This implements a simple login gateway for Turris web interface. It can be easily applied to any website and that way protects any web application running on the router.
The installation can be performed as you are used to installing any other Python packages from sources. For example with pip you can run following command in the project directory:
pip3 install .To make it all work you have to include the appropriate configuration in the Lighttpd. It is enough to include the following line in the configuration file:
include_shell "turris-auth-server --lighttpd-config"
To enable authentication for specific URL you can just add to the relevant
lighttpd configuration section the setting fastcgi.server with server (
turris_auth_scriptname ⇒ turris_auth ).
For Netdata this would look like this:
$HTTP["url"] =~ "^/netdata" {
fastcgi.server = ( "/netdata" => ( turris_auth_scriptname => turris_auth ))
}
Some web applications configure their index page to be cached. The effect is that once accessed the core web page is not requested again and is instead served from cache. This creates an issue, if user logouts or if login timeouts. The user is simply never redirected to login page. The solution is to always force revalidation. The revalidation makes use of cache but only if response is valid so network traffic is somewhat saved. To force revalidation you can add the line:
setenv.add-response-header = ("Cache-Control" => "must-revalidate, proxy-revalidate, max-age=0")
|
Warning
|
The configuration is performed through UCI. The passwords should not be stored
in the plain form they are stored hashed and producing the correct value is
not direct. Because of that, we provide simple tool set-turris-auth. You
should use that to set or change password instead (unless you know what you
are doing).
|
The configuration is stored in UCI config turris-auth. Right now the only
expected section is of type auth with value admin which is expected to
contain:
- password
-
This is hash of password
config auth 'admin' option password '$p5k2$3e8$0rDNDvAY$kymkJgP.A3JR69dEHAr7EDPnsybVqxeW'
Strings in this project can be translated on Weblate.
To pull the latest changes the maintainers have to do:
git remote add weblate https://hosted.weblate.org/git/turris/turris-auth/ git fetch weblate git merge weblate/master
|
Warning
|
The content should be always checked to see if there are not possible injection attempts. |