Merge pull request FreshRSS#2220 from FreshRSS/dev

FreshRSS 1.13.1
Leepic · Jan 26, 2019 · 8dcdde6 · 8dcdde6
2 parents f0a3596 + 38e8e26
commit 8dcdde6
Show file tree

Hide file tree

Showing 57 changed files with 428 additions and 171 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,38 @@
 # FreshRSS changelog
 
+## 2019-01-26 FreshRSS 1.13.1
+
+* Features
+	* Include articles with custom labels during export [#2196](https://github.com/FreshRSS/FreshRSS/issues/2196)
+	* Export/import articles read/unread state [#2226](https://github.com/FreshRSS/FreshRSS/pull/2226)
+	* Import FeedBin, and more robust general import [#2228](https://github.com/FreshRSS/FreshRSS/pull/2228)
+* Bug fixing
+	* Fix missing HTTP `X-Forwarded-Prefix` in cookie path behind a reverse-proxy [#2201](https://github.com/FreshRSS/FreshRSS/pull/2201)
+* Deployment
+	* Docker improvements [#2202](https://github.com/FreshRSS/FreshRSS/pull/2202)
+		* Performance: Hard-include Apache .htaccess to avoid having to scan for changes in those files
+		* Performance: Disable unused Apache security check of symlinks
+		* Performance: Disable unused Apache modules
+		* Add option to mount custom `.htaccess` for HTTP authentication
+		* Docker logs gets PHP syslog messages (e.g. from cron job and when fetching external content)
+	* New environment variable `COPY_SYSLOG_TO_STDERR` or in `constants.local.php` to copy PHP syslog messages to STDERR [#2213](https://github.com/FreshRSS/FreshRSS/pull/2213)
+	* New `TZ` timezone environment variable [#2153](https://github.com/FreshRSS/FreshRSS/issues/2153)
+	* Run Docker cron job with Apache user instead of root [#2208](https://github.com/FreshRSS/FreshRSS/pull/2208)
+	* Accept HTTP header `X-WebAuth-User` for delegated HTTP Authentication [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204)
+* Extensions
+	* Trigger a `freshrss:openArticle` JavaScript event [#2222](https://github.com/FreshRSS/FreshRSS/pull/2222)
+* API
+	* Automatic test of API configuration [#2207](https://github.com/FreshRSS/FreshRSS/pull/2207)
+	* Performance + compatibility: Use Apache `SetEnvIf` module if available and fall-back to `RewriteRule` [#2202](https://github.com/FreshRSS/FreshRSS/pull/2202)
+* Security
+	* Fixes when HTTP user does not exist in FreshRSS [#2204](https://github.com/FreshRSS/FreshRSS/pull/2204)
+* I18n
+	* Improve Dutch [#2221](https://github.com/FreshRSS/FreshRSS/pull/2221)
+	* Improve Occitan [#2230](https://github.com/FreshRSS/FreshRSS/pull/2230)
+* Accessibility
+	* Remove alt in logo [#2209](https://github.com/FreshRSS/FreshRSS/pull/2209)
+
+
 ## 2018-12-22 FreshRSS 1.13.0
 
 * API
@@ -24,7 +57,7 @@
 		[#1620](https://github.com/FreshRSS/FreshRSS/issues/1620), [#2089](https://github.com/FreshRSS/FreshRSS/pull/2089),
 		[#2122](https://github.com/FreshRSS/FreshRSS/pull/2122), [#2161](https://github.com/FreshRSS/FreshRSS/pull/2161)
 * Deployment
-	* Support for `HTTP_X_FORWARDED_PREFIX` to ease the use of reverse proxies [#2191](https://github.com/FreshRSS/FreshRSS/pull/2191)
+	* Support for HTTP `X-Forwarded-Prefix` to ease the use of reverse proxies [#2191](https://github.com/FreshRSS/FreshRSS/pull/2191)
 		* Updated Docker + Træfik + Let’s Encrypt deployment guide [#2189](https://github.com/FreshRSS/FreshRSS/pull/2189)
 	* Docker image updated to Alpine 3.8.2 with PHP 7.2.13 and Apache 2.4.35
 	* Fix `.dockerignore` [#2195](https://github.com/FreshRSS/FreshRSS/pull/2195)

diff --git a/Docker/Dockerfile b/Docker/Dockerfile
@@ -1,24 +1,31 @@
 FROM alpine:3.8
 
+ENV TZ UTC
+
 RUN apk add --no-cache \
 	apache2 php7-apache2 \
 	php7 php7-curl php7-gmp php7-intl php7-mbstring php7-xml php7-zip \
 	php7-ctype php7-dom php7-fileinfo php7-iconv php7-json php7-session php7-simplexml php7-xmlreader php7-zlib \
-	php7-pdo_sqlite \
-	php7-pdo_mysql \
-	php7-pdo_pgsql
+	php7-pdo_sqlite php7-pdo_mysql php7-pdo_pgsql
 
-ENV FRESHRSS_ROOT /var/www/FreshRSS
-RUN mkdir -p ${FRESHRSS_ROOT} /run/apache2/
-WORKDIR ${FRESHRSS_ROOT}
+RUN mkdir -p /var/www/FreshRSS /run/apache2/
+WORKDIR /var/www/FreshRSS
 
-COPY . ${FRESHRSS_ROOT}
+COPY . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
 
-RUN sed -r -i "/^[ ]*(CustomLog|ErrorLog|Listen) /s/^/#/" /etc/apache2/httpd.conf && \
-	echo "17,37 * * * * php ${FRESHRSS_ROOT}/app/actualize_script.php 2>&1 | tee /tmp/FreshRSS.log" >> \
+RUN rm -f /etc/apache2/conf.d/languages.conf /etc/apache2/conf.d/info.conf \
+		/etc/apache2/conf.d/status.conf /etc/apache2/conf.d/userdir.conf && \
+	sed -r -i "/^\s*LoadModule .*mod_(alias|autoindex|negotiation|status).so$/s/^/#/" \ 
+		/etc/apache2/httpd.conf && \
+	sed -r -i "/^\s*#\s*LoadModule .*mod_(deflate|expires|headers|mime|setenvif).so$/s/^\s*#//" \ 
+		/etc/apache2/httpd.conf && \
+	sed -r -i "/^\s*(CustomLog|ErrorLog|Listen) /s/^/#/" \
+		/etc/apache2/httpd.conf && \
+	echo "17,37 * * * * su apache -s /bin/sh -c 'php /var/www/FreshRSS/app/actualize_script.php' 2>> /proc/1/fd/2 > /tmp/FreshRSS.log" >> \
 		/var/spool/cron/crontabs/root
 
+ENV COPY_SYSLOG_TO_STDERR On
 ENV CRON_MIN ''
 ENTRYPOINT ["./Docker/entrypoint.sh"]
 

diff --git a/Docker/FreshRSS.Apache.conf b/Docker/FreshRSS.Apache.conf
@@ -1,27 +1,27 @@
-<IfModule !deflate_module>
-	LoadModule deflate_module modules/mod_deflate.so
-</IfModule>
-<IfModule !expires_module>
-	LoadModule expires_module modules/mod_expires.so
-</IfModule>
-<IfModule !headers_module>
-	LoadModule headers_module modules/mod_headers.so
-</IfModule>
-<IfModule !mime_module>
-	LoadModule mime_module modules/mod_mime.so
-</IfModule>
-<IfModule !rewrite_module>
-	LoadModule rewrite_module modules/mod_rewrite.so
-</IfModule>
-
 ServerName freshrss.localhost
 Listen 0.0.0.0:80
 DocumentRoot /var/www/FreshRSS/p/
 CustomLog /dev/stdout combined
 ErrorLog /dev/stderr
 AllowEncodedSlashes On
 
+<Directory />
+	AllowOverride None
+	Options FollowSymLinks
+	Require all denied
+</Directory>
+
 <Directory /var/www/FreshRSS/p>
-	AllowOverride AuthConfig FileInfo Indexes Limit
+	AllowOverride None
+	Include /var/www/FreshRSS/p/.htaccess
+	Options FollowSymLinks
 	Require all granted
 </Directory>
+
+<Directory /var/www/FreshRSS/p/api>
+	Include /var/www/FreshRSS/p/api/.htaccess
+</Directory>
+
+<Directory /var/www/FreshRSS/p/i>
+	IncludeOptional /var/www/FreshRSS/p/i/.htaccess
+</Directory>
diff --git a/Docker/README.md b/Docker/README.md
@@ -66,6 +66,7 @@ sudo docker volume create freshrss-data
 sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
   -v freshrss-data:/var/www/FreshRSS/data \
   -e 'CRON_MIN=4,34' \
+  -e TZ=Europe/Paris \
   --net freshrss-network \
   --label traefik.port=80 \
   --label traefik.frontend.rule='Host:freshrss.example.net' \
@@ -74,6 +75,7 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
   --name freshrss freshrss/freshrss
 ```
 
+* Replace `TZ=Europe/Paris` by your [server timezone](http://php.net/timezones), or remove the line to use `UTC`.
 * If you cannot have FreshRSS at the root of a dedicated domain, update the command above according to the following model:
 	`--label traefik.frontend.rule='Host:freshrss.example.net;PathPrefixStrip:/FreshRSS/' \`
 * You may remove the `--label traefik.*` lines if you do not use Træfik.
@@ -205,6 +207,27 @@ sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
 
 ## More deployment options
 
+### Custom Apache configuration (advanced users)
+
+Changes in Apache `.htaccess` files are applied when restarting the container.
+In particular, if you want FreshRSS to use HTTP-based login (instead of the easier Web form login), you can mount your own `./FreshRSS/p/i/.htaccess`:
+
+```
+sudo docker run ...
+  -v /your/.htaccess:/var/www/FreshRSS/p/i/.htaccess \
+  -v /your/.htpasswd:/var/www/FreshRSS/data/.htpasswd \
+  ...
+  --name freshrss freshrss/freshrss
+```
+
+Example of `/your/.htaccess` referring to `/your/.htpasswd`:
+```
+AuthUserFile /var/www/FreshRSS/data/.htpasswd
+AuthName "FreshRSS"
+AuthType Basic
+Require valid-user
+```
+
 ### Example with [docker-compose](https://docs.docker.com/compose/)
 
 A [docker-compose.yml](docker-compose.yml) file is given as an example, using PostgreSQL. In order to use it, you have to adapt:

diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
@@ -5,6 +5,8 @@ php -f ./cli/prepare.php > /dev/null
 chown -R :www-data .
 chmod -R g+r . && chmod -R g+w ./data/
 
+find /etc/php*/ -name php.ini -exec sed -r -i "\#^;?date.timezone#s#^.*#date.timezone = $TZ#" {} \;
+
 if [ -n "$CRON_MIN" ]; then
 	sed -r -i "\#FreshRSS#s#^[^ ]+ #$CRON_MIN #" /var/spool/cron/crontabs/root
 fi

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
@@ -79,8 +79,12 @@ public function loginAction() {
 			Minz_Request::forward(array('c' => 'auth', 'a' => 'formLogin'));
 			break;
 		case 'http_auth':
+			Minz_Error::error(403, array('error' => array(_t('feedback.access.denied'),
+					' [HTTP Remote-User=' . htmlspecialchars(httpAuthUser(), ENT_NOQUOTES, 'UTF-8') . ']'
+				)), false);
+			break;
 		case 'none':
-			// It should not happened!
+			// It should not happen!
 			Minz_Error::error(404);
 		default:
 			// TODO load plugin instead