Set the default firewall zone. When network connections are configured
outside of FreedomBox/Plinth, they will not be able to serve the Plinth
web interface. This is because all such interfaces will fall in the
default firewall zone and that is, by default, 'public'. On 'public'
zone we don't allow Plinth web interface as this zone is not managed.
Configuration of network connections happen outside for
FreedomBox/Plinth for various reasons:
- Existing network connections before installation of freedombox-setup
- Connections configured in /etc/network/interfaces
- Connections manually configured using nmtui
- Connections created using GUI environments such as GNOME
Rather then clearing out /etc/network/interfaces during setup and
expecting the connections not to be created outside of Plinth, setting
the default firewall zone is a better approach. This default zone
selection fits with the main purpose of FreedomBox to be a router which
is also reflected by the fact that only 'external'
- Authentication using client certificates. Extra password based
authentication for later.
- Auto setup of CA, server and client certificates.
- Provides a .ovpn profile for each user for easy setup.
- Use 4096 bit Diffie-Hellman parameters for better security. If this
takes to much time, reduce it to 2048 or 1024, at least during
debugging.
The name 'Plinth' (cfg.product_name) is not used anymore after my previous
commits.
Reason for the complete removal: I do not think that users should know or have
to care about the internal name of the web interface of the FreedomBox.
This is now properly handled by freedombox-setup network scripts. There
is no need to set it up here. Also there is chance they might by
configured wrong.
I faced a situation that on my localhost resolved to an IPv6 address and
Apache was unable to connect to Plinth as Plinth does not yet listen on
IPv6 address. It is best to change this to an explict local IP address
at least until Plinth listens on IPv6 address.
- Enable/disable ntpd from this module. Since ntpd has implications on
anonymity.
- Implement NTP diagonstics from freedombox-setup.
- Eventually provide ability to set date & time of the system.
- Eventually move timezone configuration to this module.
- It does not work on all the modules available.
- It does not reload Plinth after changes.
- As of now, there is not strong case for disabling modules in Plinth
making it unnecessary UI complication.
- Split into multiple small Debian packages is not yet implemented for
Plinth. The module expects to work on the Debian modules. When
smaller Debian packages are available perhaps we should consider using
packages.py library instead.
- There could be multiple applications for the same functions. Although
in the interface we should we show generic names like 'BitTorrent', we
could use specific names in the backend.
- There is already a bittorrent client: Transmission.
- Introduce Apache configuration for plinth.
- Remove Transmission service file for firewalld.
- Enable transmission on install.
- Enable/disable Apache configuration on Transmission on enable/disable.
- Remove IP address whilelisting as 127.0.0.1 is the default setting and
is sufficient for Apache to reverse proxy.
- Update UI URL.
- Change default server directory from plinth/ to /plinth as the program
expects.
- First load the values from configuration file and then override them
with command line parameters.
- Show default values on the command line help.
- Use configuration file values as default values to command line
parameters.
- Log the value of script prefix (server_dir) for easy debugging.
- Make sure the server_dir is properly loaded from configuration files.
- When running in an environment without systemd, the changes are completely
ignored.
- When running under systemd, the patch introduces a systemd native service
file to take advantages of nice feature provided by systemd.
- One of the feature currently taken advantage of is the ability to restart the
service automatically if it ever crashes or exits with error.
- Another feature is that when we wish to kill Plinth all the processes under
the cgroup are killed as well.
- Don't hijack the entire SSL site for sake of Plinth.
- Serve both HTTP and HTTPS sites with default configuration.
- plinth-ssl configuration only make SSL compulsory.
- Document modules required for configuration to work properly.
- Don't disable default site during FreedomBox setup run. This is no
longer required.
- Request Apache to send X-Forwarded-Proto header.
- Use X-Forwarded-Proto header to understand original protocol
requested.
- Use X-Forwarded-Host header to understand original host requested.
- Allow any incoming host header so that FreedomBox can have any
hostname and when user requests for Plint with that hostname, it
works.
- Don't depend on Apache to rewrite the Location: header. Instead use
the original host and original scheme to set proper Location: header.
When Apache proxy forwards a request it usually makes the request to the
backend server with a new Host: header but sends the original host
information using a special header X-FORWARDED-HOST: header. It is a
common practise. The backend can be make the choice of which header to
use based on the knowledge that it is running behind a proxy server.
Since hostname of a FreedomBox machine could be anyting and it could
change during the operation of Plinth, having a list of incoming Host:
header values is not going to be easy in Plinth. If Apache were not to
force override this header, managing list of Host: header values will
become easiler in Plinth. If Plinth indeed wants to know the original
host name by which user refferred to it, it can use the
X-FORWARDED-HOST: header which is the norm in these situtations.
