From 945cf832ad2c20c10704282d03326d8495d0ca4b Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Wed, 2 Jan 2019 21:43:05 +0100
Subject: HTTP authenfication fixes (#2204)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Security fixes when HTTP user does not exist in FreshRSS
* Accept HTTP header X-WebAuth-User for delegated HTTP Authentication (e.g. Træfik)
* Document delegated HTTP authentication from https://github.com/FreshRSS/FreshRSS/pull/2202
---
 Docker/README.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
(limited to 'Docker/README.md')
diff --git a/Docker/README.md b/Docker/README.md
index 6b3871c6b..b991409bd 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -205,6 +205,42 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
 ## More deployment options
+### Use HTTP-based login (advanced users)
+
+FreshRSS allows logins using either a Web form (easiest) or based on HTTP authentication.
+If you want HTTP authentication, [Træfik can do it](https://docs.traefik.io/configuration/entrypoints/#authentication) (otherwise, see section below for giving this task to Apache inside the FreshRSS Docker image):
+
+```
+sudo docker run ...
+ --label traefik.frontend.auth.basic.users='admin:$2y$05$BJ3eexf8gkyfHR1L38nVMeQ2RbQ5PF6KW4/PlttXeR6IOGZKH4sbC,alice:$2y$05$0vv8eexRq4qujzyBCYh6a.bo/KUvuXCmjJ54RqEHBApaHdQrpzFJC' \
+ --label traefik.frontend.auth.removeheader=true \
+ --label traefik.frontend.auth.headerField=X-WebAuth-User \
+ --name freshrss freshrss/freshrss
+```
+
+N.B.: You can create password hashes for instance with: `htpasswd -nB alice`
+
+### Custom Apache configuration (advanced users)
+
+Changes in Apache `.htaccess` files are applied when restarting the container.
+In particular, if you want FreshRSS to use HTTP-based login (instead of the easier Web form login, and instead of letting Træfik do it), you can mount your own `./FreshRSS/p/i/.htaccess`:
+
+```
+sudo docker run ...
+ -v ./your/.htaccess:/var/www/FreshRSS/p/i/.htaccess \
+ -v ./your/.htpasswd:/var/www/FreshRSS/data/.htpasswd \
+ ...
+ --name freshrss freshrss/freshrss
+```
+
+Example of `./your/.htaccess` referring to `./your/.htpasswd`:
+```
+AuthUserFile /var/www/FreshRSS/data/.htpasswd
+AuthName "FreshRSS"
+AuthType Basic
+Require valid-user
+```
+
 ### Example with [docker-compose](https://docs.docker.com/compose/)
 A [docker-compose.yml](docker-compose.yml) file is given as an example, using PostgreSQL. In order to use it, you have to adapt:
--
cgit v1.2.3
From 15d74d934708896706278574af159a9dcb3a4313 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 6 Jan 2019 12:07:51 +0100
Subject: Changelog + Revert mistakes from 2202 and 2204 (#2210)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* GMP is needed because Alpine on e.g. ARM runs 32-bit https://github.com/FreshRSS/FreshRSS/pull/2202
* Remove documentation for Træfik HTTP authentication as it is not compatible with API https://github.com/FreshRSS/FreshRSS/pull/2204 https://github.com/FreshRSS/FreshRSS/pull/2208 https://github.com/FreshRSS/FreshRSS/pull/2207
---
 CHANGELOG.md | 15 +++++++++++++++
 Docker/Dockerfile | 2 +-
 Docker/README.md | 23 ++++------------------
 3 files changed, 20 insertions(+), 20 deletions(-)
(limited to 'Docker/README.md')
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a77c7b703..ff306cb7c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,21 @@
 * Bug fixing
 * Fix missing HTTP `X-Forwarded-Prefix` in cookie path behind a reverse-proxy [#2201](https://github.com/FreshRSS/FreshRSS/pull/2201)
+* Deployment
+ * Docker improvements [#2202](https://github.com/FreshRSS/FreshRSS/pull/2202)
+ * Performance: Hard-include Apache .htaccess to avoid having to scan for changes in those files
+ * Performance: Disable unused Apache security check of symlinks
+ * Performance: Disable unused Apache modules
+ * Add option to mount custom `.htaccess` for HTTP authentication
+ * Docker logs gets PHP syslog messages (e.g. from cron job and when fetching external content)
+ * Send a copy of PHP syslog messages to STDERR [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208)
+ * Run Docker cron job with Apache user instead of root [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208)
+ * Accept HTTP header `X-WebAuth-User` for delegated HTTP Authentication [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204)
+* API
+ * Automatic test of API configuration [#2207](https://github.com/FreshRSS/FreshRSS/pull/2207)
+ * Use Apache SetEnvIf module if available and fall-back to RewriteRule [#2202](https://github.com/FreshRSS/FreshRSS/pull/2202)
+* Security
+ * Fixes when HTTP user does not exist in FreshRSS [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204)
 ## 2018-12-22 FreshRSS 1.13.0
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index db034ff61..52ac5f2fc 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:3.8
 RUN apk add --no-cache \
 apache2 php7-apache2 \
- php7 php7-curl php7-intl php7-mbstring php7-xml php7-zip \
+ php7 php7-curl php7-gmp php7-intl php7-mbstring php7-xml php7-zip \
 php7-ctype php7-dom php7-fileinfo php7-iconv php7-json php7-session php7-simplexml php7-xmlreader php7-zlib \
 php7-pdo_sqlite php7-pdo_mysql php7-pdo_pgsql
diff --git a/Docker/README.md b/Docker/README.md
index b991409bd..1a915f326 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -205,35 +205,20 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
 ## More deployment options
-### Use HTTP-based login (advanced users)
-
-FreshRSS allows logins using either a Web form (easiest) or based on HTTP authentication.
-If you want HTTP authentication, [Træfik can do it](https://docs.traefik.io/configuration/entrypoints/#authentication) (otherwise, see section below for giving this task to Apache inside the FreshRSS Docker image):
-
-```
-sudo docker run ...
- --label traefik.frontend.auth.basic.users='admin:$2y$05$BJ3eexf8gkyfHR1L38nVMeQ2RbQ5PF6KW4/PlttXeR6IOGZKH4sbC,alice:$2y$05$0vv8eexRq4qujzyBCYh6a.bo/KUvuXCmjJ54RqEHBApaHdQrpzFJC' \
- --label traefik.frontend.auth.removeheader=true \
- --label traefik.frontend.auth.headerField=X-WebAuth-User \
- --name freshrss freshrss/freshrss
-```
-
-N.B.: You can create password hashes for instance with: `htpasswd -nB alice`
-
 ### Custom Apache configuration (advanced users)
 Changes in Apache `.htaccess` files are applied when restarting the container.
-In particular, if you want FreshRSS to use HTTP-based login (instead of the easier Web form login, and instead of letting Træfik do it), you can mount your own `./FreshRSS/p/i/.htaccess`:
+In particular, if you want FreshRSS to use HTTP-based login (instead of the easier Web form login), you can mount your own `./FreshRSS/p/i/.htaccess`:
 ```
 sudo docker run ...
- -v ./your/.htaccess:/var/www/FreshRSS/p/i/.htaccess \
- -v ./your/.htpasswd:/var/www/FreshRSS/data/.htpasswd \
+ -v /your/.htaccess:/var/www/FreshRSS/p/i/.htaccess \
+ -v /your/.htpasswd:/var/www/FreshRSS/data/.htpasswd \
 ...
 --name freshrss freshrss/freshrss
 ```
-Example of `./your/.htaccess` referring to `./your/.htpasswd`:
+Example of `/your/.htaccess` referring to `/your/.htpasswd`:
 ```
 AuthUserFile /var/www/FreshRSS/data/.htpasswd
 AuthName "FreshRSS"
--
cgit v1.2.3
From 4355849ec36efb3aa4b711912abd71e30cf2d5ee Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Wed, 16 Jan 2019 22:19:40 +0100
Subject: Docker Alpine PHP timezone (#2218)
https://github.com/FreshRSS/FreshRSS/issues/2153
---
 Docker/Dockerfile | 2 ++
 Docker/README.md | 2 ++
 Docker/entrypoint.sh | 2 ++
 3 files changed, 6 insertions(+)
(limited to 'Docker/README.md')
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index 7aaee52a0..a4be9fd84 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -1,5 +1,7 @@
 FROM alpine:3.8
+ENV TZ UTC
+
 RUN apk add --no-cache \
 apache2 php7-apache2 \
 php7 php7-curl php7-gmp php7-intl php7-mbstring php7-xml php7-zip \
diff --git a/Docker/README.md b/Docker/README.md
index 1a915f326..ac745c49d 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -66,6 +66,7 @@ sudo docker volume create freshrss-data
 sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
 -v freshrss-data:/var/www/FreshRSS/data \
 -e 'CRON_MIN=4,34' \
+ -e TZ=Europe/Paris \
 --net freshrss-network \
 --label traefik.port=80 \
 --label traefik.frontend.rule='Host:freshrss.example.net' \
@@ -74,6 +75,7 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
 --name freshrss freshrss/freshrss
 ```
+* Replace `TZ=Europe/Paris` by your [server timezone](http://php.net/timezones), or remove the line to use `UTC`.
 * If you cannot have FreshRSS at the root of a dedicated domain, update the command above according to the following model: `--label traefik.frontend.rule='Host:freshrss.example.net;PathPrefixStrip:/FreshRSS/' \`
 * You may remove the `--label traefik.*` lines if you do not use Træfik.
diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index d4e1808bc..528388073 100755
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -5,6 +5,8 @@ php -f ./cli/prepare.php > /dev/null
 chown -R :www-data .
 chmod -R g+r . && chmod -R g+w ./data/
+find /etc/php*/ -name php.ini -exec sed -r -i "\#^;?date.timezone#s#^.*#date.timezone = $TZ#" {} \;
+
 if [ -n "$CRON_MIN" ]; then
 sed -r -i "\#FreshRSS#s#^[^ ]+ #$CRON_MIN #" /var/spool/cron/crontabs/root
 fi
--
cgit v1.2.3
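Review bot: The added `find ... -exec sed -r -i` line splices `$TZ` verbatim into a sed expression that uses `#` as its delimiter, so a value containing `#`, `&` or `\` (or an empty value, which an operator can produce with `-e TZ=` despite the `ENV TZ UTC` default added to the Dockerfile in this same commit) rewrites every matching php.ini in place with a broken or empty `date.timezone` setting, and the error only surfaces later in PHP. The value is operator-supplied, so this is a misconfiguration hazard rather than an injection path, but `sed -i` makes it destructive and silent. A guard such as `case "$TZ" in ''|*[#\&\\]*) echo "Ignoring invalid TZ: $TZ" >&2;; *) find /etc/php*/ -name php.ini -exec sed -r -i "\#^;?date.timezone#s#^.*#date.timezone = $TZ#" {} \; ;; esac` keeps the files untouched on bad input; the pre-existing `$CRON_MIN` substitution on the context lines has the same shape and could share the check. The script is flat, so the hunk does not cut an enclosing function.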