EnigmaCurry / d.rymcg.tech

A collection of self-hosted docker-compose projects with Traefik reverse proxy, integrated auth, and administrative Makefiles for easy maintenance
MIT License

add mtls to ttrss #242

Closed mcmikemn closed 3 months ago

mcmikemn commented 3 months ago

Added mTLS to TTRSS and it works fine if you use TTRSS from its web UI. But if you use a client app (e.g., the official Tiny Tiny RSS for Android, or third party Android apps like TTRSS-Reader, Tiny Tiny Feed, Geekttrss), the client app can't connect to the TTRSS Server.

TTRSS does support SSL cert auth, but if that's going to allow client apps to access the TTRSS server via mTLS, installation of TTRSS might need to be something like:

1. `d make step-ca cert` to create the cert you want your Android app to use
2. `d make ttrss config` would ask which cert in `step-ca/certs` you want to use
3. `d make ttrss install` would build the container with a Dockerfile:
   1. copying the cert to the correct directory in the `web-nginx` container
   2. running `sudo update-ca-certificates` in the `web-nginx` container
   3. modifying `nginx.conf` in the `web-nginx` container
   4. restarting nginx in the `web-nginx` container
4. `d make ttrss install` would shred the selected cert files (or maybe ask the user first)
5. `d make ttrss open` and in the TTRSS UI, go to Preferences and scroll to the bottom; under "Login with an SSL certificate" the "Register" button should now be available - click it, then Save configuration.

This PR is probably worth merging as-is, in case someone wants to use TTRSS strictly from its web UI and wants mTLS. But I don't think it's worth the effort of making mTLS work with TTRSS client apps. The official app has support for HTTP Basic Auth.

EnigmaCurry commented 3 months ago

I don't understand why steps 2, 3, 4 need to happen. You should just need to do step 1 and in config allow the cert name.

EnigmaCurry commented 3 months ago

Hmm, it sounded like it wants to register the cert in the webapp itself? That won't work then, because it's not transparent. You need to be able to register the cert in the client only, without needing to configure the ttrss server.

Anyway, it looks good the way it is.

mcmikemn commented 3 months ago

> I don't understand why steps 2, 3, 4 need to happen. You should just need to do step 1 and in config allow the cert name.

You're most likely correct. Step-ca and mTLS is still a bit confusing to me.

I just realized that the TTRSS app itself may not need to know anything about the mTLS certs. I might be able to install the .p12 from step 1 into Android and make sure `TTRSS_MTLS_AUTHORIZED_CERTS=<client cert for my laptop>,<client cert for my android>`, and that might be all it takes.

EnigmaCurry commented 3 months ago

That's what I'm thinking, this should be all you need. If not, open another issue.