Skip to content

Latest commit

 

History

History
100 lines (76 loc) · 2.99 KB

README.adoc

File metadata and controls

100 lines (76 loc) · 2.99 KB

Turris Authenticator for web applications

This implements a simple login gateway for Turris web interface. It can be easily applied to any website and that way protects any web application running on the router.

Installation

The installation can be performed as you are used to installing any other Python packages from sources. For example with pip you can run following command in the project directory:

pip3 install .

To make it all work you have to include the appropriate configuration in the Lighttpd. It is enough to include the following line in the configuration file:

include_shell "turris-auth-server --lighttpd-config"

Enable for the web

To enable authentication for specific URL you can just add to the relevant lighttpd configuration section the setting fastcgi.server with server ( turris_auth_scriptname ⇒ turris_auth ).

For Netdata this would look like this:

$HTTP["url"] =~ "^/netdata" {
	fastcgi.server = ( "/netdata" => ( turris_auth_scriptname => turris_auth ))
}

Some web applications configure their index page to be cached. The effect is that once accessed the core web page is not requested again and is instead served from cache. This creates an issue, if user logouts or if login timeouts. The user is simply never redirected to login page. The solution is to always force revalidation. The revalidation makes use of cache but only if response is valid so network traffic is somewhat saved. To force revalidation you can add the line:

setenv.add-response-header = ("Cache-Control" => "must-revalidate, proxy-revalidate, max-age=0")

Configuration

Warning
The configuration is performed through UCI. The passwords should not be stored in the plain form they are stored hashed and producing the correct value is not direct. Because of that, we provide simple tool set-turris-auth. You should use that to set or change password instead (unless you know what you are doing).

The configuration is stored in UCI config turris-auth. Right now the only expected section is of type auth with value admin which is expected to contain:

password

This is hash of password

config auth 'admin'
	option password '$p5k2$3e8$0rDNDvAY$kymkJgP.A3JR69dEHAr7EDPnsybVqxeW'

Localization

Strings in this project can be translated on Weblate.

To pull the latest changes the maintainers have to do:

git remote add weblate https://hosted.weblate.org/git/turris/turris-auth/
git fetch weblate
git merge weblate/master
Warning
The content should be always checked to see if there are not possible injection attempts.