From 2fb1d572e17fced4d07599a11dc3b42bddd39fbe Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Mon, 21 Jun 2021 15:56:40 +0200
Subject: [PATCH] Fix
---
conf/lstu.conf.ldap | 268 ++++++++++++++++++++++++++++++++++++++++
conf/lstu.conf.template | 16 +--
scripts/install | 18 +--
scripts/upgrade | 29 -----
4 files changed, 278 insertions(+), 53 deletions(-)
create mode 100644 conf/lstu.conf.ldap
diff --git a/conf/lstu.conf.ldap b/conf/lstu.conf.ldap
new file mode 100644
index 0000000..2aac266
--- /dev/null
+++ b/conf/lstu.conf.ldap
@@ -0,0 +1,268 @@
+# vim:set sw=4 ts=4 sts=4 ft=perl expandtab:
+{
+ ####################
+ # Hypnotoad settings
+ ####################
+ # see http://mojolicio.us/perldoc/Mojo/Server/Hypnotoad for a full list of settings
+ hypnotoad => {
+ # array of IP addresses and ports you want to listen to
+ listen => ['http://127.0.0.1:__PORT__'],
+ # if you use Lstu behind a reverse proxy like Nginx, you want to set proxy to 1
+ # if you use Lstu directly, let it commented
+ #proxy => 1,
+ },
+
+ # put a way to contact you here and uncomment it
+ # MANDATORY
+ contact => 'webmaster@__DOMAIN__',
+
+ # array of random strings used to encrypt cookies
+ # optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
+ secrets => ['__SECRET__'],
+
+ # secret passphrase to access some admin features
+ # If you don't want to have a plain text password in configuration,
+ # use hashed_adminpwd instead
+ # optional, but you won't have access to admin /stats if not set and if hashed_adminpwd is not set either
+ #adminpwd => 's3cr3T',
+
+ # secret hashed passphrase to access some admin features
+ # Hash your password by issuing `echo -n s3cr3T | sha256sum` on your terminal
+ # optional, but you won't have access to admin /stats if not set and if adminpwd is not set either
+ hashed_adminpwd => '__HASHED_PASSWORD__',
+
+ # choose a theme. See the available themes in `themes` directory
+ # optional, default is 'default'
+ theme => '__THEME__', # default or milligram
+
+ # number of URLs to be displayed per page in /stats
+ # optional, default is 10
+ page_offset => 10,
+
+ # length of the random URL
+ # optional, default is 8
+ length => 8,
+
+ # how many URLs will be provisioned in a batch ?
+ # optional, default is 5
+ #provis_step => 5,
+
+ # max number of URLs to be provisioned
+ # optional, default is 100
+ #provisioning => 100,
+
+ # URL sub-directory in which you want Lstu to be accessible
+ # example: you want to have Lstu under https://example.org/lstu/
+ # => set prefix to '/lstu' or to '/lstu/', it doesn't matter
+ # optional, defaut is /
+ prefix => '__PATH__',
+
+ # array of authorized domains for API calls.
+ # if you want to authorize everyone to use the API: ['*']
+ # optional, no domains allowed by default
+ #allowed_domains => ['http://1.example.com', 'http://2.example.com'],
+
+ # if set, the shortened URLs will use this domain
+ # optional
+ #fixed_domain => 'example.org',
+
+ # choose what database you want to use
+ # valid choices are sqlite, postgresql and mysql (all lowercase)
+ # optional, default is sqlite
+ dbtype => 'postgresql',
+
+ # SQLite ONLY - only used if dbtype is set to sqlite
+ # define a path to the SQLite database
+ # you can define it relative to lstu directory or set an absolute path
+ # remember that it has to be in a directory writable by Lstu user
+ # optional, default is lstu.db
+ #db_path => 'lstu.db',
+
+ # PostgreSQL ONLY - only used if dbtype is set to postgresql
+ # these are the credentials to access the PostgreSQL database
+ # mandatory if you choosed postgresql as dbtype
+ pgdb => {
+ database => '__DB_NAME__',
+ host => 'localhost',
+ # optional, default is 5432
+ #port => 5432,
+ user => '__DB_USER__',
+ pwd => '__DB_PWD__',
+ # optional, default is 1
+ #max_connections => 1,
+ },
+
+ # MySQL ONLY - only used if dbtype is set to mysql
+ # these are the credentials to access the MySQL database
+ # mandatory if you choosed mysql as dbtype
+ #mysqldb => {
+ # database => 'lstu',
+ # host => 'localhost',
+ # # optional, default is 3306
+ # #port => 3306,
+ # user => 'DBUSER',
+ # pwd => 'DBPASSWORD',
+ # # optional, default is 5 (set to 0 to disable persistent connections)
+ # #max_connections => 5,
+ #},
+
+ # Rate-limiting for the API
+ # After ban_min_strike requests in a second, the IP address will be
+ # banned for one hour.
+ # If it continues to query the API during this ban time at least
+ # ban_min_strike times, it will be banned for a month.
+ # optional, default is 3
+ ban_min_strike => 3,
+
+ # Ban whitelist
+ # You can whitelist IP addresses to prevent you from being banned
+ # Be careful, the IP addresses are compared as string, not as IP addresses
+ # a network range will not work
+ # Example of valid input: ban_whitelist => ['198.51.100.42', '2001:0DB8::42'],¬
+ # optional, default is an empty array
+ #ban_whitelist => [],
+
+ # Ban blacklist
+ # You can blacklist IP addresses to always ban those IP addresses
+ # Be careful, the IP addresses are compared as string, not as IP addresses
+ # a network range will not work
+ # Example of valid input: ban_blacklist => ['198.51.100.42', '2001:0DB8::42'],¬
+ # optional, default is an empty array
+ #ban_blacklist => [],
+
+ # define an URL to the Piwik instance and the ID of a website to track
+ # set if you want to track views in Piwik
+ # optional, Piwik tracking is disabled by default
+ #piwik => {
+ # url => 'http://piwik.example.com',
+ # idsite => '1',
+ #},
+
+ # use Minion instead of directly increase counters
+ # need to launch a minion worker service if enabled
+ # optional, Minion is disabled by default
+ # It will use the same DB type as Lstu: sqlite if you choose sqlite for `dbtype`,
+ # postgresql for postgresql, etc.
+ #minion => {
+ # enabled => 0,
+ # # SQLite ONLY - only used if if you choose sqlite as DB type,
+ # # define the path to the minion database
+ # # you can define it relative to lstu directory or set an absolute path
+ # # remember that it has to be in a directory writable by Lutim user
+ # # optional, default is minion.db
+ # db_path => 'minion.db',
+ # # PostgreSQL ONLY - only used if you choose postgresql as DB type
+ # # these are the credentials to access the Minion's PostgreSQL database
+ # # mandatory if you choosed postgresql as DB type, no default
+ # pgdb => {
+ # database => 'lstu_minion',
+ # host => 'localhost',
+ # # optional, default is 5432
+ # #port => 5432,
+ # user => 'DBUSER',
+ # pwd => 'DBPASSWORD'
+ # },
+ # # MySQL ONLY - only used if you choose mysql as DB type
+ # # these are the credentials to access the Minion's MySQL database
+ # # mandatory if you choosed mysql as DB type, no default
+ # mysqldb => {
+ # database => 'lstu_minion',
+ # host => 'localhost',
+ # # optional, default is 3306
+ # #port => 3306,
+ # user => 'DBUSER',
+ # pwd => 'DBPASSWORD',
+ # },
+ #},
+
+ # set `ldap` if you want that only authenticated users can shorten URLs
+ # please note that everybody can still use shortend URLs
+ # optional, no default
+ ldap => {
+ uri => 'ldap://localhost:389', # server URI
+ user_tree => 'dc=yunohost,dc=org', # search base DN
+ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN
+ # bind_pwd => '', # search bind password
+ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.)
+ # user_filter => '(!(uid=ldap_user))', # user filter (to exclude some users, etc.)
+ },
+
+ # set `htpasswd` if you want to use an htpasswd file instead of ldap
+ # create the file with `htpasswd -c lstu.passwd user`, update it with `htpasswd lstu.passwd user2`
+ # make sure that lstu can read the file!
+ # optional, no default
+ #htpasswd => 'lstu.passwd',
+
+ # if you've set ldap or htpasswd above, the session will last `session_duration` seconds before
+ # the user needs to reauthenticate
+ # optional, default is 3600
+ #session_duration => 3600,
+
+ # how many redirections are allowed for the shortened URL before considering it as a spam?
+ # optional, default is 2. Set to -1 to allow infinite redirections (not recommended)
+ #max_redir => 2,
+
+ # spam blacklist regex. All URLs (or redirection) whose host part matches this regex are considered as spam
+ # optional, no default
+ #spam_blacklist_regex => 'foo|bar',
+
+ # spam path blacklist regex. All URLs (or redirection) whose path part matches this regex are considered as spam
+ # optional, no default
+ #spam_path_blacklist_regex => 'foo|bar',
+
+ # spam whitelist regex. All URLs (or redirection) whose host part matches this regex will never be considered as spam
+ # optional, no default
+ #spam_whitelist_regex => 'foo|bar',
+
+ # set to 1 to skip SpamHaus check (not recommended)
+ # optional, default is 0
+ #skip_spamhaus => 0,
+
+ # put your Google API key to enable Google safebrowsing check
+ # This will allow Lstu to download the Google safebrowsing database and use a local copy to check the URLs.
+ # Google does not get the URLs that are checked.
+ # Instructions to get a key: https://developers.google.com/safe-browsing/v4/get-started
+ # TL;DR: https://console.developers.google.com/projectselector/apis/library
+ # optional, no default
+ #safebrowsing_api_key => '',
+
+ # array of memcached servers to cache URL in order to accelerate responses to often-viewed URL.
+ # If set to [], the cache is disabled
+ # optional, default is []
+ #memcached_servers => [],
+
+ # Content-Security-Policy header that will be sent by Lstu
+ # Set to '' to disable CSP header
+ # https://content-security-policy.com/ provides a good documentation about CSP.
+ # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+ # optional, default is "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; base-uri 'self'"
+ # the default value is good for `default` and `milligram` themes
+ #csp => "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; base-uri 'self'",
+
+ # X-Frame-Options header that will be sent by Lstu
+ # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+ # Set to '' to disable X-Frame-Options header
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+ # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+ # optional, default is 'DENY'
+ #x_frame_options => 'DENY',
+
+ # X-Content-Type-Options that will be sent by Lstu
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ # Set to '' to disable X-Content-Type-Options header
+ # optional, default is 'nosniff'
+ #x_content_type_options => 'nosniff',
+
+ # X-XSS-Protection that will be sent by Lstu
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+ # Set to '' to disable X-XSS-Protection header
+ # optional, default is '1; mode=block'
+ #x_xss_protection => '1; mode=block',
+
+ # Log creator's IP address
+ # Set to 1 if you want to register the IP addresses of URL creators
+ # optional, default is 0
+ #log_creator_ip => 0,
+};
+
diff --git a/conf/lstu.conf.template b/conf/lstu.conf.template
index 4a598b1..1020da4 100644
--- a/conf/lstu.conf.template
+++ b/conf/lstu.conf.template
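Review bot: `#proxy => 1,` is left commented in the `hypnotoad` block of the new conf/lstu.conf.ldap, although this config listens on `http://127.0.0.1:__PORT__` and the install script puts nginx in front of it (`ynh_add_nginx_config`), which is exactly the case the file's own comment says needs `proxy => 1`. Without it Mojolicious does not trust the forwarded headers, so, depending on how Lstu derives the client address (not visible here), the `ban_min_strike => 3` rate limit and any logged creator IP may be keyed on 127.0.0.1 rather than the real client, which would either ban every user at once or never ban the actual abuser. I would change the line to `proxy => 1,` and confirm that the nginx config passes `X-Forwarded-For`. The same commented line presumably exists in conf/lstu.conf.template, which this file otherwise duplicates, so it would need the same change there.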
@@ -178,14 +178,14 @@ # set `ldap` if you want that only authenticated users can shorten URLs # please note that everybody can still use shortend URLs # optional, no default - __IS_PUBLIC__ldap => { - __IS_PUBLIC__ uri => 'ldap://localhost:389', # server URI - __IS_PUBLIC__ user_tree => 'dc=yunohost,dc=org', # search base DN - __IS_PUBLIC__ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN - __IS_PUBLIC__# bind_pwd => '', # search bind password - __IS_PUBLIC__ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.) - __IS_PUBLIC__# user_filter => '(!(uid=ldap_user))', # user filter (to exclude some users, etc.) - __IS_PUBLIC__}, + #ldap => { + # uri => 'ldap://localhost:389', # server URI + # user_tree => 'dc=yunohost,dc=org', # search base DN + # bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN + # bind_pwd => '', # search bind password + # user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.) + # user_filter => '(!(uid=ldap_user))', # user filter (to exclude some users, etc.) + #}, # set `htpasswd` if you want to use an htpasswd file instead of ldap # create the file with `htpasswd -c lstu.passwd user`, update it with `htpasswd lstu.passwd user2` diff --git a/scripts/install b/scripts/install index 3a2061f..cc17ea1 100644 --- a/scripts/install +++ b/scripts/install 
@@ -122,27 +122,13 @@ ynh_add_nginx_config #================================================= ynh_script_progression --message="Configuring Lstu..." -config="${final_path}/lstu.conf" -cp ../conf/lstu.conf.template "$config" -ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$config" -ynh_replace_string --match_string="__PATH__" --replace_string="$path_url" --target_file="$config" -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$config" -ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$config" -ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_user" --target_file="$config" -ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$config" -ynh_replace_string --match_string="__THEME__" --replace_string="$theme" --target_file="$config" -ynh_replace_string --match_string="__HASHED_PASSWORD__" --replace_string="$hashed_password" --target_file="$config" -ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" - if [ $is_public -eq 0 ]; then - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" + ynh_add_config --template="../conf/lstu.conf.ldap" --destination="$final_path/lstu.conf" else - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" + ynh_add_config --template="../conf/lstu.conf.template" --destination="$final_path/lstu.conf" fi -ynh_store_file_checksum --file="$config" - #================================================= # INSTALL LSTU #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index a352e0c..fb2d76d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
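Review bot: Selecting between `../conf/lstu.conf.ldap` and `../conf/lstu.conf.template` in the `if [ $is_public -eq 0 ]` branch leaves two full copies of the configuration to keep in sync; as added in this commit they differ only in whether the `ldap => { … }` block is commented. Any later change to a security-relevant default (CSP, `ban_min_strike`, database settings) has to land in both files, or private and public installs will silently diverge. A single template with one placeholder set before the `ynh_add_config` call, for example `ldap_comment="#"` for public installs and a `__LDAP_COMMENT__` prefix on the ldap lines (both names are only a suggestion), would keep one source of truth. The rendered `lstu.conf` also receives `__DB_PWD__`, `__SECRET__` and `__HASHED_PASSWORD__`, and this hunk does not show its owner or mode being set, so it is worth confirming that the file ends up readable only by the service user. The install section continues outside the hunk.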
@@ -158,35 +158,6 @@ ynh_script_progression --message="Upgrading dependencies..." ynh_install_app_dependencies $pkg_dependencies -#================================================= -# SPECIFIC UPGRADE -#================================================= -# UPGRADE LSTU CONFIGURATION -#================================================= -# ynh_script_progression --message="Upgrading lstu configuration..." - -# config="${final_path}/lstu.conf" -# ynh_backup_if_checksum_is_different --file="$config" -# cp ../conf/lstu.conf.template "$config" -# ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$config" -# ynh_replace_string --match_string="__PATH__" --replace_string="$path_url" --target_file="$config" -# ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$config" -# ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$config" -# ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_user" --target_file="$config" -# ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$config" -# ynh_replace_string --match_string="__THEME__" --replace_string="$theme" --target_file="$config" -# ynh_replace_string --match_string="__HASHED_PASSWORD__" --replace_string="$hashed_password" --target_file="$config" -# ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" - -# if [ $is_public -eq 0 ]; -# then -# ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" -# else -# ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" -# fi - -# ynh_store_file_checksum --file="$config" - #================================================= # BUILD LSU #=================================================