- Use the excellent Apache module auth_openidc.
- Implement macros that can be easily used to configure OpenID Connect.
Tests:
- Accessing /freedombox/apache/discover-idp/ shows
- 'method' other than 'get' throw a 'bad request' error
- oidc_callback should match host. Otherwise 'bad request' error is raised.
- Mismatched host header is not allowed
- Invalid domain setup is not allowed
- target_link_uri is returned as is
- method is returned as is and only 'get' is allowed.
- x_csrf is returned as is
- oidc_scopes is returned as 'email freedombox_groups'
- HTTP request is answered and not redirected to https
- When logging in with OIDC, authorization is skipped. When authorization is
shown, it is shown as 'Web app protected by FreedomBox'.
- libapache2-mod-auth-openidc is added a dependency for freedombox package. It
is installable in stable, testing, and unstable distributions.
- On applying patches, Apache setup configuration is run and OpenIDC component
is created.
- When patches are applied and setup install is run, auth_openidc module,
10-freedombox, freedombox-openidc config is enabled in Apache.
- When setup is rerun, passphrase is not changed
- metadata directory and parent are created when apache setup is run. Mode is
0o700 and ownership is www-data.
- freedombox-openidc is created when apache setup is run and has 0o700
permissions.
- Metadata directory will contain the client id and client passphrase when
discovery happens for a particular domain.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Config files are all symlinks in /etc/
- ttrss app's web interface works
- Incorrect password attempts in LDAP login with /tt-rss-app/ get registered by
fail2ban
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This will leave /etc/{plinth,freedombox} empty by default making service more
robust to run across various environments and situations. See systemd's
explanation for more details.
- Use Debian maintainer scripts remove all the existing files in
/etc/plinth/modules-enabled.
- Read from /usr/share/freedombox/modules-enabled then from
/etc/plinth/modules-enabled and finally from /etc/freedombox/modules-enabled.
Later read ones override previously read files. Any file pointing to /dev/null
will mean the module must be ignored.
Tests:
- Clean up /etc/plinth, /etc/freedombox and
/usr/share/freedombox/modules-enabled. Run service and notice that files are
getting loaded from development folder using a debug message.
- Run setup.py and notice that files get installed in
/usr/share/freedombox/modules-enabled/ and in the next run they get loaded from
there.
- Create a override file in /etc/plinth/modules-enabled/transmission and notice
that overriden file gets priority over the one in
/usr/share/freedombox/modules-enabled.
- Link the file /etc/plinth/modules-enabled/transmission to /dev/null and notice
that is not loaded.
- Create another file in /etc/freedombox/modules-enabled/transmission and notice
that it overrides the previous two files.
- All affected modules are loaded.
- Build a new Debian package and ensure that upgrading 23.8 to new version
removes are all configuration files.
- Build developer documentation and test that Tutorial -> Full Code and Tutorial
-> Skeleton sections have been updated with references to
-.../modules-enabled/... paths.
- Install quassel and notice that certificates were copied to /var/lib/quassel
directory. Change domain to another domain and notice that certificates were
copied again to that directory.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2264.
- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.
- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.
- There was an error in the earlier patch the make apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.
- There is also file with CustomLog directive that logs for other vhosts.
- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.
- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.
Tests:
- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.
- On a production machine, remove the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into /var/log/apache2/ directory.
- Use TTRSS /tt-rss-app/ URL and type wrong credentials for 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This allows disabling syslog daemons.
- Fall back to using file based monitoring for Apache.
Tests performed:
- Before and after the patch, connecting via SSH and typing in incorrect
password leads to a entry in fail2ban.log. 10 incorrect attempts result in a 10
minute ban.
- Before and after the patch, typing in incorrect password for radicale leads to
a entry in fail2ban.log. 10 incorrect attempts result in a 10 minute ban.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Directory /etc/php/7.4 became available before php7.4-fpm became available.
Handle this by checking the run time socket of the fpm daemon instead of the
directory.
Discussed and tested in
https://discuss.freedombox.org/t/mediawiki-service-unavailable/711/23
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
