mirror of https://github.com/YunoHost-Apps/duniter_ynh.git synced 2024-09-03 18:26:35 +02:00

[ref] Protect webadmin, mv BMA and webadmin paths to make the CI happy

\# Protect webadmin

Modify 'main' permission group to protect the webadmin to the admin

Create 'apis' permission publicly accessible to make BMA and WS2P APIs
accessible to whole Internet and set --auth_header=false

\# Nginx misconfiguration

BMA is exposed on port 10901
The webadmin on port 9220
this explains why BMA was not accessible
because it was redirected to the webadmin
Was probably done to solve following problem with the CI

\# Move BMA to /bma and webadmin to root path '/'

Move the WebAdmin from '/webadmin' to '/' root path
Move BMA from '/' to '/bma/' path

In order to have passing access test on the root path with the CI
BMA returns a 502 HTTP error since no synchronization has been performed
therefore there is nothing to be displayed

Cesium and Silkaj support connection to BMA endpoint with a path in

\## TODOs in Duniter v1
There is no synchronization possible to duniter_ynh BMA api,
since Duniter doesn’t support specifying a path to 'sync' command

Can’t define a custom BMAS endpoint with /bma path in
The endpoint doesn’t stay, it seems it’s overwritten by the fact that when
specifying port 443, BMAS endpoint gets created and overwrites this one
ynh_exec_as duniter duniter config --addep "BMAS $domain 443 /bma"
This is not as important as having a correct WS2P endpoint defined
for inter-node connection
Nice to have for BMA endpoint discovery

\# Clean Nginx config
Define once by moving WS, and SSOwat panel support to the common part
Remove /modules path, not really used anymore
Replace 127.0.0.1 by localhost
Moul 2022-05-02 19:23:06 +02:00 committed by M5oul
parent ac91efc755
commit e862b9e7ed
2 changed files with 13 additions and 19 deletions

@ -14,32 +14,22 @@ location / {
proxy_read_timeout 86400s; proxy_read_timeout 86400s;
proxy_send_timeout 86400s; proxy_send_timeout 86400s;
# Include SSOWAT user panel
access_by_lua_file /usr/share/ssowat/access.lua;
location ~ \.(js|css|woff|woff2|ttf|png) { location ~ \.(js|css|woff|woff2|ttf|png) {
proxy_pass http://localhost:9220; proxy_pass http://localhost:9220;
access_by_lua_file /usr/share/ssowat/access.lua;
}
location /webui {
proxy_pass http://localhost:9220/;
access_by_lua_file /usr/share/ssowat/access.lua;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
} }
location ~ /webmin { location ~ /webmin {
proxy_pass http://localhost:9220$uri; proxy_pass http://localhost:9220$uri;
access_by_lua_file /usr/share/ssowat/access.lua;
} }
location ~ /modules { location ~ ^/bma(.*)$ {
proxy_pass http://localhost:9220; proxy_pass http://localhost:__PORT__$1$is_args$args;
access_by_lua_file /usr/share/ssowat/access.lua;
} }
location /ws2p { location /ws2p {
proxy_pass http://127.0.0.1:20901; proxy_pass http://localhost:20901;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
} }
} }
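Review bot: the new `location ~ ^/bma(.*)$` is declared after the unanchored regex locations `location ~ \.(js|css|woff|woff2|ttf|png)` and `location ~ /webmin`, and nginx uses the first regex location that matches, so a request under /bma whose path also matches one of those patterns is proxied to port 9220 instead of `__PORT__`. Since the permission change in this commit makes /bma public while restricting the web admin, the nginx routing should follow the same prefix boundary: anchor the earlier patterns (`^/webmin`, and a trailing `$` on the extension pattern) or move the /bma block above them. Separately, `proxy_pass http://localhost:20901` can resolve to both 127.0.0.1 and ::1, so confirm that the WS2P service listens on both or keep the literal address.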

@ -134,8 +134,12 @@ ynh_systemd_action --service_name=$app --action="start" --log_path=systemd
#================================================= #=================================================
ynh_script_progression --message="Configuring permissions…" ynh_script_progression --message="Configuring permissions…"
# Make app public # Change main group to protect sensitive sub-routes (client, API) to Duniter web admin interface, give access to choosen admin
ynh_permission_update --permission="main" --add="visitors" ynh_permission_update --permission "main" --add "$admin" --remove "all_users"
ynh_permission_url --permission "main" --add_url "/webmin"
# Create apis permission group to public to allow BMA and WS2P APIs accessible to visitors
ynh_permission_create --permission "apis" --url "/bma" --additional_urls "/ws2p" --auth_header=false --allowed "visitors"
#================================================= #=================================================
# RELOAD NGINX # RELOAD NGINX
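Review bot: `--remove "all_users"` on the `main` permission does not undo the `--add="visitors"` granted by the line it replaces, and the commit changes only this script and the nginx config, so an instance that already has `visitors` on `main` keeps a publicly reachable web admin unless a migration step removes that group too. Remove `visitors` from `main` explicitly wherever existing installs are handled. Minor: the new comment spells "chosen" as "choosen".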