From ae76c986122d4f65b83ef102395eda64dea5e4f3 Mon Sep 17 00:00:00 2001
From: lapineige
Date: Wed, 8 May 2019 17:01:54 +0200
Subject: [PATCH 1/2] Add Fail2ban support (#65)
* Readme: Add welcome UI screenshoot It's always nice to have a quick look at the UI of the software you're going to install :)
* Testing (#56)
* Fix 413 request entity too large (#55)
* [fix] 413 Request Entity Too Large
* Remove ini file for php (#57) Have a look to YunoHost-Apps/nextcloud_ynh#138 for more information
* Add fail2ban config
* Add Fail2ban config removal helper
* Enhance fail2ban config look
* Add fail2ban backup
* Restore fail2ban config
* Add fail2ban config during upgrade To make sure any older version will get fail2ban support
* Update minimum version to 3.5 This is needed for fail2ban helpers
* Add fail2ban info
* Fail2ban: Fix missing log file during install
* Fix feil2ban regex
* Fix fail2ban regex - 2
* Use ynh_systemd_action
* Use long getopts arguments
* Fix duplicated comment and remove blank space
* Fix fail2ban regex in upgrade script
* Improve regex - install This allow empty username (not possible, but may still block some extra brute force spammers) and username with spaces
* Improve regex - upgrade This allow empty username (not possible, but may still block some extra brute force spammers) and username with spaces
* Fix missing log file for fail2ban
* Indentation and variable usage
---
README.md | 6 +++++-
manifest.json | 2 +-
scripts/backup | 7 +++++++
scripts/install | 12 ++++++++++++
scripts/remove | 8 +++++++-
scripts/restore | 8 ++++++++
scripts/upgrade | 13 ++++++++++++-
7 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 38cf006..9df955c 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,9 @@ This is a Wallabag v2 package for YunoHost.
+![wallabag start screen](https://www.linuxbabe.com/wp-content/uploads/2016/10/wallabag-quick-start-page.png)
+
+
 ---
 **NB: Since @jeromelebleu is no longer maintaining this package, I (@lapineige) take over this repository. But I have limited time and experience, so feel free to help !**
@@ -26,6 +29,7 @@ this package:
 * Integrate with YunoHost users and SSO - i.e. logout button
 * Allow one user to be the administrator (set at the installation)
 * Asynchronous import using Redis (need to be enabled in the *Internal Settings*). RabbitMQ import not supported (yet ?)
+ * Supports fail2ban - protects you from password brute force attacks.
 ## Known issue(s)
 - Removing a Yunohost's user won't delete the related wallabag user, but only desactivate it. You need to manualy remove it from wallabag before. See: https://github.com/YunoHost-Apps/wallabag2_ynh/issues/39
@@ -45,7 +49,7 @@ For the migration process, please refer to the
 * YunoHost website: https://yunohost.org/
 * [Video demo](https://player.vimeo.com/video/167435064)
-
+---
 ---
 Wallabag pour Yunohost - [Version Française]
 ---
diff --git a/manifest.json b/manifest.json
index f51b0de..30bcb9e 100644
--- a/manifest.json
+++ b/manifest.json
@@ -15,7 +15,7 @@
 },
 "multi_instance": true,
 "requirements": {
- "yunohost": ">= 2.7.12"
+ "yunohost": ">= 3.5.0"
 },
 "services": [
 "nginx",
diff --git a/scripts/backup b/scripts/backup
index 0d42f42..a607aa6 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -52,3 +52,10 @@ ynh_backup "/etc/php5/fpm/pool.d/$app.conf"
 ynh_mysql_dump_db "$db_name" > db.sql
 CHECK_SIZE "db.sql"
+
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
diff --git a/scripts/install b/scripts/install
index 93fc374..af7c450 100644
--- a/scripts/install
+++ b/scripts/install
@@ -130,6 +130,18 @@ exec_console $app "$final_path" fos:user:promote --super "$admin"
 # Configure Wallabag instance URL
 ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user" <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'"
+#=================================================
+# CONFIGURE FAIL2BAN
+#=================================================
+
+# Create the log file is not already existing during install
+mkdir -p "/var/www/$app/var/logs/"
+touch "/var/www/$app/var/logs/prod.log"
+chown $app: "/var/www/$app/var/logs/prod.log"
+# Add fail2ban config
+ynh_add_fail2ban_config --logpath="/var/www/$app/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP ""' --max_retry=5
+
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 4a4ae81..174210a 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -55,8 +55,14 @@ ynh_remove_nginx_config
 systemctl restart php5-fpm
 systemctl reload nginx
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
-ynh_system_user_delete $app
\ No newline at end of file
+ynh_system_user_delete $app
diff --git a/scripts/restore b/scripts/restore
index 3e82943..44bc1c8 100644
--- a/scripts/restore
+++ b/scripts/restore
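Review bot: The failregex handed to `ynh_add_fail2ban_config` in this hunk has no host group to ban on — it ends in `from IP ""` — and fail2ban refuses a failregex it cannot extract an address from, so as printed the jail would never ban anyone; if the fail2ban `<HOST>` token was merely lost in rendering this is moot, otherwise the pattern should end `from IP "<HOST>"`. The username group `([\w]+)?` additionally counts only failures whose username is made of word characters, so an attempt logged with a dot, hyphen, `@`, or the spaces the commit message says it wants to allow is silently skipped; `user "([^"]*)"` counts whatever wallabag logged. The same regex is repeated verbatim in the scripts/upgrade hunk, so both copies need the change. Separately, this hunk hard-codes `/var/www/$app` although `$final_path` is in scope on its first line and is what the upgrade hunk uses, and `chown $app:` leaves `$app` unquoted unlike the paths beside it.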
@@ -76,6 +76,14 @@ ynh_system_user_create $app # Recreate the dedicated user, if not existing
 chown -R $app: $final_path
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+
+ynh_systemd_action --action=reload --service_name=fail2ban # Reload instead of restart for better performance
+
 #=================================================
 # RESTORE PHP-FPM CONFIGURATION
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 6810d90..e66cb6e 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -113,6 +113,17 @@ exec_console $app "${final_path}" cache:clear
 # Configure Wallabag instance URL
 ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user" <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'"
+# Set-up fail2ban
+# Create the log file is not already existing
+if [ ! -f "$final_path/var/logs/prod.log" ]
+then
+ mkdir -p "$final_path/var/logs/"
+ touch "$final_path/var/logs/prod.log"
+ chown $app: "$final_path/var/logs/prod.log"
+fi
+# Add fail2ban config
+ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP ""' --max_retry=5 # same as install config
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -139,4 +150,4 @@ ynh_app_setting_set "$app" unprotected_uris "/"
 # RELOAD NGINX
 #=================================================
 systemctl restart php5-fpm
-systemctl reload nginx
\ No newline at end of file
+systemctl reload nginx
From 9649bdc73b793102cf140044fc0c59f2bc31818c Mon Sep 17 00:00:00 2001
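Review bot: The fail2ban reload in this hunk runs without anything ensuring `$final_path/var/logs/prod.log` exists, whereas install and upgrade create it explicitly before calling the helper; if the restored archive does not contain that file, the jail points at a missing logpath, which is exactly the situation the commit's "Fix missing log file" entries work around for the other two scripts. Repeating the upgrade hunk's guard before the reload — `mkdir -p "$final_path/var/logs/"`, `touch "$final_path/var/logs/prod.log"`, `chown "$app": "$final_path/var/logs/prod.log"` — closes that gap (the enclosing restore script continues outside the hunk). As a style point, the trailing `# Reload instead of restart for better performance` comment on the `ynh_systemd_action` line would sit better on its own line above the command, matching how the hunk's other comments are placed.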
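Review bot: The comment `# Create the log file is not already existing` on the new side of the scripts/upgrade hunk is missing a word; `# Create the log file if it does not already exist` states what the `if [ ! -f ... ]` guard checks, and the install hunk's `# Create the log file is not already existing during install` has the same slip. The trailing `# same as install config` on the `ynh_add_fail2ban_config` line records that the regex is duplicated rather than removing the duplication; a later fix to the pattern has to be applied in two scripts, so a matching comment in install pointing back here would at least make the second copy harder to forget.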
From: lapineige
Date: Wed, 8 May 2019 17:25:02 +0200
Subject: [PATCH 2/2] Update to 2.3.7 (#61)
* Change version to 2.3.6
* Update to 2.3.6
* Update to 2.3.6
* Update to 2.3.7
* Update to 2.3.7
* Change version to 2.3.7
* Change version to 2.3.7 - fix French version
* Update custom patches
---
README.md | 4 +-
conf/app.src | 4 +-
manifest.json | 2 +-
sources/patches/app-00-ldap-auth.patch | 86 ++++++------
.../app-01-logout-success-handler.patch | 124 +++++++++---------
5 files changed, 114 insertions(+), 106 deletions(-)
diff --git a/README.md b/README.md
index 9df955c..1784c8d 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ This is a Wallabag v2 package for YunoHost.
 **NB: Since @jeromelebleu is no longer maintaining this package, I (@lapineige) take over this repository. But I have limited time and experience, so feel free to help !**
-**Shipped version:** 2.3.2
+**Shipped version:** 2.3.7
 [Wallabag](https://www.wallabag.org/) is a self hostable Read-It-Later application allowing you to not miss any content anymore. Click, save, read it when you can.
@@ -60,7 +60,7 @@ Paquet Wallabag v2 pour Yunohost.
 **NB: Depuis que @jeromelebleu ne maintiens plus ce paquet, je (@lapineige) reprends la charge de ce dépôt. Mais j'ai un temps et une expérience limitées, donc n'hésitez pas à donner un coup de main :) !**
-**Version actuelle:** 2.3.2
+**Version actuelle:** 2.3.7
 [Wallabag](https://www.wallabag.org/) est une application de lecture différée : elle permet simplement d’archiver une page web en ne conservant que le contenu. Les éléments superflus (menus, publicités, etc.) sont supprimés.
diff --git a/conf/app.src b/conf/app.src
index 9961d0e..75a4f17 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,3 +1,3 @@
-SOURCE_URL=https://static.wallabag.org/releases/wallabag-release-2.3.2.tar.gz
-SOURCE_SUM=047a49d48a1199bd1634cab76d4af3dba95096885d4f7814377210fa76fbcc9f
+SOURCE_URL=https://static.wallabag.org/releases/wallabag-release-2.3.7.tar.gz
+SOURCE_SUM=e223de12d8ea9f889e8660df4555c37c965f5ae1ca77af3d3532ab76889762cf
 SOURCE_FORMAT=tar.gz
diff --git a/manifest.json b/manifest.json
index 30bcb9e..ba309d0 100644
--- a/manifest.json
+++ b/manifest.json
@@ -8,7 +8,7 @@
 },
 "url": "https://www.wallabag.org",
 "license": "MIT",
- "version": "2.3.2-1",
+ "version": "2.3.7",
 "maintainer": {
 "name": "lapineige",
 "email": ""
diff --git a/sources/patches/app-00-ldap-auth.patch b/sources/patches/app-00-ldap-auth.patch
index 5742009..3a36f5e 100644
--- a/sources/patches/app-00-ldap-auth.patch
+++ b/sources/patches/app-00-ldap-auth.patch
@@ -1,40 +1,46 @@ ---- a/app/config/services.yml 2016-05-25 18:09:56.374914445 +0200 -+++ b/app/config/services.yml 2016-05-25 18:07:38.775042951 +0200 -@@ -43,6 +43,10 @@ - tags: - - { name: kernel.event_listener, event: security.interactive_login, method: onInteractiveLogin } - -+ yunohost.ldap: -+ class: Symfony\Component\Ldap\LdapClient -+ arguments: ["localhost"] -+ - craue_config_cache_provider: - class: Symfony\Component\Cache\Adapter\FilesystemAdapter - public: false ---- a/app/config/security.yml 2016-05-25 18:09:46.814645164 +0200 -+++ b/app/config/security.yml 2016-05-25 18:07:38.775042951 +0200 -@@ -13,6 +13,14 @@ - property: username - fos_userbundle: - id: fos_user.user_provider.username -+ yunohost_users: -+ ldap: -+ service: yunohost.ldap -+ base_dn: ou=users,dc=yunohost,dc=org -+ search_dn: -+ search_password: -+ filter: (&(uid={username})(objectClass=posixAccount)) -+ default_roles: ROLE_USER - - # the main part of the security, where you can set up firewalls - # for specific sections of your app -@@ -38,6 +46,9 @@ - - secured_area: - pattern: ^/ -+ http_basic_ldap: -+ service: yunohost.ldap -+ dn_string: "uid={username},ou=users,dc=yunohost,dc=org" - form_login: - provider: fos_userbundle - csrf_token_generator: security.csrf.token_manager +diff --git a/app/config/security.yml b/app/config/security.yml +index 02afc9ea..5a3f7a34 100644 +--- a/app/config/security.yml ++++ b/app/config/security.yml +@@ -13,6 +13,14 @@ security: + property: username + fos_userbundle: + id: fos_user.user_provider.username_email ++ yunohost_users: ++ ldap: ++ service: yunohost.ldap ++ base_dn: ou=users,dc=yunohost,dc=org ++ search_dn: ++ search_password: ++ filter: (&(uid={username})(objectClass=posixAccount)) ++ default_roles: ROLE_USER + + # the main part of the security, where you can set up firewalls + # for specific sections of your app +@@ -38,6 +46,9 @@ security: + + secured_area: + pattern: ^/ ++ http_basic_ldap: ++ service: yunohost.ldap ++ dn_string: 
"uid={username},ou=users,dc=yunohost,dc=org" + form_login: + provider: fos_userbundle + csrf_token_generator: security.csrf.token_manager +diff --git a/app/config/services.yml b/app/config/services.yml +index 7b85d846..f23961c5 100644 +--- a/app/config/services.yml ++++ b/app/config/services.yml +@@ -43,6 +43,10 @@ services: + tags: + - { name: kernel.event_listener, event: security.interactive_login, method: onInteractiveLogin } + ++ yunohost.ldap: ++ class: Symfony\Component\Ldap\LdapClient ++ arguments: ["localhost"] ++ + craue_config_cache_provider: + class: Symfony\Component\Cache\Adapter\FilesystemAdapter + public: false +-- +2.17.1 diff --git a/sources/patches/app-01-logout-success-handler.patch b/sources/patches/app-01-logout-success-handler.patch index 166643d..d321d54 100644 --- a/sources/patches/app-01-logout-success-handler.patch +++ b/sources/patches/app-01-logout-success-handler.patch 
@@ -1,61 +1,63 @@ -diff --git a/app/config/security.yml b/app/config/security.yml -index b07b509..62f2550 100644 ---- a/app/config/security.yml -+++ b/app/config/security.yml -@@ -60,7 +60,7 @@ security: - - logout: - path: /logout -- target: / -+ success_handler: yunohost.logout_success_handler - - access_control: - - { path: ^/api/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY } -diff --git a/app/config/services.yml b/app/config/services.yml -index 8a09fde..ee63e06 100644 ---- a/app/config/services.yml -+++ b/app/config/services.yml -@@ -43,6 +43,10 @@ - tags: - - { name: kernel.event_listener, event: security.interactive_login, method: onInteractiveLogin } - -+ yunohost.logout_success_handler: -+ class: Wallabag\YunoHostBundle\Security\LogoutSuccessHandler -+ -+ - yunohost.ldap: - class: Symfony\Component\Ldap\LdapClient - arguments: ["localhost"] -diff --git a/src/Wallabag/YunoHostBundle/Security/LogoutSuccessHandler.php b/src/Wallabag/YunoHostBundle/Security/LogoutSuccessHandler.php -new file mode 100644 -index 0000000..b326824 ---- /dev/null -+++ b/src/Wallabag/YunoHostBundle/Security/LogoutSuccessHandler.php -@@ -0,0 +1,27 @@ -+