From e9d50f48eb376766ebdb4a7d7e10d15bf863d5a7 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Thu, 27 Dec 2018 22:57:30 +0100 Subject: HTTP_X_FORWARDED_PREFIX for cookie path (#2201) Forgotten. Follow-up of https://github.com/FreshRSS/FreshRSS/pull/2191 --- lib/Minz/Session.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index c94f2b646..97b15c4d0 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -61,7 +61,11 @@ class Minz_Session { public static function getCookieDir() { // Get the script_name (e.g. /p/i/index.php) and keep only the path. - $cookie_dir = empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; + $cookie_dir = ''; + if (!empty($_SERVER['HTTP_X_FORWARDED_PREFIX'])) { + $cookie_dir .= rtrim($_SERVER['HTTP_X_FORWARDED_PREFIX'], '/ '); + } + $cookie_dir .= empty($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; if (substr($cookie_dir, -1) !== '/') { $cookie_dir = dirname($cookie_dir) . '/'; } -- cgit v1.2.3 From 945cf832ad2c20c10704282d03326d8495d0ca4b Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 2 Jan 2019 21:43:05 +0100 Subject: HTTP authenfication fixes (#2204) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Security fixes when HTTP user does not exist in FreshRSS * Accept HTTP header X-WebAuth-User for delegated HTTP Authentication (e.g. Træfik) * Document delegated HTTP authentication from https://github.com/FreshRSS/FreshRSS/pull/2202 --- Docker/README.md | 36 ++++++++++++++++++++++++++++++++++++ app/Controllers/authController.php | 6 +++++- app/Models/Auth.php | 9 +++++---- app/Models/UserDAO.php | 10 +++++----- lib/Minz/Configuration.php | 17 +++++------------ lib/lib_rss.php | 13 ++++++------- 6 files changed, 62 insertions(+), 29 deletions(-) (limited to 'lib') diff --git a/Docker/README.md b/Docker/README.md index 6b3871c6b..b991409bd 100644 --- a/Docker/README.md +++ b/Docker/README.md @@ -205,6 +205,42 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \ ## More deployment options +### Use HTTP-based login (advanced users) + +FreshRSS allows logins using either a Web form (easiest) or based on HTTP authentication. +If you want HTTP authentication, [Træfik can do it](https://docs.traefik.io/configuration/entrypoints/#authentication) (otherwise, see section below for giving this task to Apache inside the FreshRSS Docker image): + +``` +sudo docker run ... + --label traefik.frontend.auth.basic.users='admin:$2y$05$BJ3eexf8gkyfHR1L38nVMeQ2RbQ5PF6KW4/PlttXeR6IOGZKH4sbC,alice:$2y$05$0vv8eexRq4qujzyBCYh6a.bo/KUvuXCmjJ54RqEHBApaHdQrpzFJC' \ + --label traefik.frontend.auth.removeheader=true \ + --label traefik.frontend.auth.headerField=X-WebAuth-User \ + --name freshrss freshrss/freshrss +``` + +N.B.: You can create password hashes for instance with: `htpasswd -nB alice` + +### Custom Apache configuration (advanced users) + +Changes in Apache `.htaccess` files are applied when restarting the container. +In particular, if you want FreshRSS to use HTTP-based login (instead of the easier Web form login, and instead of letting Træfik do it), you can mount your own `./FreshRSS/p/i/.htaccess`: + +``` +sudo docker run ... + -v ./your/.htaccess:/var/www/FreshRSS/p/i/.htaccess \ + -v ./your/.htpasswd:/var/www/FreshRSS/data/.htpasswd \ + ... + --name freshrss freshrss/freshrss +``` + +Example of `./your/.htaccess` referring to `./your/.htpasswd`: +``` +AuthUserFile /var/www/FreshRSS/data/.htpasswd +AuthName "FreshRSS" +AuthType Basic +Require valid-user +``` + ### Example with [docker-compose](https://docs.docker.com/compose/) A [docker-compose.yml](docker-compose.yml) file is given as an example, using PostgreSQL. In order to use it, you have to adapt: diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php index 5ad1a51d9..3b2d78b19 100644 --- a/app/Controllers/authController.php +++ b/app/Controllers/authController.php @@ -79,8 +79,12 @@ class FreshRSS_auth_Controller extends Minz_ActionController { Minz_Request::forward(array('c' => 'auth', 'a' => 'formLogin')); break; case 'http_auth': + Minz_Error::error(403, array('error' => array(_t('feedback.access.denied'), + ' [HTTP Remote-User=' . htmlspecialchars(httpAuthUser(), ENT_NOQUOTES, 'UTF-8') . ']' + )), false); + break; case 'none': - // It should not happened! + // It should not happen! Minz_Error::error(404); default: // TODO load plugin instead diff --git a/app/Models/Auth.php b/app/Models/Auth.php index 9c3e31952..513a9cb2f 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -28,13 +28,13 @@ class FreshRSS_Auth { if (self::$login_ok) { self::giveAccess(); - } elseif (self::accessControl()) { - self::giveAccess(); + } elseif (self::accessControl() && self::giveAccess()) { FreshRSS_UserDAO::touch(); } else { // Be sure all accesses are removed! self::removeAccess(); } + return self::$login_ok; } /** @@ -60,7 +60,7 @@ class FreshRSS_Auth { return $current_user != ''; case 'http_auth': $current_user = httpAuthUser(); - $login_ok = $current_user != ''; + $login_ok = $current_user != '' && FreshRSS_UserDAO::exists($current_user); if ($login_ok) { Minz_Session::_param('currentUser', $current_user); } @@ -81,7 +81,7 @@ class FreshRSS_Auth { $user_conf = get_user_configuration($current_user); if ($user_conf == null) { self::$login_ok = false; - return; + return false; } $system_conf = Minz_Configuration::get('system'); @@ -102,6 +102,7 @@ class FreshRSS_Auth { Minz_Session::_param('loginOk', self::$login_ok); Minz_Session::_param('REMOTE_USER', httpAuthUser()); + return self::$login_ok; } /** diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php index 5fb46c947..e9d3a7329 100644 --- a/app/Models/UserDAO.php +++ b/app/Models/UserDAO.php @@ -65,7 +65,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); if ($db['type'] === 'sqlite') { - return unlink(join_path(DATA_PATH, 'users', $username, 'db.sqlite')); + return unlink(USERS_PATH . '/' . $username . '/db.sqlite'); } else { $userPDO = new Minz_ModelPdo($username); @@ -81,18 +81,18 @@ class FreshRSS_UserDAO extends Minz_ModelPdo { } } - public static function exist($username) { - return is_dir(join_path(DATA_PATH, 'users', $username)); + public static function exists($username) { + return is_dir(USERS_PATH . '/' . $username); } public static function touch($username = '') { if (!FreshRSS_user_Controller::checkUsername($username)) { $username = Minz_Session::param('currentUser', '_'); } - return touch(join_path(DATA_PATH, 'users', $username, 'config.php')); + return touch(USERS_PATH . '/' . $username . '/config.php'); } public static function mtime($username) { - return @filemtime(join_path(DATA_PATH, 'users', $username, 'config.php')); + return @filemtime(USERS_PATH . '/' . $username . '/config.php'); } } diff --git a/lib/Minz/Configuration.php b/lib/Minz/Configuration.php index 3e486d68e..aae3accc6 100644 --- a/lib/Minz/Configuration.php +++ b/lib/Minz/Configuration.php @@ -27,23 +27,16 @@ class Minz_Configuration { /** * Parse a file and return its data. * - * If the file does not contain a valid PHP code returning an array, an - * empty array is returned anyway. - * * @param $filename the name of the file to parse. * @return an array of values - * @throws Minz_FileNotExistException if the file does not exist. + * @throws Minz_FileNotExistException if the file does not exist or is invalid. */ public static function load($filename) { - if (!file_exists($filename)) { - throw new Minz_FileNotExistException($filename); - } - - $data = include($filename); + $data = @include($filename); if (is_array($data)) { return $data; } else { - return array(); + throw new Minz_FileNotExistException($filename); } } @@ -117,7 +110,7 @@ class Minz_Configuration { $this->default_filename = $default_filename; $this->_configurationSetter($configuration_setter); - if (!is_null($this->default_filename)) { + if ($this->default_filename != null) { $this->data = self::load($this->default_filename); } @@ -126,7 +119,7 @@ class Minz_Configuration { $this->data, self::load($this->config_filename) ); } catch (Minz_FileNotExistException $e) { - if (is_null($this->default_filename)) { + if ($this->default_filename == null) { throw $e; } } diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 333920c8c..168309563 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -364,9 +364,9 @@ function get_user_configuration($username) { join_path(FRESHRSS_PATH, 'config-user.default.php')); } catch (Minz_ConfigurationNamespaceException $e) { // namespace already exists, do nothing. - Minz_Log::warning($e->getMessage()); + Minz_Log::warning($e->getMessage(), USERS_PATH . '/_/log.txt'); } catch (Minz_FileNotExistException $e) { - Minz_Log::warning($e->getMessage()); + Minz_Log::warning($e->getMessage(), USERS_PATH . '/_/log.txt'); return null; } @@ -375,14 +375,13 @@ function get_user_configuration($username) { function httpAuthUser() { - if (isset($_SERVER['REMOTE_USER'])) { + if (!empty($_SERVER['REMOTE_USER'])) { return $_SERVER['REMOTE_USER']; - } - - if (isset($_SERVER['REDIRECT_REMOTE_USER'])) { + } elseif (!empty($_SERVER['REDIRECT_REMOTE_USER'])) { return $_SERVER['REDIRECT_REMOTE_USER']; + } elseif (!empty($_SERVER['HTTP_X_WEBAUTH_USER'])) { + return $_SERVER['HTTP_X_WEBAUTH_USER']; } - return ''; } -- cgit v1.2.3 From 802c264574902ea44c2c76ae098a6f58911fe114 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 6 Jan 2019 00:46:48 +0100 Subject: Copy syslog to STDERR (#2208) * Use openlog before syslog In order to have a copy on stderr when syslog is not available. * Take advantage of syslog for actualization Pipe cron job STDERR and syslog to Docker log Cf. https://github.com/FreshRSS/FreshRSS/pull/2202/commits/00bd467655b7c060cdae388519b2413d12d8cb0f --- Docker/Dockerfile | 11 +++++------ app/Models/Entry.php | 1 + app/actualize_script.php | 8 ++++++-- cli/_cli.php | 2 +- lib/favicons.php | 1 + lib/lib_install.php | 1 + lib/lib_rss.php | 7 +++++++ p/i/index.php | 2 ++ 8 files changed, 24 insertions(+), 9 deletions(-) (limited to 'lib') diff --git a/Docker/Dockerfile b/Docker/Dockerfile index 2a25e567d..db034ff61 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -6,11 +6,10 @@ RUN apk add --no-cache \ php7-ctype php7-dom php7-fileinfo php7-iconv php7-json php7-session php7-simplexml php7-xmlreader php7-zlib \ php7-pdo_sqlite php7-pdo_mysql php7-pdo_pgsql -ENV FRESHRSS_ROOT /var/www/FreshRSS -RUN mkdir -p ${FRESHRSS_ROOT} /run/apache2/ -WORKDIR ${FRESHRSS_ROOT} +RUN mkdir -p /var/www/FreshRSS /run/apache2/ +WORKDIR /var/www/FreshRSS -COPY . ${FRESHRSS_ROOT} +COPY . /var/www/FreshRSS COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/ RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \ @@ -21,8 +20,8 @@ RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \ /etc/apache2/httpd.conf && \ sed -r -i "/^\s*(CustomLog|ErrorLog|Listen) /s/^/#/" \ /etc/apache2/httpd.conf && \ - echo "17,37 * * * * php ${FRESHRSS_ROOT}/app/actualize_script.php 2>&1 | tee /tmp/FreshRSS.log" >> \ - /var/spool/cron/crontabs/www-data + echo "17,37 * * * * su apache -s /bin/sh -c 'php /var/www/FreshRSS/app/actualize_script.php' 2>> /proc/1/fd/2 > /tmp/FreshRSS.log" >> \ + /var/spool/cron/crontabs/root ENV CRON_MIN '' ENTRYPOINT ["./Docker/entrypoint.sh"] diff --git a/app/Models/Entry.php b/app/Models/Entry.php index 985276734..f2f3d08fe 100644 --- a/app/Models/Entry.php +++ b/app/Models/Entry.php @@ -209,6 +209,7 @@ class FreshRSS_Entry extends Minz_Model { $feed_timeout = empty($attributes['timeout']) ? 0 : intval($attributes['timeout']); if ($system_conf->simplepie_syslog_enabled) { + prepareSyslog(); syslog(LOG_INFO, 'FreshRSS GET ' . SimplePie_Misc::url_remove_credentials($url)); } diff --git a/app/actualize_script.php b/app/actualize_script.php index ba9660a14..f1dec5640 100755 --- a/app/actualize_script.php +++ b/app/actualize_script.php @@ -12,6 +12,9 @@ if (defined('STDOUT')) { fwrite(STDOUT, 'Starting feed actualization at ' . $begin_date->format('c') . "\n"); //Unbuffered } +prepareSyslog(); +syslog(LOG_INFO, 'FreshRSS Start feeds actualization...'); + // Set the header params ($_GET) to call the FRSS application. $_GET['c'] = 'feed'; $_GET['a'] = 'actualize'; @@ -64,7 +67,7 @@ foreach ($users as $user) { if (!invalidateHttpCache()) { Minz_Log::warning('FreshRSS write access problem in ' . join_path(USERS_PATH, $user, 'log.txt'), ADMIN_LOG); if (defined('STDERR')) { - fwrite(STDERR, 'Write access problem in ' . join_path(USERS_PATH, $user, 'log.txt') . "\n"); + fwrite(STDERR, 'FreshRSS write access problem in ' . join_path(USERS_PATH, $user, 'log.txt') . "\n"); } } } @@ -75,7 +78,8 @@ if (defined('STDOUT')) { $end_date = date_create('now'); $duration = date_diff($end_date, $begin_date); fwrite(STDOUT, 'Ending feed actualization at ' . $end_date->format('c') . "\n"); //Unbuffered - fwrite(STDOUT, 'Feed actualizations took ' . $duration->format('%a day(s), %h hour(s), %i minute(s) and %s seconds') . ' for ' . count($users) . " users\n"); //Unbuffered + fwrite(STDOUT, 'Feed actualizations took ' . $duration->format('%a day(s), %h hour(s), %i minute(s) and %s seconds') . ' for ' . count($users) . " users\n"); //Unbuffered } echo 'End.', "\n"; ob_end_flush(); +syslog(LOG_INFO, 'FreshRSS feeds actualization done.'); diff --git a/cli/_cli.php b/cli/_cli.php index 72629171c..e8fb6ae42 100644 --- a/cli/_cli.php +++ b/cli/_cli.php @@ -4,7 +4,7 @@ if (php_sapi_name() !== 'cli') { } require(__DIR__ . '/../constants.php'); -require(LIB_PATH . '/lib_rss.php'); +require(LIB_PATH . '/lib_rss.php'); //Includes class autoloader require(LIB_PATH . '/lib_install.php'); Minz_Configuration::register('system', diff --git a/lib/favicons.php b/lib/favicons.php index fe2e65f1f..7a2d1187e 100644 --- a/lib/favicons.php +++ b/lib/favicons.php @@ -22,6 +22,7 @@ function isImgMime($content) { } function downloadHttp(&$url, $curlOptions = array()) { + prepareSyslog(); syslog(LOG_INFO, 'FreshRSS Favicon GET ' . $url); if (substr($url, 0, 2) === '//') { $url = 'https:' . $url; diff --git a/lib/lib_install.php b/lib/lib_install.php index d51a37e58..6e4df4e9c 100644 --- a/lib/lib_install.php +++ b/lib/lib_install.php @@ -81,6 +81,7 @@ function generateSalt() { function checkDb(&$dbOptions) { $dsn = ''; $driver_options = null; + prepareSyslog(); try { switch ($dbOptions['type']) { case 'mysql': diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 168309563..738ccf641 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -202,12 +202,19 @@ function html_only_entity_decode($text) { return strtr($text, $htmlEntitiesOnly); } +function prepareSyslog() { + return openlog("FreshRSS", LOG_PERROR | LOG_PID, LOG_USER); +} + function customSimplePie($attributes = array()) { $system_conf = Minz_Configuration::get('system'); $limits = $system_conf->limits; $simplePie = new SimplePie(); $simplePie->set_useragent(FRESHRSS_USERAGENT); $simplePie->set_syslog($system_conf->simplepie_syslog_enabled); + if ($system_conf->simplepie_syslog_enabled) { + prepareSyslog(); + } $simplePie->set_cache_location(CACHE_PATH); $simplePie->set_cache_duration($limits['cache_duration']); diff --git a/p/i/index.php b/p/i/index.php index 5bc9c0d76..8a4f529d4 100755 --- a/p/i/index.php +++ b/p/i/index.php @@ -50,5 +50,7 @@ if (file_exists(DATA_PATH . '/do-install.txt')) { echo '### Fatal error! ###
', "\n"; Minz_Log::error($e->getMessage()); echo 'See logs files.'; + prepareSyslog(); + syslog(LOG_INFO, 'FreshRSS Fatal error! ' . $e->getMessage()); } } -- cgit v1.2.3 From b73d4c807f8bce7090eb0d37cf4448dbb248ba2b Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 8 Jan 2019 00:06:01 +0100 Subject: COPY_SYSLOG_TO_STDERR (#2213) Update of https://github.com/FreshRSS/FreshRSS/pull/2208 Fixes https://github.com/FreshRSS/FreshRSS/issues/2212 --- CHANGELOG.md | 2 +- Docker/Dockerfile | 1 + constants.php | 3 +++ lib/lib_rss.php | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/CHANGELOG.md b/CHANGELOG.md index ff306cb7c..ce9ce145f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ * Performance: Disable unused Apache modules * Add option to mount custom `.htaccess` for HTTP authentication * Docker logs gets PHP syslog messages (e.g. from cron job and when fetching external content) - * Send a copy of PHP syslog messages to STDERR [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208) + * New environment variable `COPY_SYSLOG_TO_STDERR` or in `constants.local.php` to copy PHP syslog messages to STDERR [#2213](https://github.com/FreshRSS/FreshRSS/pull/2213) * Run Docker cron job with Apache user instead of root [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208) * Accept HTTP header `X-WebAuth-User` for delegated HTTP Authentication [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204) * API diff --git a/Docker/Dockerfile b/Docker/Dockerfile index 52ac5f2fc..7aaee52a0 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -23,6 +23,7 @@ RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \ echo "17,37 * * * * su apache -s /bin/sh -c 'php /var/www/FreshRSS/app/actualize_script.php' 2>> /proc/1/fd/2 > /tmp/FreshRSS.log" >> \ /var/spool/cron/crontabs/root +ENV COPY_SYSLOG_TO_STDERR On ENV CRON_MIN '' ENTRYPOINT ["./Docker/entrypoint.sh"] diff --git a/constants.php b/constants.php index 3a8c213d4..89eb5cda1 100644 --- a/constants.php +++ b/constants.php @@ -32,6 +32,9 @@ safe_define('FRESHRSS_USERAGENT', 'FreshRSS/' . FRESHRSS_VERSION . ' (' . PHP_OS // PHP text output compression http://php.net/ob_gzhandler (better to do it at Web server level) safe_define('PHP_COMPRESSION', false); +// For cases when syslog is not available +safe_define('COPY_SYSLOG_TO_STDERR', isset($_SERVER['COPY_SYSLOG_TO_STDERR']) ? filter_var($_SERVER['COPY_SYSLOG_TO_STDERR'], FILTER_VALIDATE_BOOLEAN) : false); + // Maximum log file size in Bytes, before it will be divided by two safe_define('MAX_LOG_SIZE', 1048576); diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 738ccf641..89e9ddfea 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -203,7 +203,7 @@ function html_only_entity_decode($text) { } function prepareSyslog() { - return openlog("FreshRSS", LOG_PERROR | LOG_PID, LOG_USER); + return COPY_SYSLOG_TO_STDERR ? openlog("FreshRSS", LOG_PERROR | LOG_PID, LOG_USER) : false; } function customSimplePie($attributes = array()) { -- cgit v1.2.3