From ac1e353dc2756d864032b53e5651cd818360abe0 Mon Sep 17 00:00:00 2001 From: magikcypress Date: Sun, 16 Apr 2017 22:17:13 +0200 Subject: [PATCH 01/10] [fix] add secure rm --- scripts/_common | 5 +++++ scripts/remove | 5 +++-- scripts/upgrade | 16 +++++++++++++++- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/scripts/_common b/scripts/_common index 54a66f2..8ecb4ad 100644 --- a/scripts/_common +++ b/scripts/_common @@ -15,3 +15,8 @@ extract_source() { || ynh_die "Unable to extract source tarball" sudo rm "$rc_tarball" } + +ynh_secure_rm () { + [[ "/var/www /opt /home/yunohost.app" =~ $1 ]] \ + || (test -n "$1" && sudo rm -Rf $1 ) +} \ No newline at end of file diff --git a/scripts/remove b/scripts/remove index 368aa72..fcc1afb 100644 --- a/scripts/remove +++ b/scripts/remove @@ -5,6 +5,7 @@ set -u # Source app helpers source /usr/share/yunohost/helpers +source ./_common # Get multi-instances specific variables app=$YNH_APP_INSTANCE_NAME @@ -12,7 +13,7 @@ app=$YNH_APP_INSTANCE_NAME # Retrieve arguments domain=$(ynh_app_setting_get "$app" domain) -sudo rm -rf /var/www/$app -sudo rm -f /etc/nginx/conf.d/$domain.d/$app.conf +ynh_secure_rm /var/www/$app +ynh_secure_rm /etc/nginx/conf.d/$domain.d/$app.conf sudo systemctl reload nginx \ No newline at end of file diff --git a/scripts/upgrade b/scripts/upgrade index beb608d..2e06946 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -23,7 +23,21 @@ final_path=/var/www/$app sudo mkdir -p $final_path # Clean all files and directory except the data directory -sudo rm -rf $final_path/{cfg,CREDITS.md,i18n,index.php,js,README.md,tmp,CHANGELOG.md,css,favicon.ico,img,INSTALL.md,lib,robots.txt,tpl} +ynh_secure_rm $final_path/cfg +ynh_secure_rm $final_path/CREDITS.md +ynh_secure_rm $final_path/i18n +ynh_secure_rm $final_path/index.php +ynh_secure_rm $final_path/js +ynh_secure_rm $final_path/README.md +ynh_secure_rm $final_path/tmp +ynh_secure_rm $final_path/CHANGELOG.md +ynh_secure_rm $final_path/css +ynh_secure_rm $final_path/favicon.ico +ynh_secure_rm $final_path/img +ynh_secure_rm $final_path/INSTALL.md +ynh_secure_rm $final_path/lib +ynh_secure_rm $final_path/robots.txt +ynh_secure_rm $final_path/tpl # Copy files to the right place extract_source $final_path From b1c9f238bff4548f662c1d11d30dce7397fd8d6a Mon Sep 17 00:00:00 2001 From: magikcypress Date: Sun, 16 Apr 2017 23:57:23 +0200 Subject: [PATCH 02/10] [fix] Add php-fpm issue #17 --- conf/php-fpm.conf | 392 ++++++++++++++++++++++++++++++++++++++++++++++ conf/php-fpm.ini | 3 + scripts/_common | 24 +++ scripts/backup | 3 + scripts/install | 3 + scripts/remove | 1 + scripts/restore | 12 ++ scripts/upgrade | 4 + 8 files changed, 442 insertions(+) create mode 100644 conf/php-fpm.conf create mode 100644 conf/php-fpm.ini diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf new file mode 100644 index 0000000..5672f10 --- /dev/null +++ b/conf/php-fpm.conf @@ -0,0 +1,392 @@ +; Start a new pool named 'www'. +; the variable $pool can we used in any directive and will be replaced by the +; pool name ('www' here) +[__NAMETOCHANGE__] + +; Per pool prefix +; It only applies on the following directives: +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = www-data +group = www-data + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses on a +; specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /var/run/php5-fpm-__NAMETOCHANGE__.sock + +; Set listen(2) backlog. +; Default Value: 128 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 128 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0660 +listen.owner = www-data +listen.group = www-data +;listen.mode = 0660 + +; List of ipv4 addresses of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; priority = -19 + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 10 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 2 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 3 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. +; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: ${prefix}/share/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: ouput header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +slowlog = /var/log/nginx/__NAMETOCHANGE__.slow.log + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +request_slowlog_timeout = 5s + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +request_terminate_timeout = 1d + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +chdir = __FINALPATH__ + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +catch_workers_output = yes + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; exectute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M \ No newline at end of file diff --git a/conf/php-fpm.ini b/conf/php-fpm.ini new file mode 100644 index 0000000..55e2ba7 --- /dev/null +++ b/conf/php-fpm.ini @@ -0,0 +1,3 @@ +upload_max_filesize=30M +post_max_size=30M +; max_execution_time=60 \ No newline at end of file diff --git a/scripts/_common b/scripts/_common index 8ecb4ad..ea07601 100644 --- a/scripts/_common +++ b/scripts/_common @@ -16,6 +16,30 @@ extract_source() { sudo rm "$rc_tarball" } +ynh_pool_fpm () { # Create the php-fpm pool configuration file and configure it. + sed -i "s@__NAMETOCHANGE__@$app@g" ../conf/php-fpm.conf + sed -i "s@__FINALPATH__@$final_path@g" ../conf/php-fpm.conf + finalphpconf=/etc/php5/fpm/pool.d/$app.conf + sudo cp ../conf/php-fpm.conf $finalphpconf + sudo chown root: $finalphpconf + finalphpini=/etc/php5/fpm/conf.d/20-$app.ini + sudo cp ../conf/php-fpm.ini $finalphpini + sudo chown root: $finalphpini + sudo systemctl reload php5-fpm +} + +ynh_remove_fpm () { # Delete pool php-fpm configuration + if [ -e "/etc/php5/fpm/pool.d/$app.conf" ]; then # Delete fpm config + echo "Delete fpm config" + sudo rm "/etc/php5/fpm/pool.d/$app.conf" + fi + if [ -e "/etc/php5/fpm/conf.d/20-$app.ini" ]; then # Delete php config + echo "Delete php config" + sudo rm "/etc/php5/fpm/conf.d/20-$app.ini" + fi + sudo systemctl reload php5-fpm +} + ynh_secure_rm () { [[ "/var/www /opt /home/yunohost.app" =~ $1 ]] \ || (test -n "$1" && sudo rm -Rf $1 ) diff --git a/scripts/backup b/scripts/backup index f8332ec..44e5f23 100644 --- a/scripts/backup +++ b/scripts/backup @@ -31,3 +31,6 @@ ynh_backup "/var/www/${app}" "sources" # Copy Nginx conf sudo mkdir -p ./conf ynh_backup "/etc/nginx/conf.d/${domain}.d/${app}.conf" "conf/nginx.conf" +# Copy the php-fpm conf files +ynh_backup "/etc/php5/fpm/pool.d/${app}.conf" "php-fpm.conf" +ynh_backup "/etc/php5/fpm/conf.d/20-${app}.ini" "php-fpm.ini" \ No newline at end of file diff --git a/scripts/install b/scripts/install index 8ecdf80..623d714 100644 --- a/scripts/install +++ b/scripts/install @@ -45,6 +45,9 @@ sudo cp ../conf/nginx.conf $nginxconf sudo chown root: $nginxconf sudo chmod 600 $nginxconf +# Create the php-fpm pool config +ynh_pool_fpm + # Set ssowat config if [ "$is_public" = "No" ]; then diff --git a/scripts/remove b/scripts/remove index fcc1afb..d4c3b66 100644 --- a/scripts/remove +++ b/scripts/remove @@ -15,5 +15,6 @@ domain=$(ynh_app_setting_get "$app" domain) ynh_secure_rm /var/www/$app ynh_secure_rm /etc/nginx/conf.d/$domain.d/$app.conf +ynh_remove_fpm sudo systemctl reload nginx \ No newline at end of file diff --git a/scripts/restore b/scripts/restore index dcc803f..6a981a9 100644 --- a/scripts/restore +++ b/scripts/restore @@ -40,6 +40,18 @@ if [ -f $nginx_conf ]; then ynh_die "The NGINX configuration already exists at '${nginx_conf}'. You should safely delete it before restoring this app." fi +# Check configuration files php-fpm +phpfpm_conf="/etc/php5/fpm/pool.d/php-fpm-${app}.conf" +if [ -f $phpfpm_conf ]; then + ynh_die "The PHP FPM configuration already exists at '${phpfpm_conf}'. + You should safely delete it before restoring this app." +fi + +phpfpm_ini="/etc/php5/fpm/conf.d/20-${app}.ini" +if [ -f $phpfpm_ini ]; then + ynh_die "The PHP FPM INI configuration already exists at '${phpfpm_ini}'. + You should safely delete it before restoring this app." +fi # Restore sources & data sudo cp -a "./sources" $final_path diff --git a/scripts/upgrade b/scripts/upgrade index 2e06946..8dea6b4 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -38,6 +38,7 @@ ynh_secure_rm $final_path/INSTALL.md ynh_secure_rm $final_path/lib ynh_secure_rm $final_path/robots.txt ynh_secure_rm $final_path/tpl +ynh_secure_rm $final_path/data # Copy files to the right place extract_source $final_path @@ -60,6 +61,9 @@ sudo cp ../conf/nginx.conf $nginxconf sudo chown root: $nginxconf sudo chmod 600 $nginxconf +# Create the php-fpm pool config +ynh_pool_fpm + # Set ssowat config ynh_app_setting_set "$app" is_public "$is_public" if [ "$is_public" = "Yes" ]; From 92717d19fa8aa2e9d757e5a419a6fae25360cffe Mon Sep 17 00:00:00 2001 From: magikcypress Date: Mon, 17 Apr 2017 00:13:04 +0200 Subject: [PATCH 03/10] Update README --- README.md | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1e6a149..9d2534c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,53 @@ -# zerobin_ynh -Zerobin for Yunohost +# Zerobin for Yunohost -Actually installs PrivateBin (https://privatebin.info), a much more maintained fork +## Zerobin c'est quoi ? + +PrivateBin est un pastebin en ligne open source minimaliste où le serveur n'a aucune connaissance des données collées. + +Les données sont chiffrées / déchiffrées dans le navigateur à l'aide de 256bit AES en mode Galois Counter. + +C'est un fork de ZeroBin, développée à l'origine par Sébastien Sauvage. Il a été recodé pour permettre des extensions plus faciles et plus propres et a maintenant beaucoup plus de fonctionnalités que l'original. Cependant, il est encore entièrement compatible avec le système de stockage de données original ZeroBin 0.19. Par conséquent, de telles installations peuvent être mises à niveau vers ce fork sans perdre de données. + +Source: [privatebin.info](https://privatebin.info) + +### Installation + +`$ sudo yunohost app install zerobin` + +### Mise à jour + +`$ sudo yunohost app upgrade --verbose zerobin -u https://github.com/YunoHost-Apps/zerobin_ynh.git` + +### Recommendation + +Dans la [documentation de mise à jour](https://github.com/PrivateBin/PrivateBin/wiki/Configuration#zerobincompatibility) de Parsebin, il est précisé que : + +> Pour une compatibilité totale avec ZeroBin et pour pouvoir décrypter les anciennes données, vous autoriseriez cette option. Cependant, cela n'est pas recommandé pour les nouvelles installations car cela affaiblit la sécurité de votre instance PrivateBin. + +Ce qui veut dire que nous avons pris le parti de supprimer le répertoire qui permet de sauvegarder les données. Vous pouvez sauvegarder le répertoire 'data', si vous souhaitez concerver vos données. Mais vous devez savoir que celà affaibli la sécurité de cette application. + +## What is PrivateBin? + +PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. + +Data is encrypted/decrypted in the browser using 256bit AES in Galois Counter mode. + +This is a fork of ZeroBin, originally developed by Sébastien Sauvage. It was refactored to allow easier and cleaner extensions and has now much more features than the original. It is however still fully compatible to the original ZeroBin 0.19 data storage scheme. Therefore such installations can be upgraded to this fork without loosing any data. + +Source: [privatebin.info](https://privatebin.info) + +### Install + +`$ sudo yunohost app install zerobin` + +### Update + +`$ sudo yunohost app upgrade --verbose zerobin -u https://github.com/YunoHost-Apps/zerobin_ynh.git` + +### Recommandation + +In the [update documentation] (https://github.com/PrivateBin/PrivateBin/wiki/Configuration#zerobincompatibility) of Parsebin, it is specified that: + +For full compatibility with ZeroBin and to be able to decrypt old pastes, you would enable this option. However this is not recommend for new installations as it weakens the security of your PrivateBin instance. + +This means that we have decided to delete the directory that allows us to save the data. You can save the 'data' directory, if you want to keep your data. But you should know that this weakens the security of this application. \ No newline at end of file From 3f81447f36c5442fba6e883769d8fa64edfa67dd Mon Sep 17 00:00:00 2001 From: magikcypress Date: Mon, 17 Apr 2017 18:20:58 +0200 Subject: [PATCH 04/10] [fix] Create user for this app + add helpers into common --- conf/php-fpm.conf | 4 +- scripts/_common | 143 +++++++++++++++++++++++++++++++++++++++------- scripts/install | 14 +++-- scripts/remove | 10 ++-- scripts/upgrade | 45 ++++++++------- 5 files changed, 163 insertions(+), 53 deletions(-) diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 5672f10..7bad39e 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -19,8 +19,8 @@ ; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. -user = www-data -group = www-data +user = __USER__ +group = __USER__ ; The address on which to accept FastCGI requests. ; Valid syntaxes are: diff --git a/scripts/_common b/scripts/_common index ea07601..5753486 100644 --- a/scripts/_common +++ b/scripts/_common @@ -2,6 +2,26 @@ PRIVATEBIN_VERSION="1.1" PRIVATEBIN_SOURCE_URL="https://github.com/PrivateBin/PrivateBin/archive/${PRIVATEBIN_VERSION}.tar.gz" PRIVATEBIN_SOURCE_SHA256="61d18753c792d83f54ad9e414d1d32198ab873054907081e732effd5ccbe96ef" +# Substitute a string by another in a file +# +# usage: ynh_substitute_char string_to_find replace_string file_to_analyse +# | arg: string_to_find - String to replace in the file +# | arg: replace_string - New string that will replace +# | arg: file_to_analyse - File where the string will be replaced. +ynh_substitute_char () { + delimit=@ + match_char=${1//${delimit}/"\\${delimit}"} # Escape the delimiter if it's in the string. + replace_char=${2//${delimit}/"\\${delimit}"} + workfile=$3 + + sudo sed --in-place "s${delimit}${match_char}${delimit}${replace_char}${delimit}g" "$workfile" +} + +ynh_store_checksum_config () { + config_file_checksum=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' + ynh_app_setting_set $app $config_file_checksum $(sudo md5sum "$1" | cut -d' ' -f1) +} + extract_source() { local DESTDIR=$1 @@ -16,31 +36,112 @@ extract_source() { sudo rm "$rc_tarball" } -ynh_pool_fpm () { # Create the php-fpm pool configuration file and configure it. - sed -i "s@__NAMETOCHANGE__@$app@g" ../conf/php-fpm.conf - sed -i "s@__FINALPATH__@$final_path@g" ../conf/php-fpm.conf - finalphpconf=/etc/php5/fpm/pool.d/$app.conf - sudo cp ../conf/php-fpm.conf $finalphpconf - sudo chown root: $finalphpconf - finalphpini=/etc/php5/fpm/conf.d/20-$app.ini - sudo cp ../conf/php-fpm.ini $finalphpini - sudo chown root: $finalphpini +ynh_fpm_config () { + finalphpconf="/etc/php5/fpm/pool.d/$app.conf" + ynh_compare_checksum_config "$finalphpconf" 1 + sudo cp ../conf/php-fpm.conf "$finalphpconf" + ynh_substitute_char "__NAMETOCHANGE__" "$app" "$finalphpconf" + ynh_substitute_char "__FINALPATH__" "$final_path" "$finalphpconf" + ynh_substitute_char "__USER__" "$app" "$finalphpconf" + sudo chown root: "$finalphpconf" + ynh_store_checksum_config "$finalphpconf" + + if [ -e "../conf/php-fpm.ini" ] + then + finalphpini="/etc/php5/fpm/conf.d/20-$app.ini" + ynh_compare_checksum_config "$finalphpini" 1 + sudo cp ../conf/php-fpm.ini "$finalphpini" + sudo chown root: "$finalphpini" + ynh_store_checksum_config "$finalphpini" + fi + sudo systemctl reload php5-fpm } -ynh_remove_fpm () { # Delete pool php-fpm configuration - if [ -e "/etc/php5/fpm/pool.d/$app.conf" ]; then # Delete fpm config - echo "Delete fpm config" - sudo rm "/etc/php5/fpm/pool.d/$app.conf" - fi - if [ -e "/etc/php5/fpm/conf.d/20-$app.ini" ]; then # Delete php config - echo "Delete php config" - sudo rm "/etc/php5/fpm/conf.d/20-$app.ini" - fi +ynh_remove_fpm_config () { + ynh_secure_remove "/etc/php5/fpm/pool.d/$app.conf" + ynh_secure_remove "/etc/php5/fpm/conf.d/20-$app.ini" sudo systemctl reload php5-fpm } -ynh_secure_rm () { - [[ "/var/www /opt /home/yunohost.app" =~ $1 ]] \ - || (test -n "$1" && sudo rm -Rf $1 ) +# Remove a file or a directory securely +# +# usage: ynh_secure_remove path_to_remove +# | arg: path_to_remove - File or directory to remove +ynh_secure_remove () { + path_to_remove=$1 + forbidden_path=" \ + /var/www \ + /home/yunohost.app" + + if [[ "$forbidden_path" =~ "$path_to_remove" \ + # Match all path or subpath in $forbidden_path + || "$path_to_remove" =~ ^/[[:alnum:]]+$ \ + # Match all first level path from / (Like /var, /root, etc...) + || "${path_to_remove:${#path_to_remove}-1}" = "/" ]] + # Match if the path finish by /. Because it's seems there is an empty variable + then + echo "Avoid deleting of $path_to_remove." >&2 + else + if [ -e "$path_to_remove" ] + then + sudo rm -R "$path_to_remove" + else + echo "$path_to_remove doesn't deleted because it's not exist." >&2 + fi + fi +} + +# Create a system user +# +# usage: ynh_system_user_create user_name [home_dir] +# | arg: user_name - Name of the system user that will be create +# | arg: home_dir - Path of the home dir for the user. Usually the final path of the app. If this argument is omitted, the user will be created without home +ynh_system_user_create () { + if ! ynh_system_user_exists "$1" # Check if the user exists on the system + then # If the user doesn't exist + if [ $# -ge 2 ]; then # If a home dir is mentioned + user_home_dir="-d $2" + else + user_home_dir="--no-create-home" + fi + sudo useradd $user_home_dir --system --user-group $1 --shell /usr/sbin/nologin || ynh_die "Unable to create $1 system account" + fi +} + +# Delete a system user +# +# usage: ynh_system_user_delete user_name +# | arg: user_name - Name of the system user that will be create +ynh_system_user_delete () { + if ynh_system_user_exists "$1" # Check if the user exists on the system + then + echo "Remove the user $1" >&2 + sudo userdel $1 + else + echo "The user $1 was not found" >&2 + fi +} + +ynh_compare_checksum_config () { + current_config_file=$1 + compress_backup=${2:-0} # If $2 is empty, compress_backup will set at 0 + config_file_checksum=checksum_${current_config_file//[\/ ]/_} # Replace all '/' and ' ' by '_' + checksum_value=$(ynh_app_setting_get $app $config_file_checksum) + if [ -n "$checksum_value" ] + then # Proceed only if a value was stocked into the app config + if ! echo "$checksum_value $current_config_file" | md5sum -c --status + then # If the checksum is now different + backup_config_file="$current_config_file.backup.$(date '+%d.%m.%y_%Hh%M,%Ss')" + if [ compress_backup -eq 1 ] + then + sudo tar --create --gzip --file "$backup_config_file.tar.gz" "$current_config_file" # Backup the current config file and compress + backup_config_file="$backup_config_file.tar.gz" + else + sudo cp -a "$current_config_file" "$backup_config_file" # Backup the current config file + fi + echo "Config file $current_config_file has been manually modified since the installation or last upgrade. So it has been duplicated in $backup_config_file" >&2 + echo "$backup_config_file" # Return the name of the backup file + fi + fi } \ No newline at end of file diff --git a/scripts/install b/scripts/install index 623d714..edba86f 100644 --- a/scripts/install +++ b/scripts/install @@ -3,8 +3,9 @@ # Exit on command errors and treat unset variables as an error set -eu -source /usr/share/yunohost/helpers +# Source app helpers source ./_common +source /usr/share/yunohost/helpers # Retrieve arguments domain=$YNH_APP_ARG_DOMAIN @@ -27,14 +28,17 @@ final_path=/var/www/$app sudo mkdir -p $final_path extract_source $final_path -# Files owned by root, www-data can just read +# Create system user dedicace for this app +ynh_system_user_create $app + +# Files owned by user specific can just read sudo find $final_path -type f | xargs sudo chmod 644 sudo find $final_path -type d | xargs sudo chmod 755 -sudo chown -R root: $final_path +sudo chown -R $app: $final_path # except for data and tmp subdir, where www-data must have write permissions sudo mkdir -p $final_path/{data,tmp} -sudo chown -R www-data:root $final_path/{data,tmp} +sudo chown -R $app:root $final_path/{data,tmp} sudo chmod 700 $final_path/{data,tmp} # Modify Nginx configuration file and copy it to Nginx conf directory @@ -46,7 +50,7 @@ sudo chown root: $nginxconf sudo chmod 600 $nginxconf # Create the php-fpm pool config -ynh_pool_fpm +ynh_fpm_config # Set ssowat config if [ "$is_public" = "No" ]; diff --git a/scripts/remove b/scripts/remove index d4c3b66..e4fcab5 100644 --- a/scripts/remove +++ b/scripts/remove @@ -4,8 +4,8 @@ set -u # Source app helpers -source /usr/share/yunohost/helpers source ./_common +source /usr/share/yunohost/helpers # Get multi-instances specific variables app=$YNH_APP_INSTANCE_NAME @@ -13,8 +13,10 @@ app=$YNH_APP_INSTANCE_NAME # Retrieve arguments domain=$(ynh_app_setting_get "$app" domain) -ynh_secure_rm /var/www/$app -ynh_secure_rm /etc/nginx/conf.d/$domain.d/$app.conf -ynh_remove_fpm +ynh_secure_remove /var/www/$app +ynh_secure_remove /etc/nginx/conf.d/$domain.d/$app.conf +ynh_remove_fpm_config + +ynh_system_user_delete $app sudo systemctl reload nginx \ No newline at end of file diff --git a/scripts/upgrade b/scripts/upgrade index 8dea6b4..3e3286e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -2,9 +2,9 @@ # Exit on command errors and treat unset variables as an error set -eu - -source /usr/share/yunohost/helpers +# Source app helpers source ./_common +source /usr/share/yunohost/helpers app=$YNH_APP_INSTANCE_NAME @@ -18,27 +18,30 @@ if [[ ! "$path" == "/" ]]; then path=${path%/} fi +# Create system user dedicace for this app +ynh_system_user_create $app + # Init final_path, if ever it got deleted somehow final_path=/var/www/$app sudo mkdir -p $final_path # Clean all files and directory except the data directory -ynh_secure_rm $final_path/cfg -ynh_secure_rm $final_path/CREDITS.md -ynh_secure_rm $final_path/i18n -ynh_secure_rm $final_path/index.php -ynh_secure_rm $final_path/js -ynh_secure_rm $final_path/README.md -ynh_secure_rm $final_path/tmp -ynh_secure_rm $final_path/CHANGELOG.md -ynh_secure_rm $final_path/css -ynh_secure_rm $final_path/favicon.ico -ynh_secure_rm $final_path/img -ynh_secure_rm $final_path/INSTALL.md -ynh_secure_rm $final_path/lib -ynh_secure_rm $final_path/robots.txt -ynh_secure_rm $final_path/tpl -ynh_secure_rm $final_path/data +ynh_secure_remove $final_path/cfg +ynh_secure_remove $final_path/CREDITS.md +ynh_secure_remove $final_path/i18n +ynh_secure_remove $final_path/index.php +ynh_secure_remove $final_path/js +ynh_secure_remove $final_path/README.md +ynh_secure_remove $final_path/tmp +ynh_secure_remove $final_path/CHANGELOG.md +ynh_secure_remove $final_path/css +ynh_secure_remove $final_path/favicon.ico +ynh_secure_remove $final_path/img +ynh_secure_remove $final_path/INSTALL.md +ynh_secure_remove $final_path/lib +ynh_secure_remove $final_path/robots.txt +ynh_secure_remove $final_path/tpl +ynh_secure_remove $final_path/data # Copy files to the right place extract_source $final_path @@ -46,11 +49,11 @@ extract_source $final_path # Files owned by root, www-data can just read sudo find $final_path -type f | xargs sudo chmod 644 sudo find $final_path -type d | xargs sudo chmod 755 -sudo chown -R root: $final_path +sudo chown -R $app: $final_path # except for data and tmp subdir, where www-data must have write permissions sudo mkdir -p $final_path/{data,tmp} -sudo chown -R www-data:root $final_path/{data,tmp} +sudo chown -R $app:root $final_path/{data,tmp} sudo chmod 700 $final_path/{data,tmp} # Modify Nginx configuration file and copy it to Nginx conf directory @@ -62,7 +65,7 @@ sudo chown root: $nginxconf sudo chmod 600 $nginxconf # Create the php-fpm pool config -ynh_pool_fpm +ynh_fpm_config # Set ssowat config ynh_app_setting_set "$app" is_public "$is_public" From 37ce42d3720f921a76ad89d8ceca1c0b9cb76066 Mon Sep 17 00:00:00 2001 From: magikcypress Date: Mon, 17 Apr 2017 19:49:45 +0200 Subject: [PATCH 05/10] [fix] owner root root directory --- scripts/install | 2 +- scripts/upgrade | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index edba86f..86dd0ad 100644 --- a/scripts/install +++ b/scripts/install @@ -34,7 +34,7 @@ ynh_system_user_create $app # Files owned by user specific can just read sudo find $final_path -type f | xargs sudo chmod 644 sudo find $final_path -type d | xargs sudo chmod 755 -sudo chown -R $app: $final_path +sudo chown -R root: $final_path # except for data and tmp subdir, where www-data must have write permissions sudo mkdir -p $final_path/{data,tmp} diff --git a/scripts/upgrade b/scripts/upgrade index 3e3286e..6d146b7 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -49,7 +49,7 @@ extract_source $final_path # Files owned by root, www-data can just read sudo find $final_path -type f | xargs sudo chmod 644 sudo find $final_path -type d | xargs sudo chmod 755 -sudo chown -R $app: $final_path +sudo chown -R root: $final_path # except for data and tmp subdir, where www-data must have write permissions sudo mkdir -p $final_path/{data,tmp} From ed68227b97ca7aa0f4e0d0f9450df936e867585f Mon Sep 17 00:00:00 2001 From: Jimmy Monin Date: Tue, 16 May 2017 20:44:51 +0200 Subject: [PATCH 06/10] Various fixes --- check_process | 8 +++----- conf/nginx.conf | 2 +- scripts/_common | 26 +++++++++++++++++++++++++- scripts/install | 18 +++++++----------- scripts/restore | 22 ++++++++++++++++------ scripts/upgrade | 1 + 6 files changed, 53 insertions(+), 24 deletions(-) diff --git a/check_process b/check_process index 9956847..5f2b2cd 100644 --- a/check_process +++ b/check_process @@ -14,13 +14,8 @@ upgrade=1 backup_restore=1 multi_instance=1 - wrong_user=1 - wrong_path=1 incorrect_path=1 - corrupt_source=0 - fail_download_source=0 port_already_use=0 - final_path_already_use=0 ;;; Levels Level 1=auto Level 2=auto @@ -32,3 +27,6 @@ Level 8=0 Level 9=0 Level 10=0 +;;; Options +Email= +Notification=none \ No newline at end of file diff --git a/conf/nginx.conf b/conf/nginx.conf index 71a8b38..36f2f05 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -7,7 +7,7 @@ location YNH_WWW_PATH { try_files $uri $uri/ index.php; location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass unix:/var/run/php5-fpm-YNH_NAME.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; diff --git a/scripts/_common b/scripts/_common index 5753486..e80c476 100644 --- a/scripts/_common +++ b/scripts/_common @@ -144,4 +144,28 @@ ynh_compare_checksum_config () { echo "$backup_config_file" # Return the name of the backup file fi fi -} \ No newline at end of file +} + +# Normalize the url path syntax +# Handle the slash at the beginning of path and its absence at ending +# Return a normalized url path +# +# example: url_path=$(ynh_normalize_url_path $url_path) +# ynh_normalize_url_path example -> /example +# ynh_normalize_url_path /example -> /example +# ynh_normalize_url_path /example/ -> /example +# ynh_normalize_url_path / -> / +# +# usage: ynh_normalize_url_path path_to_normalize +# | arg: url_path_to_normalize - URL path to normalize before using it +ynh_normalize_url_path () { + path_url=$1 + test -n "$path_url" || ynh_die "ynh_normalize_url_path expect a URL path as first argument and received nothing." + if [ "${path_url:0:1}" != "/" ]; then # If the first character is not a / + path_url="/$path_url" # Add / at begin of path variable + fi + if [ "${path_url:${#path_url}-1}" == "/" ] && [ ${#path_url} -gt 1 ]; then # If the last character is a / and that not the only character. + path_url="${path_url:0:${#path_url}-1}" # Delete the last character + fi + echo $path_url +} diff --git a/scripts/install b/scripts/install index 86dd0ad..8887354 100644 --- a/scripts/install +++ b/scripts/install @@ -9,19 +9,13 @@ source /usr/share/yunohost/helpers # Retrieve arguments domain=$YNH_APP_ARG_DOMAIN -path=$YNH_APP_ARG_PATH +path=$(ynh_normalize_url_path $YNH_APP_ARG_PATH) is_public=$YNH_APP_ARG_IS_PUBLIC app=$YNH_APP_INSTANCE_NAME # Check domain/path availability -sudo yunohost app checkurl "${domain}${path}" -a "$app" \ - || ynh_die "Path not available: ${domain}${path}" - -# Remove trailing "/" for next commands -if [[ ! "$path" == "/" ]]; then - path=${path%/} -fi +sudo yunohost app checkurl "${domain}${path}" -a "$app" # Copy files to the right place final_path=/var/www/$app @@ -44,6 +38,7 @@ sudo chmod 700 $final_path/{data,tmp} # Modify Nginx configuration file and copy it to Nginx conf directory sed -i "s@YNH_WWW_PATH@$path@g" ../conf/nginx.conf sed -i "s@YNH_WWW_ALIAS@$final_path/@g" ../conf/nginx.conf +sed -i "s@YNH_NAME@$app@g" ../conf/nginx.conf nginxconf=/etc/nginx/conf.d/$domain.d/$app.conf sudo cp ../conf/nginx.conf $nginxconf sudo chown root: $nginxconf @@ -53,10 +48,11 @@ sudo chmod 600 $nginxconf ynh_fpm_config # Set ssowat config -if [ "$is_public" = "No" ]; +ynh_app_setting_set $app is_public "$is_public" +if [ "$is_public" = "Yes" ]; then - ynh_app_setting_delete $app skipped_uris + ynh_app_setting_set $app unprotected_uris "/" fi sudo systemctl reload nginx -sudo yunohost app ssowatconf \ No newline at end of file +sudo yunohost app ssowatconf diff --git a/scripts/restore b/scripts/restore index 6a981a9..55b37a3 100644 --- a/scripts/restore +++ b/scripts/restore @@ -3,6 +3,12 @@ # causes the shell to exit if any subcommand or pipeline returns a non-zero status set -eu +if [ ! -e _common ]; then + # Fetch helpers file if not in current directory + sudo cp ../settings/scripts/_common ./_common + sudo chmod a+rx _common +fi +source _common # Source app helpers source /usr/share/yunohost/helpers @@ -25,8 +31,7 @@ user=$(ynh_app_setting_get $app allowed_users) is_public=$(ynh_app_setting_get $app is_public) # Check domain/path availability -sudo yunohost app checkurl "${domain}${path}" -a "$app" \ - || ynh_die "Path not available: ${domain}${path}" +sudo yunohost app checkurl "${domain}${path}" -a "$app" # Check $final_path final_path="/var/www/${app}" @@ -52,24 +57,29 @@ if [ -f $phpfpm_ini ]; then ynh_die "The PHP FPM INI configuration already exists at '${phpfpm_ini}'. You should safely delete it before restoring this app." fi +# Create dedicated system user for this app +ynh_system_user_create $app # Restore sources & data sudo cp -a "./sources" $final_path # Set permissions sudo chown -R root:root $final_path -sudo chown -R www-data:root $final_path/{data,tmp} +sudo chown -R $app:root $final_path/{data,tmp} sudo chmod -R 700 $final_path/{data,tmp} # Restore configuration files sudo cp -a ./conf/nginx.conf "${nginx_conf}" +sudo cp -a ./php-fpm.conf "$phpfpm_conf" +sudo cp -a ./php-fpm.ini "$phpfpm_ini" # Set ssowat config -if [ "$is_public" = "No" ]; +if [ "$is_public" = "Yes" ]; then - ynh_app_setting_delete $app skipped_uris + ynh_app_setting_set $app unprotected_uris "/" fi # Reload service sudo systemctl reload nginx -sudo yunohost app ssowatconf \ No newline at end of file +sudo systemctl reload php5-fpm +sudo yunohost app ssowatconf diff --git a/scripts/upgrade b/scripts/upgrade index 6d146b7..327c565 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -59,6 +59,7 @@ sudo chmod 700 $final_path/{data,tmp} # Modify Nginx configuration file and copy it to Nginx conf directory sed -i "s@YNH_WWW_PATH@$path@g" ../conf/nginx.conf sed -i "s@YNH_WWW_ALIAS@$final_path/@g" ../conf/nginx.conf +sed -i "s@YNH_NAME@$app@g" ../conf/nginx.conf nginxconf=/etc/nginx/conf.d/$domain.d/$app.conf sudo cp ../conf/nginx.conf $nginxconf sudo chown root: $nginxconf From dd41ade2baa6529ffd4a05d854898d2c5ed25c03 Mon Sep 17 00:00:00 2001 From: magikcypress Date: Sat, 20 May 2017 19:40:39 +0200 Subject: [PATCH 07/10] [fix] is_public boolean && add nginx configuration helper --- conf/nginx.conf | 8 ++++---- manifest.json | 4 ++-- scripts/_common | 37 ++++++++++++++++++++++++++++++++++++- scripts/install | 15 +++++---------- scripts/restore | 6 +++++- scripts/upgrade | 17 +++++++---------- 6 files changed, 59 insertions(+), 28 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 71a8b38..f33312c 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,5 +1,5 @@ -location YNH_WWW_PATH { - alias YNH_WWW_ALIAS ; +location __PATH__ { + alias __FINALPATH__; if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } @@ -7,7 +7,7 @@ location YNH_WWW_PATH { try_files $uri $uri/ index.php; location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_pass unix:/var/run/php5-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; @@ -16,5 +16,5 @@ location YNH_WWW_PATH { } # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; + # include conf.d/yunohost_panel.conf.inc; } diff --git a/manifest.json b/manifest.json index 173f588..4236550 100644 --- a/manifest.json +++ b/manifest.json @@ -43,12 +43,12 @@ }, { "name": "is_public", + "type": "boolean", "ask": { "en": "Is it a public Zerobin site ?", "fr": "Est-ce un site public ?" }, - "choices": ["Yes", "No"], - "default": "Yes" + "default": "true" } ] } diff --git a/scripts/_common b/scripts/_common index 5753486..00d8195 100644 --- a/scripts/_common +++ b/scripts/_common @@ -22,7 +22,7 @@ ynh_store_checksum_config () { ynh_app_setting_set $app $config_file_checksum $(sudo md5sum "$1" | cut -d' ' -f1) } -extract_source() { +extract_source () { local DESTDIR=$1 # retrieve and extract Roundcube tarball @@ -36,6 +36,41 @@ extract_source() { sudo rm "$rc_tarball" } + +# Add config nginx +ynh_nginx_config () { + finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf" + ynh_compare_checksum_config "$finalnginxconf" 1 + sudo cp ../conf/nginx.conf "$finalnginxconf" + + # To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable. + # Substitute in a nginx config file only if the variable is not empty + if test -n "${path:-}"; then + ynh_substitute_char "__PATH__" "$path" "$finalnginxconf" + fi + if test -n "${domain:-}"; then + ynh_substitute_char "__DOMAIN__" "$domain" "$finalnginxconf" + fi + if test -n "${port:-}"; then + ynh_substitute_char "__PORT__" "$port" "$finalnginxconf" + fi + if test -n "${app:-}"; then + ynh_substitute_char "__NAME__" "$app" "$finalnginxconf" + fi + if test -n "${final_path:-}"; then + ynh_substitute_char "__FINALPATH__" "$final_path" "$finalnginxconf" + fi + ynh_store_checksum_config "$finalnginxconf" + + sudo systemctl reload nginx +} + +# Remove config nginx +ynh_remove_nginx_config () { + ynh_secure_remove "/etc/nginx/conf.d/$domain.d/$app.conf" + sudo systemctl reload nginx +} + ynh_fpm_config () { finalphpconf="/etc/php5/fpm/pool.d/$app.conf" ynh_compare_checksum_config "$finalphpconf" 1 diff --git a/scripts/install b/scripts/install index 86dd0ad..ced0633 100644 --- a/scripts/install +++ b/scripts/install @@ -42,20 +42,15 @@ sudo chown -R $app:root $final_path/{data,tmp} sudo chmod 700 $final_path/{data,tmp} # Modify Nginx configuration file and copy it to Nginx conf directory -sed -i "s@YNH_WWW_PATH@$path@g" ../conf/nginx.conf -sed -i "s@YNH_WWW_ALIAS@$final_path/@g" ../conf/nginx.conf -nginxconf=/etc/nginx/conf.d/$domain.d/$app.conf -sudo cp ../conf/nginx.conf $nginxconf -sudo chown root: $nginxconf -sudo chmod 600 $nginxconf +ynh_nginx_config # Create the php-fpm pool config ynh_fpm_config -# Set ssowat config -if [ "$is_public" = "No" ]; -then - ynh_app_setting_delete $app skipped_uris +# If app is public, add url to SSOWat conf as skipped_uris +if [[ $is_public -eq 1 ]]; then + # unprotected_uris allows SSO credentials to be passed anyway. + ynh_app_setting_set "$app" unprotected_uris "/" fi sudo systemctl reload nginx diff --git a/scripts/restore b/scripts/restore index 6a981a9..052c513 100644 --- a/scripts/restore +++ b/scripts/restore @@ -61,9 +61,13 @@ sudo chown -R root:root $final_path sudo chown -R www-data:root $final_path/{data,tmp} sudo chmod -R 700 $final_path/{data,tmp} -# Restore configuration files +# Restore nginx configuration files sudo cp -a ./conf/nginx.conf "${nginx_conf}" +# Restore php-fpm configuration files +sudo cp -a ./conf/php-fpm.conf "${phpfpm_conf}" +sudo cp -a ./conf/php-fpm.ini "${phpfpm_ini}" + # Set ssowat config if [ "$is_public" = "No" ]; then diff --git a/scripts/upgrade b/scripts/upgrade index 6d146b7..755853e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -57,21 +57,18 @@ sudo chown -R $app:root $final_path/{data,tmp} sudo chmod 700 $final_path/{data,tmp} # Modify Nginx configuration file and copy it to Nginx conf directory -sed -i "s@YNH_WWW_PATH@$path@g" ../conf/nginx.conf -sed -i "s@YNH_WWW_ALIAS@$final_path/@g" ../conf/nginx.conf -nginxconf=/etc/nginx/conf.d/$domain.d/$app.conf -sudo cp ../conf/nginx.conf $nginxconf -sudo chown root: $nginxconf -sudo chmod 600 $nginxconf +ynh_nginx_config # Create the php-fpm pool config ynh_fpm_config # Set ssowat config -ynh_app_setting_set "$app" is_public "$is_public" -if [ "$is_public" = "Yes" ]; -then - ynh_app_setting_set "$app" unprotected_uris "/" +if [ "$is_public" = "Yes" ]; then + ynh_app_setting_set $app is_public 1 # Fixe is_public en booléen + is_public=1 +else + ynh_app_setting_set $app is_public 0 + is_public=0 fi # Reload Nginx From d87789ffa5dea30fe5c1ecd29a779c5a90ee70da Mon Sep 17 00:00:00 2001 From: magikcypress Date: Sat, 20 May 2017 20:28:11 +0200 Subject: [PATCH 08/10] [fix] incorrect merge --- scripts/install | 8 -------- 1 file changed, 8 deletions(-) diff --git a/scripts/install b/scripts/install index 2a999ca..c3036ab 100644 --- a/scripts/install +++ b/scripts/install @@ -41,18 +41,10 @@ ynh_nginx_config # Create the php-fpm pool config ynh_fpm_config -<<<<<<< HEAD # If app is public, add url to SSOWat conf as skipped_uris if [[ $is_public -eq 1 ]]; then # unprotected_uris allows SSO credentials to be passed anyway. ynh_app_setting_set "$app" unprotected_uris "/" -======= -# Set ssowat config -ynh_app_setting_set $app is_public "$is_public" -if [ "$is_public" = "Yes" ]; -then - ynh_app_setting_set $app unprotected_uris "/" ->>>>>>> ed68227b97ca7aa0f4e0d0f9450df936e867585f fi sudo systemctl reload nginx From f375c49c630ddb007f57bd7f131526aadacc2d56 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Fri, 2 Jun 2017 20:00:35 +0200 Subject: [PATCH 09/10] Fix is_public value --- check_process | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/check_process b/check_process index 5f2b2cd..419b455 100644 --- a/check_process +++ b/check_process @@ -3,7 +3,7 @@ ; Manifest domain="domain.tld" (DOMAIN) path="/path" (PATH) - is_public="Yes" (PUBLIC|public=Yes|private=No) + is_public=1 (PUBLIC|public=1|private=0) ; Checks pkg_linter=1 setup_sub_dir=1 @@ -29,4 +29,4 @@ Level 10=0 ;;; Options Email= -Notification=none \ No newline at end of file +Notification=none From aa44568e7b2e370a8fb2d3f1a440581ef8254cf4 Mon Sep 17 00:00:00 2001 From: magikcypress Date: Sat, 3 Jun 2017 16:37:08 +0200 Subject: [PATCH 10/10] [fix] Delete lines for php5-fpm config restore --- conf/nginx.conf | 2 +- scripts/restore | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 01812cd..026b928 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,5 +1,5 @@ location __PATH__ { - alias __FINALPATH__; + alias __FINALPATH__/; if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } diff --git a/scripts/restore b/scripts/restore index 9347448..1b382c8 100644 --- a/scripts/restore +++ b/scripts/restore @@ -70,12 +70,9 @@ sudo chmod -R 700 $final_path/{data,tmp} # Restore nginx configuration files sudo cp -a ./conf/nginx.conf "${nginx_conf}" -sudo cp -a ./php-fpm.conf "$phpfpm_conf" -sudo cp -a ./php-fpm.ini "$phpfpm_ini" - # Restore php-fpm configuration files -sudo cp -a ./conf/php-fpm.conf "${phpfpm_conf}" -sudo cp -a ./conf/php-fpm.ini "${phpfpm_ini}" +sudo cp -a ./php-fpm.conf "${phpfpm_conf}" +sudo cp -a ./php-fpm.ini "${phpfpm_ini}" # Set ssowat config if [ "$is_public" = "Yes" ];