mirror of
https://github.com/CyberMind-FR/secubox-deb.git
synced 2026-07-01 03:17:32 +00:00
Compare commits
No commits in common. "658ae8a36868328b4c0d979738d3762a77f98a06" and "c3cfd512d76d51cd5333186f901006b9d5d69b27" have entirely different histories.
658ae8a368
...
c3cfd512d7
|
|
@ -1,21 +1,3 @@
|
||||||
secubox-authelia (1.0.10-1~bookworm1) bookworm; urgency=medium
|
|
||||||
|
|
||||||
* Remove Authelia SSO entirely.
|
|
||||||
- nginx/authelia.conf: reduced to a permissive no-op gate. The
|
|
||||||
/__sbx_auth_verify auth_request endpoint now returns 200 for every
|
|
||||||
request; @sbx_auth_login is a harmless fallback to the app root.
|
|
||||||
Retained only because grafana/lyrion/yacy/rustdesk/fmrelay/zigbee/
|
|
||||||
nextcloud vhosts still reference these two named locations — without
|
|
||||||
them nginx fails to load. No SSO portal, no session check, no
|
|
||||||
Authelia socket dependency. Fixes the dead-portal 302 that produced
|
|
||||||
a password prompt on LAN clients.
|
|
||||||
- debian/postinst: stop enabling the FastAPI daemon; disable + mask
|
|
||||||
secubox-authelia.service so it cannot be resurrected.
|
|
||||||
- Apps keep their own native auth; LAN/exposure boundaries are
|
|
||||||
enforced by HAProxy + the WAF, not by this layer.
|
|
||||||
|
|
||||||
-- Gerald KERMA <devel@cybermind.fr> Mon, 29 Jun 2026 10:00:00 +0200
|
|
||||||
|
|
||||||
secubox-authelia (1.0.9-1~bookworm1) bookworm; urgency=medium
|
secubox-authelia (1.0.9-1~bookworm1) bookworm; urgency=medium
|
||||||
|
|
||||||
* Split SSO portal from operator dashboard (#310):
|
* Split SSO portal from operator dashboard (#310):
|
||||||
|
|
|
||||||
|
|
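Review bot: the 1.0.10 entry in the left column (658ae8a368) states "Apps keep their own native auth", but the right-column comment in nginx/authelia.conf lists yacy, rustdesk-web and mitmproxy-web as "SSO-less backends" that sit behind `auth_request /__sbx_auth_verify;` precisely because they have no login of their own; once the gate is reduced to `return 200` those vhosts answer unauthenticated requests unless HAProxy or the WAF blocks them, so the changelog should name them and say what now protects each one instead of the blanket "native auth" claim. It should also record what happens to the other Authelia-side files the right column still references (secubox-lan-geo.conf, the sso.gk2.secubox.in vhost, the /api/v1/authelia/ control-plane API and the /auth/ dashboard), since this hunk only describes postinst and nginx/authelia.conf.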
@ -25,12 +25,10 @@ case "$1" in
|
||||||
nginx -t >/dev/null 2>&1 && systemctl reload nginx 2>/dev/null || true
|
nginx -t >/dev/null 2>&1 && systemctl reload nginx 2>/dev/null || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Authelia SSO removed: never start/enable the daemon. Mask it so a
|
|
||||||
# stale unit or sibling dependency cannot resurrect it. The nginx
|
|
||||||
# gate is now a permissive no-op (see nginx/authelia.conf).
|
|
||||||
systemctl daemon-reload 2>/dev/null || true
|
systemctl daemon-reload 2>/dev/null || true
|
||||||
systemctl disable --now secubox-authelia.service 2>/dev/null || true
|
systemctl enable secubox-authelia.service 2>/dev/null || true
|
||||||
systemctl mask secubox-authelia.service 2>/dev/null || true
|
# Do not start the FastAPI before the LXC is provisioned;
|
||||||
|
# `autheliactl install` will start the service after the LXC is up.
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
|
||||||
|
|
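Review bot: `systemctl disable --now` before `systemctl mask` is the right order, but the comment "a stale unit or sibling dependency cannot resurrect it" should state the consequence for dependents: a sibling unit with `Requires=secubox-authelia.service` will now fail to start because the unit is masked, while `Wants=` dependents simply skip it, so any unit that still pulls the daemon in needs its dependency relaxed or dropped. Every call also ends in `2>/dev/null || true`, so a stop that fails (daemon still bound to /run/secubox/authelia.sock from 1.0.9) is invisible at install time; consider a final `systemctl is-active --quiet secubox-authelia.service && echo "secubox-authelia still running" >&2` so the operator sees it, the same way the surrounding `nginx -t ... || true` silently skips the reload when the retained no-op config fails to parse.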
@ -1,26 +1,66 @@
|
||||||
# /etc/nginx/secubox.d/authelia.conf
|
# /etc/nginx/secubox.d/authelia.conf + /etc/nginx/secubox-routes.d/authelia.conf
|
||||||
|
# Installed by secubox-authelia (#239, split per #310)
|
||||||
#
|
#
|
||||||
# Authelia SSO has been REMOVED from SecuBox. This file is retained as a
|
# Authelia exposes:
|
||||||
# permissive no-op only because several app vhosts (grafana, lyrion, yacy,
|
# /api/v1/authelia/ → host FastAPI on Unix socket (CTL surface + /verify)
|
||||||
# rustdesk, fmrelay, zigbee, nextcloud) still carry the directives
|
# /auth/ → SecuBox AUTH config module (static dashboard)
|
||||||
# auth_request /__sbx_auth_verify;
|
# — control / status / metrics. NOT the portal.
|
||||||
# error_page 401 = @sbx_auth_login;
|
|
||||||
# in their location blocks. Without the two named locations below, nginx
|
|
||||||
# would fail to load. The gate now allows every request unconditionally —
|
|
||||||
# there is no SSO portal, no session check, no Authelia socket dependency.
|
|
||||||
#
|
#
|
||||||
# Apps keep their own native authentication (Grafana login, Nextcloud
|
# The actual Authelia portal lives on its own public vhost at
|
||||||
# login, etc.). LAN/exposure boundaries are enforced by HAProxy + the WAF,
|
# sso.gk2.secubox.in (see /etc/nginx/sites-available/authelia.conf).
|
||||||
# not by this layer.
|
# Sibling SSO-gated apps redirect to sso.gk2.secubox.in/?rd=… for login.
|
||||||
|
|
||||||
# Always-allow gate. auth_request succeeds for every request.
|
# Host control-plane API. Drives the SecuBox AUTH config UI below.
|
||||||
|
location /api/v1/authelia/ {
|
||||||
|
rewrite ^/api/v1/authelia/(.*)$ /$1 break;
|
||||||
|
proxy_pass http://unix:/run/secubox/authelia.sock;
|
||||||
|
include /etc/nginx/snippets/secubox-proxy.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
# SecuBox AUTH config module — static dashboard (control + status metrics).
|
||||||
|
# Calls /api/v1/authelia/* for sessions, components, access policy etc.,
|
||||||
|
# and offers an "Open SSO Portal →" button to https://sso.gk2.secubox.in/.
|
||||||
|
location /auth/ {
|
||||||
|
alias /usr/share/secubox/www/authelia/;
|
||||||
|
try_files $uri $uri/ /auth/index.html;
|
||||||
|
}
|
||||||
|
|
||||||
|
# nginx `auth_request` endpoint for SSO-less backends (yacy, rustdesk-web,
|
||||||
|
# mitmproxy-web). Backends include `auth_request /__sbx_auth_verify;` in
|
||||||
|
# their location blocks.
|
||||||
|
#
|
||||||
|
# LAN bypass: clients on trusted internal networks (LAN, LXC bridges,
|
||||||
|
# localhost) are allowed without an Authelia session — short-circuit
|
||||||
|
# with `return 200`. The `$lan_client` variable is defined by
|
||||||
|
# /etc/nginx/conf.d/secubox-lan-geo.conf (shipped by this package).
|
||||||
|
#
|
||||||
|
# Authelia's /api/verify needs the original URL/host to (a) pick the right
|
||||||
|
# session.cookies[] entry for session lookup (Authelia is multi-cookie:
|
||||||
|
# maegia.tv + the SecuBox hub domain) and (b) apply access_control rules.
|
||||||
|
# Without X-Original-URL the verify call defaults to the first cookies[]
|
||||||
|
# entry — the session created under the second domain is not found and
|
||||||
|
# Authelia returns 401 → infinite redirect loop with /auth/?rd=…
|
||||||
location = /__sbx_auth_verify {
|
location = /__sbx_auth_verify {
|
||||||
internal;
|
internal;
|
||||||
return 200;
|
if ($lan_client) { return 200; }
|
||||||
|
proxy_pass http://unix:/run/secubox/authelia.sock:/verify;
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
proxy_set_header Cookie $http_cookie;
|
||||||
|
proxy_set_header Authorization $http_authorization;
|
||||||
|
proxy_set_header X-Original-URL https://$host$request_uri;
|
||||||
|
proxy_set_header X-Forwarded-Method $request_method;
|
||||||
|
proxy_set_header X-Forwarded-Proto https;
|
||||||
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
proxy_set_header X-Forwarded-Uri $request_uri;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Fallback target for any lingering `error_page 401`. Never reached while
|
# Named location consumed by every SSO-gated backend on the canonical hub
|
||||||
# the gate above returns 200; sends the user back to the app root.
|
# vhost (zigbee, lyrion, future apps) via `error_page 401 = @sbx_auth_login;`.
|
||||||
|
# 401 from auth_request → 302 to the public Authelia portal vhost
|
||||||
|
# (sso.gk2.secubox.in), carrying the original URL in `rd` so the user
|
||||||
|
# lands back where they started post-login.
|
||||||
location @sbx_auth_login {
|
location @sbx_auth_login {
|
||||||
return 302 https://$host/;
|
return 302 https://sso.gk2.secubox.in/?rd=https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
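Review bot: `location = /__sbx_auth_verify { internal; return 200; }` is fail-open for every vhost that carries `auth_request /__sbx_auth_verify;`, including the backends the right-column comment calls "SSO-less" (yacy, rustdesk-web, mitmproxy-web), for which this gate was the only authentication. If the intended policy is LAN-only access, keep the `$lan_client` variable from /etc/nginx/conf.d/secubox-lan-geo.conf that the right column already uses and make the gate fail closed off-LAN, i.e. `if ($lan_client) { return 200; }` followed by `return 403;`, instead of relying on HAProxy/WAF rules this file cannot see. The fallback `return 302 https://$host/;` in `@sbx_auth_login` reflects the client-supplied Host header; it is unreachable while the gate returns 200, but a fixed server name would be safer should the 401 path ever be hit again.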
@ -14,10 +14,7 @@ import asyncio
|
||||||
import os
|
import os
|
||||||
import time
|
import time
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
try:
|
import netstats # #758 — shared collector/reader module
|
||||||
from . import netstats # uvicorn `api.main:app` / aggregator import
|
|
||||||
except ImportError: # standalone with api/ on sys.path (collector)
|
|
||||||
import netstats # #758 — shared collector/reader module
|
|
||||||
|
|
||||||
app = FastAPI(title="secubox-hub", version="1.7.0", root_path="/api/v1/hub")
|
app = FastAPI(title="secubox-hub", version="1.7.0", root_path="/api/v1/hub")
|
||||||
|
|
||||||
|
|
|
||||||
|
|
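Review bot: the `except ImportError` around `from . import netstats` also catches an ImportError raised inside netstats.py itself (a missing dependency), after which the bare `import netstats` fails under `uvicorn api.main:app` with a ModuleNotFoundError that hides the real cause, reproducing the crash-loop with a misleading traceback. Select the import path by how the module was loaded rather than by catching the error, e.g. `if __package__: from . import netstats` / `else: import netstats`, so a genuine import failure surfaces unchanged. Separately, the unchanged context `app = FastAPI(title="secubox-hub", version="1.7.0", ...)` disagrees with the package version 1.5.1 in the accompanying changelog; if 1.7.0 is the API schema version, say so in a comment, otherwise bump it with the package.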
@ -1,15 +1,3 @@
|
||||||
secubox-hub (1.5.1-1~bookworm1) bookworm; urgency=medium
|
|
||||||
|
|
||||||
* fix(#758): hub crash-loop — `import netstats` could not resolve.
|
|
||||||
netstats.py ships in the api/ package, but the service runs
|
|
||||||
`uvicorn api.main:app` with WorkingDirectory=/usr/lib/secubox/hub,
|
|
||||||
so the bare top-level import failed with ModuleNotFoundError and the
|
|
||||||
unit restarted ~9000 times. main.py now does `from . import netstats`
|
|
||||||
with a fallback to the top-level import (kept for the collector, which
|
|
||||||
adds api/ to sys.path explicitly). No API change.
|
|
||||||
|
|
||||||
-- Gerald KERMA <devel@cybermind.fr> Mon, 29 Jun 2026 10:30:00 +0200
|
|
||||||
|
|
||||||
secubox-hub (1.5.0-1~bookworm1) bookworm; urgency=medium
|
secubox-hub (1.5.0-1~bookworm1) bookworm; urgency=medium
|
||||||
|
|
||||||
* feat(#758): nft-based network-stats collector — root oneshot+timer samples
|
* feat(#758): nft-based network-stats collector — root oneshot+timer samples
|
||||||
|
|
|
||||||
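Review bot: the 1.5.1 entry's "fallback to the top-level import (kept for the collector, which adds api/ to sys.path explicitly)" should warn that the two paths bind different module names: under uvicorn the module is `api.netstats`, under the collector it is `netstats`, and a process that takes both ends up with two copies of netstats.py and two sets of its module-level state. Record which process uses which path so the next change does not combine them, and note that the fallback only helps the collector, not the service unit named in the entry.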