diff --git a/conf/nginx.conf b/conf/nginx.conf index 7024722..c1ce589 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,6 +1,10 @@ location PATHTOCHANGE { alias ALIASTOCHANGE; +# auth_basic "Reason for being private"; +# auth_basic_user_file /path/to/htpasswd; + + if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } diff --git a/manifest.json b/manifest.json index c122aec..147ab08 100644 --- a/manifest.json +++ b/manifest.json @@ -68,7 +68,38 @@ }, "choices": ["Yes", "No"], "default": "Yes" + }, + { + "name": "basicauthcreate", + "ask": { + "en": "Create a basic auth access ? This is required if the app is public so that ereaders to access the OPDS server, for example", + "fr": "Créer un accès par authentification basique ? Ceci est requis si votre bibliothèque est publique et vous voulez accéder au serveur OPDS avec votre liseuse ou application mobile" + }, + "choices": ["Yes", "No"], + "default": "Yes" + }, + { + "name": "basciauthuser", + "type": "user", + "ask": { + "en": "Choose the username to access the OPDS/HTML server (unrelated to YunoHost users)", + "fr": "Indiquez le nom d'utilisateur pour accéder au serveur OPDS/HTML (non lié utilisateurs YunoHost)", + }, + "example": "Gutenberg", + "default": "Gutenberg" + + }, + { + "name": "basicauthpass", + "type": "password", + "ask": { + "en": "Choose the password to access the OPDS/HTML server", + "fr": "Renseignez le mot de passe pour accéder au serveur OPDS/HTML" + }, + "example": "knowledge is power", + "default": "knowledge is power" } + ] } } diff --git a/scripts/install b/scripts/install index b6d40e3..65e0370 100755 --- a/scripts/install +++ b/scripts/install 
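Review bot: In conf/nginx.conf the two commented `auth_basic` lines are placeholders that scripts/install rewrites with sed, and nothing in the template says so; a comment such as `# auth_basic placeholders: rewritten by scripts/install when basic auth is requested` would keep them from being deleted or reworded. The install script points `auth_basic_user_file` at `$final_path/htpasswd`, which appears to be the directory this location serves through `alias`, so the hash file may be retrievable over HTTP by any client that gets past the auth prompt; keeping it outside the served tree avoids that. The location block continues outside the hunk.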
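Review bot: In manifest.json the `basicauthpass` question ships a fixed default, `knowledge is power`, while `basicauthcreate` defaults to `Yes`, so an install that accepts the defaults protects the library with a credential published in the package; drop the `default` on the password and require a value. The username question is named `basciauthuser`, but scripts/install reads `$YNH_APP_ARG_BASICAUTHUSER`, so the username would presumably arrive empty; rename it to `basicauthuser`. The trailing comma after the `fr` string in that same `ask` object is not valid JSON.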
@@ -17,6 +17,9 @@ path=$YNH_APP_ARG_PATH is_public=$YNH_APP_ARG_IS_PUBLIC runninguser=$YNH_APP_ARG_RUNNINGUSER calibrepath=$YNH_APP_ARG_CALIBREPATH +basicauthcreate=$YNH_APP_ARG_BASICAUTHCREATE +basicauthuser=$YNH_APP_ARG_BASICAUTHUSER +basicauthpass=$YNH_APP_ARG_BASICAUTHPASS # We check variables are not empty CHECK_VAR "$app" "app name not set" @@ -55,11 +58,36 @@ sudo mkdir -p $final_path sudo cp ../conf/config_local.php ../sources/ sed -i "s@CALIBRETOCHANGE@$calibrepath@g" ../sources/config_local.php +# To be done : make it an if loop + +# Add basic auth if requested +if [ "$basicauthcreate" = "Yes" ]; +then + ynh_app_setting_set "$app" basicauthcreate "$basicauthcreate" + ynh_app_setting_set "$app" basicauthuser "$basicauthuser" + ynh_app_setting_set "$app" basicauthpass "$basicauthpass" + + # Generation of the htpasswd file according https://www.nginx.com/resources/wiki/community/faq/ + SALT="$(openssl rand -base64 3)" + (SHA1=$(printf "$basicauthpass$SALT" | + openssl dgst -binary -sha1 | xxd -ps | + sed 's#$#'"`echo -n $SALT | xxd -ps`"'#' | + xxd -r -ps | + base64);printf "$basicauthuser:{SSHA}$SHA1\n" >> ../sources/htpasswd) + + # Modif nginx + sed -i "s|^.*\bauth_basic\b.*$| auth_basic "Private Library";|" ../conf/nginx.conf; + sed -i "s|^.*\bauth_basic_user_file\b.*$| auth_basic_user_file $final_path/htpasswd;|" ../conf/nginx.conf; +else + echo "No basic auth"; +fi + # Base site sudo cp -a ../sources/* $final_path/ # Set permissions sudo chmod 775 -R $final_path +sudo chmod 600 $final_path/htpasswd sudo chown -hR $runninguser:$runninguser $final_path # Modify Nginx configuration file and copy it to Nginx conf directory @@ -84,6 +112,7 @@ then ynh_app_setting_set $app skipped_uris "/" fi + # Reload Nginx and regenerate SSOwat conf sudo service php5-fpm reload sudo service nginx reload diff --git a/scripts/restore b/scripts/restore index a6677ac..6556281 100755 --- a/scripts/restore +++ b/scripts/restore 
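Review bot: In the second scripts/install hunk, the first `sed` under "Modif nginx" is broken by its quoting: the inner double quotes around `Private Library` end the outer string, so sed receives an unterminated `s` command and the `# auth_basic` placeholder stays commented, which would leave the location without authentication even though `auth_basic_user_file` is set. Single-quote the script instead, `sed -i 's|^.*\bauth_basic\b.*$|  auth_basic "Private Library";|' ../conf/nginx.conf`. The hash pipeline uses the password as a printf format string and hashes it with one round of salted SHA-1 and a 3-byte salt; `printf '%s' "$basicauthpass" | openssl passwd -apr1 -stdin` treats the password as data and yields a format nginx accepts. The `sudo chmod 600 $final_path/htpasswd` further down runs even when the answer is "No" and the file does not exist. The same generation block and sed calls are repeated in the first scripts/upgrade hunk.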
@@ -21,6 +21,7 @@ is_public=$(ynh_app_setting_get $app is_public) finalnginxconf=$(ynh_app_setting_get $app finalnginxconf) finalphpconf=$(ynh_app_setting_get $app finalphpconf) runninguser=$(ynh_app_setting_get $app runninguser) +basicauthcreate=$(ynh_app_setting_get $app basicauthcreate) # Check domain/path availability #sudo yunohost app checkurl "${domain}${path}" -a "$app" \ @@ -36,6 +37,14 @@ sudo cp -a ./sources/* $final_path/ # Restore permissions to app files # you may need to make some file and/or directory writeable by www-data (nginx user) sudo chown -R $runninguser:$runninguser $final_path +if [ "$basicauthcreate" = "Yes" ]; +then + sudo chmod 600 $final_path/htpasswd +else + echo "Nothing to do" +fi + + ### MySQL (remove if not used) ### # If a MySQL database is used: diff --git a/scripts/upgrade b/scripts/upgrade index cc30cea..f7a26e2 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
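Review bot: In the second scripts/restore hunk, `chmod 600` after `chown -R $runninguser:$runninguser` leaves htpasswd readable only by `$runninguser`, and nginx opens `auth_basic_user_file` from its worker processes; if `$runninguser` is not the nginx user (the context comment names www-data), requests to the protected location would likely fail with a server error. Consider a mode and ownership that grant only the nginx user read access, for example `sudo chown root:www-data $final_path/htpasswd` followed by `sudo chmod 640 $final_path/htpasswd`, after confirming which account nginx runs as on the target system. The `else` branch that only echoes "Nothing to do" can be dropped. The same chmod appears in scripts/install and in the last scripts/upgrade hunk.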
@@ -24,7 +24,28 @@ finalnginxconf=$(ynh_app_setting_get $app finalnginxconf) finalphpconf=$(ynh_app_setting_get $app finalphpconf) runninguser=$(ynh_app_setting_get $app runninguser) calibrepath=$(ynh_app_setting_get $app calibrepath) +basicauthcreate=$(ynh_app_setting_get $app basicauthcreate) +# Add basic auth if requested +if [ "$basicauthcreate" = "Yes" ]; +then + basicauthuser=$(ynh_app_setting_get $app basicauthuser) + basicauthpass=$(ynh_app_setting_get $app basicauthpass) + + # Generation of the htpasswd file according https://www.nginx.com/resources/wiki/community/faq/ + SALT="$(openssl rand -base64 3)" + (SHA1=$(printf "$basicauthpass$SALT" | + openssl dgst -binary -sha1 | xxd -ps | + sed 's#$#'"`echo -n $SALT | xxd -ps`"'#' | + xxd -r -ps | + base64);printf "$basicauthuser:{SSHA}$SHA1\n" >> ../sources/htpasswd) + + # Modif nginx + sed -i "s|^.*\bauth_basic\b.*$| auth_basic "Private Library";|" ../conf/nginx.conf; + sed -i "s|^.*\bauth_basic_user_file\b.*$| auth_basic_user_file $final_path/htpasswd;|" ../conf/nginx.conf; +else + echo "No basic auth"; +fi # We install dependencies @@ -58,6 +79,14 @@ sudo cp -a ../sources/* $final_path/ # We adjust permissions sudo chmod 775 -R $final_path + +if [ "$basicauthcreate" = "Yes" ]; +then + sudo chmod 600 $final_path/htpasswd +else + echo "Nothing to do" +fi + sudo chown -hR $runninguser:$runninguser $final_path
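Review bot: In the first scripts/upgrade hunk, regenerating the hash requires `basicauthpass` to be read back from the app settings, which means the password is kept there in clear text and anyone able to read the settings store obtains the credential itself rather than a hash. Persisting only the generated htpasswd entry, or carrying the existing `$final_path/htpasswd` over before `cp -a ../sources/* $final_path/` replaces the tree, would let the upgrade work without the plaintext. A comment above the block stating which of the two is intended, for example `# htpasswd is rebuilt on every upgrade from the stored credentials`, would also document why the settings are read here.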