7-dom php7-fileinfo php7-iconv php7-json php7-session php7-simplexml php7-xmlreader php7-zlib \ - php7-pdo_sqlite \ - php7-pdo_mysql \ - php7-pdo_pgsql + php7-pdo_sqlite php7-pdo_mysql php7-pdo_pgsql ENV FRESHRSS_ROOT /var/www/FreshRSS RUN mkdir -p ${FRESHRSS_ROOT} /run/apache2/ @@ -15,9 +13,16 @@ WORKDIR ${FRESHRSS_ROOT} COPY . ${FRESHRSS_ROOT} COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/ -RUN sed -r -i "/^[ ]*(CustomLog|ErrorLog|Listen) /s/^/#/" /etc/apache2/httpd.conf && \ +RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \ + /etc/apache2/conf.d/status.conf /etc/apache2/conf.d/userdir.conf && \ + sed -r -i "/^\s*LoadModule .*mod_(alias|autoindex|negotiation|status).so$/s/^/#/" \ + /etc/apache2/httpd.conf && \ + sed -r -i "/^\s*#\s*LoadModule .*mod_(deflate|expires|headers|mime|setenvif).so$/s/^\s*#//" \ + /etc/apache2/httpd.conf && \ + sed -r -i "/^\s*(CustomLog|ErrorLog|Listen) /s/^/#/" \ + /etc/apache2/httpd.conf && \ echo "17,37 * * * * php ${FRESHRSS_ROOT}/app/actualize_script.php 2>&1 | tee /tmp/FreshRSS.log" >> \ - /var/spool/cron/crontabs/root + /var/spool/cron/crontabs/www-data ENV CRON_MIN '' ENTRYPOINT ["./Docker/entrypoint.sh"] -- cgit v1.2.3 From 802c264574902ea44c2c76ae098a6f58911fe114 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 6 Jan 2019 00:46:48 +0100 Subject: Copy syslog to STDERR (#2208) * Use openlog before syslog In order to have a copy on stderr when syslog is not available. * Take advantage of syslog for actualization Pipe cron job STDERR and syslog to Docker log Cf. https://github.com/FreshRSS/FreshRSS/pull/2202/commits/00bd467655b7c060cdae388519b2413d12d8cb0f --- Docker/Dockerfile | 11 +++++------ app/Models/Entry.php | 1 + app/actualize_script.php | 8 ++++++-- cli/_cli.php | 2 +- lib/favicons.php | 1 + lib/lib_install.php | 1 + lib/lib_rss.php | 7 +++++++ p/i/index.php | 2 ++ 8 files changed, 24 insertions(+), 9 deletions(-) (limited to 'Docker/Dockerfile') diff --git a/Docker/Dockerfile b/Docker/Dockerfile index 2a25e567d..db034ff61 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -6,11 +6,10 @@ RUN apk add --no-cache \ php7-ctype php7-dom php7-fileinfo php7-iconv php7-json php7-session php7-simplexml php7-xmlreader php7-zlib \ php7-pdo_sqlite php7-pdo_mysql php7-pdo_pgsql -ENV FRESHRSS_ROOT /var/www/FreshRSS -RUN mkdir -p ${FRESHRSS_ROOT} /run/apache2/ -WORKDIR ${FRESHRSS_ROOT} +RUN mkdir -p /var/www/FreshRSS /run/apache2/ +WORKDIR /var/www/FreshRSS -COPY . ${FRESHRSS_ROOT} +COPY . /var/www/FreshRSS COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/ RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \ @@ -21,8 +20,8 @@ RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \ /etc/apache2/httpd.conf && \ sed -r -i "/^\s*(CustomLog|ErrorLog|Listen) /s/^/#/" \ /etc/apache2/httpd.conf && \ - echo "17,37 * * * * php ${FRESHRSS_ROOT}/app/actualize_script.php 2>&1 | tee /tmp/FreshRSS.log" >> \ - /var/spool/cron/crontabs/www-data + echo "17,37 * * * * su apache -s /bin/sh -c 'php /var/www/FreshRSS/app/actualize_script.php' 2>> /proc/1/fd/2 > /tmp/FreshRSS.log" >> \ + /var/spool/cron/crontabs/root ENV CRON_MIN '' ENTRYPOINT ["./Docker/entrypoint.sh"] diff --git a/app/Models/Entry.php b/app/Models/Entry.php index 985276734..f2f3d08fe 100644 --- a/app/Models/Entry.php +++ b/app/Models/Entry.php @@ -209,6 +209,7 @@ class FreshRSS_Entry extends Minz_Model { $feed_timeout = empty($attributes['timeout']) ? 0 : intval($attributes['timeout']); if ($system_conf->simplepie_syslog_enabled) { + prepareSyslog(); syslog(LOG_INFO, 'FreshRSS GET ' . SimplePie_Misc::url_remove_credentials($url)); } diff --git a/app/actualize_script.php b/app/actualize_script.php index ba9660a14..f1dec5640 100755 --- a/app/actualize_script.php +++ b/app/actualize_script.php @@ -12,6 +12,9 @@ if (defined('STDOUT')) { fwrite(STDOUT, 'Starting feed actualization at ' . $begin_date->format('c') . "\n"); //Unbuffered } +prepareSyslog(); +syslog(LOG_INFO, 'FreshRSS Start feeds actualization...'); + // Set the header params ($_GET) to call the FRSS application. $_GET['c'] = 'feed'; $_GET['a'] = 'actualize'; @@ -64,7 +67,7 @@ foreach ($users as $user) { if (!invalidateHttpCache()) { Minz_Log::warning('FreshRSS write access problem in ' . join_path(USERS_PATH, $user, 'log.txt'), ADMIN_LOG); if (defined('STDERR')) { - fwrite(STDERR, 'Write access problem in ' . join_path(USERS_PATH, $user, 'log.txt') . "\n"); + fwrite(STDERR, 'FreshRSS write access problem in ' . join_path(USERS_PATH, $user, 'log.txt') . "\n"); } } } @@ -75,7 +78,8 @@ if (defined('STDOUT')) { $end_date = date_create('now'); $duration = date_diff($end_date, $begin_date); fwrite(STDOUT, 'Ending feed actualization at ' . $end_date->format('c') . "\n"); //Unbuffered - fwrite(STDOUT, 'Feed actualizations took ' . $duration->format('%a day(s), %h hour(s), %i minute(s) and %s seconds') . ' for ' . count($users) . " users\n"); //Unbuffered + fwrite(STDOUT, 'Feed actualizations took ' . $duration->format('%a day(s), %h hour(s), %i minute(s) and %s seconds') . ' for ' . count($users) . " users\n"); //Unbuffered } echo 'End.', "\n"; ob_end_flush(); +syslog(LOG_INFO, 'FreshRSS feeds actualization done.'); diff --git a/cli/_cli.php b/cli/_cli.php index 72629171c..e8fb6ae42 100644 --- a/cli/_cli.php +++ b/cli/_cli.php @@ -4,7 +4,7 @@ if (php_sapi_name() !== 'cli') { } require(__DIR__ . '/../constants.php'); -require(LIB_PATH . '/lib_rss.php'); +require(LIB_PATH . '/lib_rss.php'); //Includes class autoloader require(LIB_PATH . '/lib_install.php'); Minz_Configuration::register('system', diff --git a/lib/favicons.php b/lib/favicons.php index fe2e65f1f..7a2d1187e 100644 --- a/lib/favicons.php +++ b/lib/favicons.php @@ -22,6 +22,7 @@ function isImgMime($content) { } function downloadHttp(&$url, $curlOptions = array()) { + prepareSyslog(); syslog(LOG_INFO, 'FreshRSS Favicon GET ' . $url); if (substr($url, 0, 2) === '//') { $url = 'https:' . $url; diff --git a/lib/lib_install.php b/lib/lib_install.php index d51a37e58..6e4df4e9c 100644 --- a/lib/lib_install.php +++ b/lib/lib_install.php @@ -81,6 +81,7 @@ function generateSalt() { function checkDb(&$dbOptions) { $dsn = ''; $driver_options = null; + prepareSyslog(); try { switch ($dbOptions['type']) { case 'mysql': diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 168309563..738ccf641 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -202,12 +202,19 @@ function html_only_entity_decode($text) { return strtr($text, $htmlEntitiesOnly); } +function prepareSyslog() { + return openlog("FreshRSS", LOG_PERROR | LOG_PID, LOG_USER); +} + function customSimplePie($attributes = array()) { $system_conf = Minz_Configuration::get('system'); $limits = $system_conf->limits; $simplePie = new SimplePie(); $simplePie->set_useragent(FRESHRSS_USERAGENT); $simplePie->set_syslog($system_conf->simplepie_syslog_enabled); + if ($system_conf->simplepie_syslog_enabled) { + prepareSyslog(); + } $simplePie->set_cache_location(CACHE_PATH); $simplePie->set_cache_duration($limits['cache_duration']); diff --git a/p/i/index.php b/p/i/index.php index 5bc9c0d76..8a4f529d4 100755 --- a/p/i/index.php +++ b/p/i/index.php @@ -50,5 +50,7 @@ if (file_exists(DATA_PATH . '/do-install.txt')) { echo '### Fatal error! ###
', "\n"; Minz_Log::error($e->getMessage()); echo 'See logs files.'; + prepareSyslog(); + syslog(LOG_INFO, 'FreshRSS Fatal error! ' . $e->getMessage()); } } -- cgit v1.2.3 From 15d74d934708896706278574af159a9dcb3a4313 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 6 Jan 2019 12:07:51 +0100 Subject: Changelog + Revert mistakes from 2202 and 2204 (#2210) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * GMP is needed because Alpine on e.g. ARM runs 32-bit https://github.com/FreshRSS/FreshRSS/pull/2202 * Remove documentation for Træfik HTTP authentication as it is not compatible with API https://github.com/FreshRSS/FreshRSS/pull/2204 https://github.com/FreshRSS/FreshRSS/pull/2208 https://github.com/FreshRSS/FreshRSS/pull/2207 --- CHANGELOG.md | 15 +++++++++++++++ Docker/Dockerfile | 2 +- Docker/README.md | 23 ++++------------------- 3 files changed, 20 insertions(+), 20 deletions(-) (limited to 'Docker/Dockerfile') diff --git a/CHANGELOG.md b/CHANGELOG.md index a77c7b703..ff306cb7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,21 @@ * Bug fixing * Fix missing HTTP `X-Forwarded-Prefix` in cookie path behind a reverse-proxy [#2201](https://github.com/FreshRSS/FreshRSS/pull/2201) +* Deployment + * Docker improvements [#2202](https://github.com/FreshRSS/FreshRSS/pull/2202) + * Performance: Hard-include Apache .htaccess to avoid having to scan for changes in those files + * Performance: Disable unused Apache security check of symlinks + * Performance: Disable unused Apache modules + * Add option to mount custom `.htaccess` for HTTP authentication + * Docker logs gets PHP syslog messages (e.g. from cron job and when fetching external content) + * Send a copy of PHP syslog messages to STDERR [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208) + * Run Docker cron job with Apache user instead of root [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208) + * Accept HTTP header `X-WebAuth-User` for delegated HTTP Authentication [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204) +* API + * Automatic test of API configuration [#2207](https://github.com/FreshRSS/FreshRSS/pull/2207) + * Use Apache SetEnvIf module if available and fall-back to RewriteRule [#2202](https://github.com/FreshRSS/FreshRSS/pull/2202) +* Security + * Fixes when HTTP user does not exist in FreshRSS [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204) ## 2018-12-22 FreshRSS 1.13.0 diff --git a/Docker/Dockerfile b/Docker/Dockerfile index db034ff61..52ac5f2fc 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -2,7 +2,7 @@ FROM alpine:3.8 RUN apk add --no-cache \ apache2 php7-apache2 \ - php7 php7-curl php7-intl php7-mbstring php7-xml php7-zip \ + php7 php7-curl php7-gmp php7-intl php7-mbstring php7-xml php7-zip \ php7-ctype php7-dom php7-fileinfo php7-iconv php7-json php7-session php7-simplexml php7-xmlreader php7-zlib \ php7-pdo_sqlite php7-pdo_mysql php7-pdo_pgsql diff --git a/Docker/README.md b/Docker/README.md index b991409bd..1a915f326 100644 --- a/Docker/README.md +++ b/Docker/README.md @@ -205,35 +205,20 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \ ## More deployment options -### Use HTTP-based login (advanced users) - -FreshRSS allows logins using either a Web form (easiest) or based on HTTP authentication. -If you want HTTP authentication, [Træfik can do it](https://docs.traefik.io/configuration/entrypoints/#authentication) (otherwise, see section below for giving this task to Apache inside the FreshRSS Docker image): - -``` -sudo docker run ... - --label traefik.frontend.auth.basic.users='admin:$2y$05$BJ3eexf8gkyfHR1L38nVMeQ2RbQ5PF6KW4/PlttXeR6IOGZKH4sbC,alice:$2y$05$0vv8eexRq4qujzyBCYh6a.bo/KUvuXCmjJ54RqEHBApaHdQrpzFJC' \ - --label traefik.frontend.auth.removeheader=true \ - --label traefik.frontend.auth.headerField=X-WebAuth-User \ - --name freshrss freshrss/freshrss -``` - -N.B.: You can create password hashes for instance with: `htpasswd -nB alice` - ### Custom Apache configuration (advanced users) Changes in Apache `.htaccess` files are applied when restarting the container. -In particular, if you want FreshRSS to use HTTP-based login (instead of the easier Web form login, and instead of letting Træfik do it), you can mount your own `./FreshRSS/p/i/.htaccess`: +In particular, if you want FreshRSS to use HTTP-based login (instead of the easier Web form login), you can mount your own `./FreshRSS/p/i/.htaccess`: ``` sudo docker run ... - -v ./your/.htaccess:/var/www/FreshRSS/p/i/.htaccess \ - -v ./your/.htpasswd:/var/www/FreshRSS/data/.htpasswd \ + -v /your/.htaccess:/var/www/FreshRSS/p/i/.htaccess \ + -v /your/.htpasswd:/var/www/FreshRSS/data/.htpasswd \ ... --name freshrss freshrss/freshrss ``` -Example of `./your/.htaccess` referring to `./your/.htpasswd`: +Example of `/your/.htaccess` referring to `/your/.htpasswd`: ``` AuthUserFile /var/www/FreshRSS/data/.htpasswd AuthName "FreshRSS" -- cgit v1.2.3 From b73d4c807f8bce7090eb0d37cf4448dbb248ba2b Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 8 Jan 2019 00:06:01 +0100 Subject: COPY_SYSLOG_TO_STDERR (#2213) Update of https://github.com/FreshRSS/FreshRSS/pull/2208 Fixes https://github.com/FreshRSS/FreshRSS/issues/2212 --- CHANGELOG.md | 2 +- Docker/Dockerfile | 1 + constants.php | 3 +++ lib/lib_rss.php | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) (limited to 'Docker/Dockerfile') diff --git a/CHANGELOG.md b/CHANGELOG.md index ff306cb7c..ce9ce145f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ * Performance: Disable unused Apache modules * Add option to mount custom `.htaccess` for HTTP authentication * Docker logs gets PHP syslog messages (e.g. from cron job and when fetching external content) - * Send a copy of PHP syslog messages to STDERR [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208) + * New environment variable `COPY_SYSLOG_TO_STDERR` or in `constants.local.php` to copy PHP syslog messages to STDERR [#2213](https://github.com/FreshRSS/FreshRSS/pull/2213) * Run Docker cron job with Apache user instead of root [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208) * Accept HTTP header `X-WebAuth-User` for delegated HTTP Authentication [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204) * API diff --git a/Docker/Dockerfile b/Docker/Dockerfile index 52ac5f2fc..7aaee52a0 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -23,6 +23,7 @@ RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \ echo "17,37 * * * * su apache -s /bin/sh -c 'php /var/www/FreshRSS/app/actualize_script.php' 2>> /proc/1/fd/2 > /tmp/FreshRSS.log" >> \ /var/spool/cron/crontabs/root +ENV COPY_SYSLOG_TO_STDERR On ENV CRON_MIN '' ENTRYPOINT ["./Docker/entrypoint.sh"] diff --git a/constants.php b/constants.php index 3a8c213d4..89eb5cda1 100644 --- a/constants.php +++ b/constants.php @@ -32,6 +32,9 @@ safe_define('FRESHRSS_USERAGENT', 'FreshRSS/' . FRESHRSS_VERSION . ' (' . PHP_OS // PHP text output compression http://php.net/ob_gzhandler (better to do it at Web server level) safe_define('PHP_COMPRESSION', false); +// For cases when syslog is not available +safe_define('COPY_SYSLOG_TO_STDERR', isset($_SERVER['COPY_SYSLOG_TO_STDERR']) ? filter_var($_SERVER['COPY_SYSLOG_TO_STDERR'], FILTER_VALIDATE_BOOLEAN) : false); + // Maximum log file size in Bytes, before it will be divided by two safe_define('MAX_LOG_SIZE', 1048576); diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 738ccf641..89e9ddfea 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -203,7 +203,7 @@ function html_only_entity_decode($text) { } function prepareSyslog() { - return openlog("FreshRSS", LOG_PERROR | LOG_PID, LOG_USER); + return COPY_SYSLOG_TO_STDERR ? openlog("FreshRSS", LOG_PERROR | LOG_PID, LOG_USER) : false; } function customSimplePie($attributes = array()) { -- cgit v1.2.3 From 4355849ec36efb3aa4b711912abd71e30cf2d5ee Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 16 Jan 2019 22:19:40 +0100 Subject: Docker Alpine PHP timezone (#2218) https://github.com/FreshRSS/FreshRSS/issues/2153 --- Docker/Dockerfile | 2 ++ Docker/README.md | 2 ++ Docker/entrypoint.sh | 2 ++ 3 files changed, 6 insertions(+) (limited to 'Docker/Dockerfile') diff --git a/Docker/Dockerfile b/Docker/Dockerfile index 7aaee52a0..a4be9fd84 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -1,5 +1,7 @@ FROM alpine:3.8 +ENV TZ UTC + RUN apk add --no-cache \ apache2 php7-apache2 \ php7 php7-curl php7-gmp php7-intl php7-mbstring php7-xml php7-zip \ diff --git a/Docker/README.md b/Docker/README.md index 1a915f326..ac745c49d 100644 --- a/Docker/README.md +++ b/Docker/README.md @@ -66,6 +66,7 @@ sudo docker volume create freshrss-data sudo docker run -d --restart unless-stopped --log-opt max-size=10m \ -v freshrss-data:/var/www/FreshRSS/data \ -e 'CRON_MIN=4,34' \ + -e TZ=Europe/Paris \ --net freshrss-network \ --label traefik.port=80 \ --label traefik.frontend.rule='Host:freshrss.example.net' \ @@ -74,6 +75,7 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \ --name freshrss freshrss/freshrss ``` +* Replace `TZ=Europe/Paris` by your [server timezone](http://php.net/timezones), or remove the line to use `UTC`. * If you cannot have FreshRSS at the root of a dedicated domain, update the command above according to the following model: `--label traefik.frontend.rule='Host:freshrss.example.net;PathPrefixStrip:/FreshRSS/' \` * You may remove the `--label traefik.*` lines if you do not use Træfik. diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh index d4e1808bc..528388073 100755 --- a/Docker/entrypoint.sh +++ b/Docker/entrypoint.sh @@ -5,6 +5,8 @@ php -f ./cli/prepare.php > /dev/null chown -R :www-data . chmod -R g+r . && chmod -R g+w ./data/ +find /etc/php*/ -name php.ini -exec sed -r -i "\#^;?date.timezone#s#^.*#date.timezone = $TZ#" {} \; + if [ -n "$CRON_MIN" ]; then sed -r -i "\#FreshRSS#s#^[^ ]+ #$CRON_MIN #" /var/spool/cron/crontabs/root fi -- cgit v1.2.3