From 77adceb0b7a31641120493e54f781ded7cdaa316 Mon Sep 17 00:00:00 2001 
From: Moul Date: Mon, 2 May 2022 19:23:06 +0200 Subject: [PATCH] =?UTF-8?q?[ref]=20Protect=20webadmin,=20mv=20BMA=20and=20?= =?UTF-8?q?webadmin=20paths=20to=20make=20the=20CI=C2=A0happy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit \# Protect webadmin Modify 'main' permission group to protect the webadmin to the admin Create 'apis' permission publicly accessible to make BMA and WS2P APIs accessible to whole Internet and set --auth_header=false \# Nginx misconfiguration BMA is exposed on port 10901 The webadmin on port 9220 this explains why BMA was not accessible because it was redirected to the webadmin Was probably done to solve following problem with the CI \# Move BMA to /bma and webadmin to root path '/' Move the WebAdmin from '/webadmin' to '/' root path Move BMA from '/' to '/bma/' path In order to have passing access test on the root path with the CI BMA returns a 502 HTTP error since no synchronization has been performed yet, therefore there is nothing to be displayed Cesium and Silkaj support connection to BMA endpoint with a path in \## TODOs in Duniter v1 There is no synchronization possible to duniter_ynh BMA api, since Duniter doesn’t support specifying a path to 'sync' command Can’t define a custom BMAS endpoint with /bma path in The endpoint doesn’t stay, it seems its overwritten by the fact that when specifying port 443, BMAS endpoint get created and overwrites this one ynh_exec_as duniter duniter config --addep "BMAS $domain 443 /bma" This is not as important as having a correct WS2P endpoint defined for inter-node connection Nice to have for BMA endpoint discovery \# Clean Nginx config Define once by moving WS, and SSOwat panel support to the common part Remove /modules path, not really used anymore Replace 127.0.0.1 by localhost --- conf/nginx.conf | 24 +++++++----------------- scripts/install | 8 ++++++-- 2 files changed, 13 insertions(+), 19 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 7c3e52f..e8aea12 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -14,32 +14,22 @@ location / {
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
+ # Include SSOWAT user panel
+ access_by_lua_file /usr/share/ssowat/access.lua;
+
location ~ \.(js|css|woff|woff2|ttf|png) {
proxy_pass http://localhost:9220;
- access_by_lua_file /usr/share/ssowat/access.lua;
- }
-
- location /webui {
proxy_pass http://localhost:9220/;
- access_by_lua_file /usr/share/ssowat/access.lua;
- # Include SSOWAT user panel.
- include conf.d/yunohost_panel.conf.inc;
}
location ~ /webmin {
proxy_pass http://localhost:9220$uri;
- access_by_lua_file /usr/share/ssowat/access.lua;
}
-
- location ~ /modules {
proxy_pass http://localhost:9220;
- access_by_lua_file /usr/share/ssowat/access.lua;
+
+ location ~ ^/bma(.*)$ {
+ proxy_pass http://localhost:__PORT__$1$is_args$args;
}
location /ws2p {
- proxy_pass http://127.0.0.1:20901;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
+ proxy_pass http://localhost:20901;
}
}
diff --git a/scripts/install b/scripts/install
index 1782688..893cac7 100644
--- a/scripts/install
+++ b/scripts/install
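Review bot: The new `location ~ ^/bma(.*)$` feeds a regex capture straight into `proxy_pass http://localhost:__PORT__$1$is_args$args;`, and a URI built from variables is sent to the upstream as-is — `$1` comes from the already-decoded `$uri`, so a client path such as `/bma/a%20b` reaches BMA with a raw space in the request line, and the unanchored-on-the-right pattern also matches `/bmafoo` with a capture that has no leading slash. The plain prefix form does what is intended without either problem: `location /bma/ {` / `proxy_pass http://localhost:__PORT__/;` / `}` — nginx strips the matched prefix, re-escapes the remainder and keeps the query string, and the `apis` permission URL `/bma` in scripts/install still covers it. The `/ws2p` block drops `proxy_http_version 1.1` and the `Upgrade`/`Connection` headers; the commit message says these moved to the common part, which is outside this hunk, so it is worth confirming they now sit in the enclosing `location /`, since a WebSocket upgrade that is not forwarded fails silently for peers. That enclosing `location /` block starts before the hunk.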
@@ -134,8 +134,12 @@ ynh_systemd_action --service_name=$app --action="start" --log_path=systemd
#=================================================
ynh_script_progression --message="Configuring permissions…"
-# Make app public
-ynh_permission_update --permission="main" --add="visitors"
+# Change main group to protect sensitive sub-routes (client, API) to Duniter web admin interface, give access to choosen admin
+ynh_permission_update --permission "main" --add "$admin" --remove "all_users"
+ynh_permission_url --permission "main" --add_url "/webmin"
+
+# Create apis permission group to public to allow BMA and WS2P APIs accessible to visitors
+ynh_permission_create --permission "apis" --url "/bma" --additional_urls "/ws2p" --auth_header=false --allowed "visitors"
#=================================================
# RELOAD NGINX
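Review bot: Opening `/bma` to `visitors` through the new `apis` permission interacts badly with the unanchored `location ~ /webmin` that conf/nginx.conf keeps ahead of the new `^/bma` location: a request to `/bma/webmin` is, as far as I can tell, accepted by SSOwat under `apis` (its longest matching URL is `/bma`) and then routed by nginx to the webadmin backend on 9220 with the full `$uri`, so an unauthenticated client reaches the admin process even if that path only yields a 404 there. Anchoring that location (`location ~ ^/webmin`) or moving the `/bma` location above it belongs in the same change, otherwise the "protect webadmin" goal is only partly met. `$admin` is assigned outside this hunk; if it can be empty, `--add "$admin" --remove "all_users"` leaves `main` with nobody allowed and the admin locked out, so a guard such as `[ -n "$admin" ] || ynh_die --message="admin argument is required"` before the permission update is cheap insurance. Minor: `choosen` in the new comment should read `chosen`.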