From c12f7e8c50f78ada9e1eade21363223b517122e5 Mon Sep 17 00:00:00 2001
From: x86dev
Date: Fri, 7 Jul 2017 13:31:48 +0200
Subject: [PATCH] - Made configuration more flexible by renaming TTRSS_SSL_ENABLED to TTRSS_WITH_SELFSIGNED_CERT.

- Added new configuration options TTRSS_PROTO / TTRSS_PORT.
- Added automatic support for VIRTUAL_HOST / VIRTUAL_PORT to make TT-RSS happy when using SELF_URL_PATH.
- Updated README.md.
---
 README.md               | 20 ++++++++++-----
 root/srv/setup-ttrss.sh | 54 ++++++++++++++++++++++++++++++++++-------
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index e379eea..8136119 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ Next, run the actual TT-RSS instance by doing a:
 
 Running this command for the first time will download the image automatically.
 
+
 ## Accessing your Tiny Tiny RSS (TT-RSS)
 
 The above example exposes the TT-RSS web interface on port 80 (http), so that you can browse to:
@@ -59,11 +60,12 @@ Password: password
 ```
 
 Obviously, you're recommended to change those ASAP.
+See the next section about how to enable encryption support (via SSL/TLS).
 
-## Enabling SSL/TLS encryption support
+## Use self-signed certificates (SSL/TLS)
 
-For enabling SSL/TLS support with a self-signed certificate you have to add `-e TTRSS_SSL_ENABLED=1 -p 443:4443`
+For enabling SSL/TLS support with a self-signed certificate you have to add `-e TTRSS_WITH_SELFSIGNED_CERT=1 -p 443:4443`
 when running your TT-RSS container. Then you can access TT-RSS via: `https://`.
 
 **Warning: Running services unencrypted on the Internet is not recommended!**
 
@@ -77,17 +79,20 @@ A nice thing to have is jwilder's [nginx-proxy](https://github.com/jwilder/nginx
 Docker container running on the same machine as this one. That way you easily can
 integrate your TT-RSS instance with an existing domain by using a sub domain
-(e.g. https://ttrss.yourdomain.com). In combination with an official Let's Encrypt certificate you
+(e.g. https://ttrss.yourdomain.tld).
+
+### Enabling SSL/TLS encryption support
+
+In combination with an official Let's Encrypt certificate you
 can get a nice A+ encryption/security rating over at [SSLLabs](https://www.ssllabs.com/ssltest/).
 
-**Never run your services unencrypted!**
 
 ## Installation walkthrough
 
 ### Running
 
 Following Docker's best practices, this container does not contain its own database,
-but instead expects you to supply a running instance.
+but instead expects you to supply a running database instance.
 While slightly more complicated at first, this gives your more freedom as to which
 database instance and configuration you're relying on.
 Also, this makes this container quite disposable, as it doesn't store any sensitive
@@ -126,8 +131,11 @@ default configuration, which can be changed by passing the following additional
 -e DB_PASS=ttrss
 ```
 
-#### Run on MySql
+By default, a PostgreSQL database is needed.
+#### Use a MySQL database
+
+Specify the following to use an existing MySQL database instead of a PostgreSQL one:
 
 ```bash
 -e DB_TYPE=mysql
 ```
diff --git a/root/srv/setup-ttrss.sh b/root/srv/setup-ttrss.sh
index be18204..edbc353 100755
--- a/root/srv/setup-ttrss.sh
+++ b/root/srv/setup-ttrss.sh
@@ -10,7 +10,7 @@ setup_nginx()
 
     NGINX_CONF=/etc/nginx/nginx.conf
 
-    if [ "$TTRSS_SSL_ENABLED" = "1" ]; then
+    if [ "$TTRSS_WITH_SELFSIGNED_CERT" = "1" ]; then
         # Install OpenSSL.
         apk update && apk add openssl
 
@@ -32,8 +32,9 @@ setup_nginx()
         chmod 600 "/etc/ssl/private/ttrss.key"
         chmod 600 "/etc/ssl/certs/ttrss.crt"
     else
-        echo "Setup: !!! WARNING !!! Turning OFF SSL/TLS !!! WARNING !!!"
-        echo "Setup: This is not recommended for a production server. You have been warned."
+        echo "Setup: !!! WARNING - No encryption (TLS) used - WARNING !!!"
+        echo "Setup: !!! This is not recommended for a production server !!!"
+        echo "Setup: You have been warned."
 
         # Turn off SSL.
         sed -i -e "s/listen\s*4443\s*;/listen 8080;/g" ${NGINX_CONF}
@@ -58,20 +59,55 @@ setup_ttrss()
     # Add initial config.
     cp ${TTRSS_PATH}/config.php-dist ${TTRSS_PATH}/config.php
 
-    # Patch URL path.
-    if [ "$TTRSS_SSL_ENABLED" = "1" ]; then
-        sed -i -e 's@htt.*/@'"${SELF_URL_PATH-https://localhost/}"'@g' ${TTRSS_PATH}/config.php
-    else
-        sed -i -e 's@htt.*/@'"${SELF_URL_PATH-http://localhost/}"'@g' ${TTRSS_PATH}/config.php
+    # VIRTUAL_HOST + VIRTUAL_PORT are used by nginx-proxy.
+
+    # Check if VIRTUAL_HOST is defined, and if so, use this as TTRSS_URL.
+    if [ -n ${VIRTUAL_HOST} ]; then
+        TTRSS_URL=${VIRTUAL_HOST}
     fi
+    # Ditto for TTRSS_PORT.
+    if [ -n ${VIRTUAL_PORT} ]; then
+        TTRSS_PORT=${VIRTUAL_PORT}
+    fi
+
+    if [ "$TTRSS_WITH_SELFSIGNED_CERT" = "1" ]; then
+
+        # Make sure the TTRSS protocol is https now.
+        TTRSS_PROTO=https
+
+        # Set the default https port if not specified otherwise.
+        if [ -z ${TTRSS_PORT} ]; then
+            TTRSS_PORT=4443
+        fi
+    fi
+
+    # If no protocol is specified, use http as default. Not secure, I know.
+    if [ -z ${TTRSS_PROTO} ]; then
+
+        TTRSS_PROTO=http
+
+        # Set the default port if not specified otherwise.
+        if [ -z ${TTRSS_PORT} ]; then
+            TTRSS_PORT=8080
+        fi
+    fi
+
+    # Construct the final URL TTRSS will use.
+    TTRSS_SELF_URL=${TTRSS_PROTO}://${TTRSS_URL}:${TTRSS_PORT}/
+
+    echo "Setup: URL is: $TTRSS_SELF_URL"
+
+    # Patch URL path.
+    sed -i -e 's@htt.*/@'"${TTRSS_SELF_URL}"'@g' ${TTRSS_PATH}/config.php
+
 
     # Enable additional system plugins: api_newsplus.
     sed -i -e "s/.*define('PLUGINS'.*/define('PLUGINS', 'api_newsplus, auth_internal, note, updater');/g" ${TTRSS_PATH}/config.php
 }
 
 echo "Setup: Installing Tiny Tiny RSS ..."
-setup_ttrss
 setup_nginx
+setup_ttrss
 
 echo "Setup: Applying updates ..."
 /srv/update-ttrss.sh --no-start
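Review bot: The new `[ -n ${VIRTUAL_HOST} ]` and `[ -n ${VIRTUAL_PORT} ]` tests are unquoted, so when the variable is unset they collapse to the one-argument form `[ -n ]`, which is true, and `TTRSS_URL` / `TTRSS_PORT` are silently overwritten with an empty string — a value the operator passed as `-e TTRSS_PORT=...` is lost unless VIRTUAL_PORT happens to be set. The port default is also applied only inside the `-z ${TTRSS_PROTO}` branch, so setting `TTRSS_PROTO=https` without `TTRSS_WITH_SELFSIGNED_CERT=1` (the nginx-proxy case the commit message targets) yields `https://host:/`, and with nothing set at all the URL becomes `http://:8080/` where the removed lines defaulted to `http://localhost/`. Quote every expansion inside `[ ]`, derive the port default from the final protocol rather than from how it was chosen, and restore a host default; one layout that does this is below. Separately, `TTRSS_SELF_URL` is spliced into the sed replacement unescaped, so a host or port value containing `&`, `@` or `\` corrupts config.php — at minimum a comment on the sed line, `# NOTE: host/port are not sed-escaped; only plain hostname characters are safe here`, should record that constraint. setup_ttrss begins before this hunk.
```shell
    # Check if VIRTUAL_HOST is defined, and if so, use this as TTRSS_URL.
    if [ -n "${VIRTUAL_HOST}" ]; then
        TTRSS_URL=${VIRTUAL_HOST}
    fi
    # Ditto for TTRSS_PORT.
    if [ -n "${VIRTUAL_PORT}" ]; then
        TTRSS_PORT=${VIRTUAL_PORT}
    fi

    # A self-signed certificate implies https; anything else falls back to http.
    if [ "$TTRSS_WITH_SELFSIGNED_CERT" = "1" ]; then
        TTRSS_PROTO=https
    fi
    : "${TTRSS_PROTO:=http}"
    # Keep the previous behaviour of pointing at localhost when no host is known.
    : "${TTRSS_URL:=localhost}"

    # Derive the default port from the final protocol, however it was chosen.
    if [ -z "${TTRSS_PORT}" ]; then
        case "${TTRSS_PROTO}" in
            https) TTRSS_PORT=4443 ;;
            *)     TTRSS_PORT=8080 ;;
        esac
    fi
    # … unchanged: TTRSS_SELF_URL construction, echo, sed patching of config.php …
```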