211 Commits

Author SHA1 Message Date
Sunil Mohan Adapa
41e9473a0c
/etc/issue: Update message to reflect that all users can login
Closes: #2325.

We have recently started allowing all the users to login to FreedomBox console
instead of just the administrator accounts. Remove the message that only
administrators can login.

Tests:

- Run ./setup.py install and then notice that login message got updated in a
vagrant machine.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-03-12 10:38:38 -04:00
Sunil Mohan Adapa
72d7a05ead
apache: Fix logs still going into /var/log files
Closes: #2264.

- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.

- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.

- There was an error in the earlier patch to make apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.

- There is also a file with CustomLog directive that logs for other vhosts.

- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.

- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.

Tests:

- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.

- On a production machine, remove the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into /var/log/apache2/ directory.

- Use TTRSS /tt-rss-app/ URL and type wrong credentials for 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-10-09 08:53:46 -04:00
Sunil Mohan Adapa
6f5410931e
actions: Use separate IPC for communicating results
Currently privileged actions use stdout for returning the results. If any of the
sub-processes accidentally output to stdout, decoding errors occur. Prevent this
by opening a pipe to the privileged action and returning the output in that
pipe.

Tests:

- Run unit tests
- Functional tests for other apps pass

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-10-08 18:50:37 -04:00
Sunil Mohan Adapa
bf1ed7d064
apache: Redirect all logs to systemd journal
- Redirect with separate identifiers so that they can be retrieved separately.

- Enable virtual host log format that includes name of the domain accessed so
that that information is preserved.

- There is no need to increment the apache app's version number as it has been
incremented earlier in the patch series (for this release).

Tests:

- In a fresh container, setup succeeds. Default apache sites 000-default.conf
and default-ssl.conf are disabled. freedombox-default.conf is enabled. Apache
access logs and error logs are sent to systemd journal.

- Without the patch applied, create a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s default and
a2query -s 000-default show that sites are not enabled. a2query -s
freedombox-default shows that site is enabled. Apache access logs and error logs
are sent to systemd journal.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-07-17 12:07:55 -04:00
Sunil Mohan Adapa
d6131df6a8
apache: Also configure to serve on /freedombox
This is useful mostly for future when we may switch from /plinth to /freedombox.

Tests:

- Accessing /freedombox/app/transmission works. Although redirects generated by
the FreedomBox web service still redirect to /plinth. For example, redirection
after logout and auto-redirection to login page.

- Accessing pages of FreedomBox works as usual on /plinth and /freedombox.
Content-Security-Policy is set.

- Accessing /foo/plinth/app/transmission throws 404.

- Accessing http:// redirects to https:// for /plinth and /freedombox.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-07-17 12:07:55 -04:00
Sunil Mohan Adapa
f8f7dd22b5
apache: Merge old configuration files into a better location
- It is simpler to keep all the configuration in a single file. Any overrides
are expected to be done by writing additional configuration files with higher
priority.

- /etc/apache2/site-available/ is typically reserved for virtual host
configurations. Redirections and proxying for all virtual hosts rather belongs
in /etc/apache2/conf-available/.

- This loses the option of disabling plinth-ssl.conf when needed. In the
initial days of enabling TLS, there was a need felt to keep the option of easily
disabling redirection to TLS in case there is a need for it. However, TLS
certificate setup is mature and the limitations are well understood. There is no
longer a need for it. It still may be possible to avoid the redirection with an
additional configuration.

Tests:

- In a fresh container, setup succeeds. Redirecting to https:// for /plinth
works. FreedomBox web interface is available.

- Without the patch applied, create a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s plinth and a2query
-s plinth-ssl show that sites are not enabled. Redirecting to https:// for
/plinth works. FreedomBox web interface is available.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-07-17 12:07:55 -04:00
Sunil Mohan Adapa
4fc1844d89
apache: Don't set HSTS for .onion domain
Fixes: #2174.

When HSTS is set, there is no way to override the certificate warnings. LE does
not yet issue certificates for .onion domains. Certificate warnings are
certainly shown there. Although browsers don't accept HSTS headers when the
certificate is invalid, it is best to be safe and not set them for .onion domains.

Tests:

- Without the patch, on normal and .onion domains, HSTS is set only when using
HTTPS.

- With the patch, HSTS is set only when using HTTPS but only for normal domains
but not .onion domains.

- The patch works when tested with .onion and .ONION hosts.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-01-30 17:00:54 -05:00
Benedek Nagy
e7399a4d8e
apache: Don't redirect to HTTPS for .onion domains
Tests:

- Without the patch, run torsocks curl -kv http://DOMAIN.onion. Observe that
redirection to https happens.

- Without the patch, run curl -kv http://localhost. Observe that redirection to
https happens.

- With the patch, run torsocks curl -kv http://DOMAIN.onion. Observe that
redirection to https does not happen.

- With the patch, run curl -kv http://localhost. Observe that redirection to
https happens.

[sunil: Perform case insensitive match]
[sunil: Remove capture of domain name match]
[sunil: Strictly check that domain ends with .onion]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
2022-01-20 15:26:59 -08:00
Sunil Mohan Adapa
ae541ca752
apache: Setup Mozilla recommended configuration
- TLS configuration as recommended by Mozilla's SSL Configuration Generator with
'Intermediate' configuration. See:
https://wiki.mozilla.org/Security/Server_Side_TLS

- Disable ciphers that are weak or without forward secrecy.

- Allow client to choose ciphers as they will know best if they have support for
hardware-accelerated AES.

- TLS session tickets (RFC 5077) require restarting web server with an
appropriate frequency. See:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets

- Send OCSP responses to the client and reduce their round trips.

- No need to increment apache app version number as it has already been
incremented in this release cycle for enabling HTTP/2 module.

Tests:

- FreedomBox interface is reachable with the changes.

- ssllabs.com gives an A+ rating on a server with these changes.

  - All ciphers are shown as secure.

  - Forward Secrecy rating is ROBUST.

  - OCSP stapling shows as enabled.

  - Client support seems to match the expected after dropping <= TLS1.1.

  - Session resumption with tickets shows as disabled.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2021-09-11 14:31:34 -04:00
Sunil Mohan Adapa
e8c4e732ea
apache: Drop support for GnuTLS
- We have switched to mod_ssl a long time ago and are no longer using mod_gnutls.

- It is additional effort to configure and test mod_gnutls.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2021-09-11 14:31:27 -04:00
Joseph Nuthalapati
956b17da06
apache: Drop support for SSLv3, TLSv1 and TLSv1.1
- As recommended by Mozilla SSL Configuration Generator for 'intermediate'
compatibility configuration: https://ssl-config.mozilla.org/

- As recommended by IETF RFC 7525:
https://datatracker.ietf.org/doc/html/rfc7525#section-3.1.1

- As recommended by NIST: Guidelines for the Selection, Configuration, and Use
of Transport Layer Security (TLS) Implementations:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

- The following are now the client version requirements for FreedomBox web
interface: Firefox: 27, Android: 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7),
Java: 8u31, OpenSSL: 1.0.1, Opera: 20, Safari: 9

Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Drop SSLv2, it is not valid anymore as per Apache manual]
[sunil: More detailed commit message and comments]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2021-09-01 18:11:20 -07:00
Sunil Mohan Adapa
252d69f465
security: Move fail2ban default configuration to this app
Since security app manages fail2ban, it makes sense to set the default
configuration in this app.

Tests performed:

- `./setup.py install` installs the file in the correct place.

- Only 10 incorrect SSH login attempts as noticed in the fail2ban log will
result in ban.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2021-03-05 18:06:04 -08:00
Sunil Mohan Adapa
fd7bda7ce9
ssh, apache: Make fail2ban use systemd journald backend by default
- This allows disabling syslog daemons.

- Fall back to using file based monitoring for Apache.

Tests performed:

- Before and after the patch, connecting via SSH and typing in incorrect
password leads to an entry in fail2ban.log. 10 incorrect attempts result in a 10
minute ban.

- Before and after the patch, typing in incorrect password for radicale leads to
an entry in fail2ban.log. 10 incorrect attempts result in a 10 minute ban.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2021-03-05 18:05:23 -08:00
Sunil Mohan Adapa
1cf0748a49
apache2: Allow downloads in openvpn and backups with latest browsers
Closes: #2002.

Entire FreedomBox UI is served within a sandbox that is originally meant for
cross-site iframes.

A newly introduced flag allow-downloads is required to trigger downloads. Two
instances where this is used in FreedomBox are openvpn profile download and
backup download. Firefox 81 and Chrome 83 implement this flag.

Add 'allow-downloads' to sandbox directives to fix this.

References:

- https://github.com/whatwg/html/pull/4293
- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
- https://bugzilla.mozilla.org/show_bug.cgi?id=1558394
- https://www.chromestatus.com/feature/5706745674465280

Tests:

- Check that OpenVPN profile can be downloaded.
- Check that backups can be downloaded.
- Check on Firefox 78 and Chromium 83.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2021-01-02 13:52:59 +02:00
Sunil Mohan Adapa
6574ec2d44
apache2: Disallow all inline styling in sandbox settings
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2020-12-19 16:26:54 +02:00
Sunil Mohan Adapa
8ab551f285
apache: Relax CSP to allow web workers for JSXC
Closes: #1893.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2020-06-29 23:31:03 +03:00
Sunil Mohan Adapa
110ec7d744
apache: Set CSP and other common security headers
Tests performed:

- Fonts Lato is properly and displayed.

- No <frame>, <iframe>, <video>, <audio>, <track>, <embed>, <object>, <applet>
tags are used in FreedomBox source code.

- Checked that there are no images referring to external URLs. Most of the
common images such as apps lists, system list, networks and manual show images
properly.

- Styles specified in main.css work as well as page specific styles such as in
networks. Firefox developer console shows inline styles loaded.

- JSXC is able to make XHR requests to ejabberd.

- Able to launch <a> links with _target='blank' such as in /help/support/.

- When visiting external websites, such as in donate page, Referer header is not
sent. When visiting page within FreedomBox interface, Referer header is sent
with path.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2020-06-29 10:09:36 +03:00
Sunil Mohan Adapa
9def9750c0
frontpage: Drop empty custom shortcut files
Installing an empty file in /etc/ that is meant to be modified is an unnecessary
invitation to upgrade issues.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2020-06-28 21:01:20 -04:00
Sunil Mohan Adapa
4263f9e2c8
cfg: Drop the default configuration file
- The configuration module defaults to values in the production configuration
file.

- If the file is found, it is read and the read values overwrite the defaults.
If the file is not found, no error is raised. This allows us to not ship the
configuration file. User may create the configuration if they want to change the
defaults. This eases upgrades when configuration is edited. This also makes
FreedomBox robust to deployments where /etc/ is not populated by default such as
OSTree. It is also a good practice for daemons as followed by the likes of
systemd.

- If the file is partly populated, only the values read override the defaults and
the remaining values don't change. This allows the user to write a simpler
configuration file.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2020-06-28 21:01:15 -04:00
James Valleroy
941142f241
data: Print hostname and IP addresses before console login
- Incorporate changes proposed by Sunil.

Closes freedom-maker#60.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2020-05-03 08:08:01 -04:00
Sunil Mohan Adapa
172f5f3160
debian: Separate binary packages for each language manual
- When there are multiple binary packages, a common practice is to install into
  debian/tmp using the Makefile and then use dh_install and .install files. This
  splits the contents installed into debian/tmp to various package directories
  debian/{package}.

- Install documentation into /usr/share/freedombox instead of
  /usr/share/doc/freedombox. Then create a link to /usr/share/doc/freedombox/.
  This approach is recommended by the Debian Policy Manual in section 12.3[1] because
  it should be safe for the administrator to delete files in /usr/share/doc
  without breaking the application functionality. The doc-base must refer to the
  documentation in /usr/share/doc as per doc-base documentation.

Links

1) https://www.debian.org/doc/debian-policy/ch-docs.html#additional-documentation

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2020-03-25 17:52:22 -04:00
Sunil Mohan Adapa
cff9a61f09
pagekite: Remove first wizard step for danube edition
- The code was never used by end users.

- The code was expected to be used long back but the plans didn't materialize.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-10-02 17:21:39 -04:00
Nikolas Nyby
d2e987ef3c
Fix a handful of typos in docs and comments
Found with [codespell](https://github.com/codespell-project/codespell/)

Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-07-24 12:39:11 -07:00
Sunil Mohan Adapa
463c620c65
backups: Remove known_hosts file from config file
- There is no compelling reason to make the file configurable. Simplifies
  configuration file if we make it relative to FreedomBox data directory.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
2019-07-03 12:44:34 +05:30
Joseph Nuthalapati
2c97e1e02e
backups: Read file path of known_hosts directly from plinth.config
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
2019-07-03 12:43:02 +05:30
Sunil Mohan Adapa
c35938e180
apache: Serve SVG files compressed using gzip
- SVG is not one of the formats for which compression is turned on automatically by
  Apache configuration.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-05-16 06:42:01 -04:00
Sunil Mohan Adapa
ff247fa5aa
setup: Move app data files into respective apps
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-17 16:20:57 -04:00
Sunil Mohan Adapa
fdcbd46513
setup: Move app enabling files to respective apps
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-17 16:20:54 -04:00
Joseph Nuthalapati
530423d490
config: Revert changes in freedombox.conf to avoid conffile prompt
The changes made to freedombox.conf in moving the apache homepage configuration
to an external file freedombox-apache-homepage.conf will cause a conffile prompt
when upgrading to freedombox 19.2. Reverting changes in freedombox.conf to avoid
this.

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-03-01 13:22:32 -08:00
Joseph Nuthalapati
241d3a98d5
Disable Coquelicot for Buster release
As confirmed by multiple users, Coquelicot is no longer useful for uploading
files, which makes it useless as a file sharing application.

We might enable it in the future if it's actively maintained once again, or find
an alternative.

- Skip functional tests

- Disable modules-enabled file

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-28 18:34:14 -05:00
Sunil Mohan Adapa
2df02b059c
dbus: Add new module for D-Bus services
- Implement listening for CacheUpdated notification.

- Configuration to allow only root to trigger the notification.

- Trigger the notification from an apt update hook.

- Retrieve the list of packages available for upgrade and print them to log.

- Add dependency on libglib2.0-bin for the gdbus command line tool.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-26 06:24:05 -05:00
Joseph Nuthalapati
bd43ed515e
config: Remove Apache home page configuration from freedombox.conf
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-23 10:31:05 -05:00
Joseph Nuthalapati
8bc34f84c3
config: Rename Default App to Webserver Home Page
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-23 10:30:59 -05:00
Sunil Mohan Adapa
91f68cc7b5
mldonkey: Enable app
- Problems with stopping the daemon have been solved.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 13:31:59 -05:00
Sunil Mohan Adapa
e36a4b85ee
apache: Add support for mod_ssl in addition to mod_gnutls
Depending on which module is enabled, different configuration is used.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 12:28:06 -05:00
Sunil Mohan Adapa
511f5c09c0
apache: Cleanup domain configuration
- Don't set log level explicitly. Fallback to value set in global Apache
  configuration.

- Don't set directory options already set in global configuration.

- Remove /cgi-bin/. Only ikiwiki uses cgi and it is served from a different path
  than /usr/lib/cgi-bin.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-02-09 12:28:03 -05:00
Sunil Mohan Adapa
5a159f7d39
upgrades: Improve handling of backports
- Merge backports functionality into upgrades module.

- No need to enable systemd timer as dh_installsystemd automatically enables
  this during package installation and upgrade.

- Use https:// and deb.debian.org for repository checking. When using Tor for
  package installations request the URL via Tor.

- Make daily checking service more generic for all kinds of future apt repository
  updates.

- Force removal of repository file during purge to avoid failures.

- Don't add contrib/non-free as backports is intended to be enabled for just the
  freedombox package and it is free. When the need arises, we can introduce
  contrib/non-free. This also eliminates an issue that adding these components
  doesn't work without the usage of tor.

- Allow generate apt preferences file to avoid lintian complaining about its
  presence. Remove on purge.

- Add unattended upgrades origin pattern to allow it to upgrade from backports
  repositories.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-05 14:58:55 -08:00
Joseph Nuthalapati
3d38b8a686
backports: Add buster-backports to apt sources list
Fixes freedombox-team/freedom-maker#149

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-05 14:58:27 -08:00
Prachi Srivastava
b1c8c22b92
repro: Disable app due to issues with Debian package
Signed-off-by: Prachi Srivastava <prachi.chs.2009@gmail.com>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-02-04 10:07:17 -08:00
Sunil Mohan Adapa
dc9ab52edc
axes: Minor fixes to configuration for IP blocking
- Use the X-Forwarded-For header only if specified in the configuration. This
  makes FreedomBox safe to use when not behind a reverse proxy server (although
  we are unlikely to do this).

- When fetching the IP address to reset after successful login, use the
  X-Forwarded-For header only if specified in the configuration.

- Minor flake8 refactorings.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-01-28 17:17:32 -05:00
Sunil Mohan Adapa
dfd46281c5
Serve default favicon for apps that don't provide one
Based on: https://salsa.debian.org/freedombox-team/plinth/merge_requests/1306

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-26 20:23:16 -08:00
Sunil Mohan Adapa
9295914a6c
mldonkey: Disable app due to bug during restart
See:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920466
https://salsa.debian.org/ocaml-team/mldonkey/merge_requests/1

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-25 14:39:35 -08:00
Sunil Mohan Adapa
260dcd4d32
mldonkey: Update description and minor updates
- Update description to simplify and talk about multiple protocols supported.

- Don't diagnose on IPv6 as mldonkey does not listen there.

- Run yapf and isort.

- Minor styling fixes.

- Update functional tests to check for service running.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-25 14:39:31 -08:00
J. Carlos Romero
548c6b98f3
mldonkey: Add new module for the eDonkey network
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-25 14:39:10 -08:00
Sunil Mohan Adapa
f113a3bfc9
fail2ban: Split and update configuration files
- Easy to configure for separate services.

- Unique names ensure that system administrator FreedomBox configuration files
  don't conflict with system administrator created ones.

- Set maximum attempts to 10 globally instead of 5.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-24 14:20:27 -08:00
Prachi Srivastava
760fa77b70
fail2ban: Enable bans for apache auth failures
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2019-01-24 13:41:09 -08:00
James Valleroy
72b59c0190
radicale: Switch to uwsgi for radicale 2.x
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2019-01-14 19:51:21 -05:00
Sunil Mohan Adapa
8dbf73d3f5
syncthing: Use exact matches when enforcing trailing '/'
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-01-06 17:58:10 -05:00
Sunil Mohan Adapa
7cf279ccd0
radicale: Redirect to well-known URLs according to version
- Radicale 1 needs to have /radicale/.well-known/*dav to the URLs whereas
  Radicale 2 needs to have /radicale to be the URLs. Hence have two separate
  apache configuration files.

- Use expr= when setting X-REMOTE-USER header to set the authenticated user name
  properly. Without this all users are using a single user '(null)' data.

Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-01-06 17:58:00 -05:00
James Valleroy
49acfa5ad1
radicale: Add support for radicale 2.x
- Remove obsolete base_prefix and well-known configs.
- Use http_x_remote_user auth type.
- Rewrite /radicale to /radicale/.
- Add ProxyPassReverse.
- Set X-Script-Name and X-Remote-User request headers.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2019-01-06 17:57:56 -05:00