mirror of
https://github.com/YunoHost-Apps/duniter_ynh.git
synced 2024-09-03 18:26:35 +02:00
[ref] Protect webadmin, mv BMA and webadmin paths to make the CI happy
\# Protect webadmin Modify 'main' permission group to protect the webadmin to the admin Create 'apis' permission publicly accessible to make BMA and WS2P APIs accessible to whole Internet and set --auth_header=false \# Nginx misconfiguration BMA is exposed on port 10901 The webadmin on port 9220 this explains why BMA was not accessible because it was redirected to the webadmin Was probably done to solve following problem with the CI \# Move BMA to /bma and webadmin to root path '/' Move the WebAdmin from '/webadmin' to '/' root path Move BMA from '/' to '/bma/' path In order to have passing access test on the root path with the CI BMA returns a 502 HTTP error since no synchronization have been performed therefore there is nothing to be displayed Cesium and Silkaj support connection to BMA endpoint with a path in \## TODOs in Duniter v1 There is no synchronization possible to duniter_ynh BMA api, since Duniter doesn’t support specifying a path to 'sync' command Can’t define a custom BMAS endpoint with /bma path in The endpoint doesn’t stay, it seems its overwritten by the fact that when specifying port 443, BMAS endpoint get created and overwrites this one ynh_exec_as duniter duniter config --addep "BMAS $domain 443 /bma" This is not as important as having a correct WS2P endpoint defined for inter-node connection Nice to have for BMA endpoint discovery \# Clean Nginx config Define once by moving WS, and SSOwat panel support to the common part Remove /modules path, not really used anymore Replace 127.0.0.1 by localhost
parent
ac91efc755
commit
e862b9e7ed
2 changed files with 13 additions and 19 deletions
|
@ -14,32 +14,22 @@ location / {
|
||||||
proxy_read_timeout 86400s;
|
proxy_read_timeout 86400s;
|
||||||
proxy_send_timeout 86400s;
|
proxy_send_timeout 86400s;
|
||||||
|
|
||||||
|
# Include SSOWAT user panel
|
||||||
|
access_by_lua_file /usr/share/ssowat/access.lua;
|
||||||
|
|
||||||
location ~ \.(js|css|woff|woff2|ttf|png) {
|
location ~ \.(js|css|woff|woff2|ttf|png) {
|
||||||
proxy_pass http://localhost:9220;
|
proxy_pass http://localhost:9220;
|
||||||
access_by_lua_file /usr/share/ssowat/access.lua;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /webui {
|
|
||||||
proxy_pass http://localhost:9220/;
|
|
||||||
access_by_lua_file /usr/share/ssowat/access.lua;
|
|
||||||
# Include SSOWAT user panel.
|
|
||||||
include conf.d/yunohost_panel.conf.inc;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /webmin {
|
location ~ /webmin {
|
||||||
proxy_pass http://localhost:9220$uri;
|
proxy_pass http://localhost:9220$uri;
|
||||||
access_by_lua_file /usr/share/ssowat/access.lua;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /modules {
|
location ~ ^/bma(.*)$ {
|
||||||
proxy_pass http://localhost:9220;
|
proxy_pass http://localhost:__PORT__$1$is_args$args;
|
||||||
access_by_lua_file /usr/share/ssowat/access.lua;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location /ws2p {
|
location /ws2p {
|
||||||
proxy_pass http://127.0.0.1:20901;
|
proxy_pass http://localhost:20901;
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
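Review bot: The two regex locations that precede the new `/bma` block are unanchored, so a request such as `/bma/x.js` or `/bma/webmin` matches `\.(js|css|woff|woff2|ttf|png)` or `/webmin` first and is proxied to the web admin on port 9220 instead of BMA. Since the same commit makes `/bma` and `/ws2p` public in SSOwat, unauthenticated requests under those prefixes can probably reach the admin backend; what it serves for such paths is not visible here. Declaring the public routes as prefix blocks that skip regex matching, e.g. `location ^~ /bma/ { proxy_pass http://localhost:__PORT__/; }` (and `location ^~ /ws2p`), and anchoring the admin one as `location ~ ^/webmin`, removes the overlap. The prefix form also avoids forwarding the decoded capture `$1` as the upstream URI and no longer matches paths like `/bmafoo`. The enclosing `location / {` starts outside the hunk.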
|
@ -134,8 +134,12 @@ ynh_systemd_action --service_name=$app --action="start" --log_path=systemd
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Configuring permissions…"
|
ynh_script_progression --message="Configuring permissions…"
|
||||||
|
|
||||||
# Make app public
|
# Change main group to protect sensitive sub-routes (client, API) to Duniter web admin interface, give access to choosen admin
|
||||||
ynh_permission_update --permission="main" --add="visitors"
|
ynh_permission_update --permission "main" --add "$admin" --remove "all_users"
|
||||||
|
ynh_permission_url --permission "main" --add_url "/webmin"
|
||||||
|
|
||||||
|
# Create apis permission group to public to allow BMA and WS2P APIs accessible to visitors
|
||||||
|
ynh_permission_create --permission "apis" --url "/bma" --additional_urls "/ws2p" --auth_header=false --allowed "visitors"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# RELOAD NGINX
|
# RELOAD NGINX
|
||||||
|
|
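Review bot: `--remove "all_users"` leaves `visitors` in `main` on any instance where the previous `--add="visitors"` line has already run, and with the web admin now served at `/` that would keep it publicly reachable. Only two files change in this commit, so unless an upgrade or restore path outside this view resets the permission, existing installs are not covered. Consider removing both groups in whichever script runs on upgrade, `ynh_permission_update --permission "main" --add "$admin" --remove "all_users" "visitors"`, and checking that `$admin` is set and non-empty before the call (its definition is not in this hunk). The comment above `ynh_permission_create` could also say that `apis` is deliberately unauthenticated (`--auth_header=false`, `visitors`) and must stay limited to `/bma` and `/ws2p`.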