Hey @translit, thanks for reaching out! If you're using a baremetal install the issue is likely that you don't have PATH_INFO enabled on your webserver. If you're using nginx this is as simple as modifying your nginx.conf file to enable PATH_INFO for plugins with "api" in the path. Here's an example of the relevant portion of the official docker image's nginx.conf:
# Allow PATH_INFO for PHP files in plugins.local directories with an /api/ sub directory to allow plugins to leverage when desired
location ~ /plugins\.local/.*/api/.*\.php(/|$) {
    # regex to split $uri to $fastcgi_script_name and $fastcgi_path
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Check that the PHP script exists before passing it
    try_files $fastcgi_script_name =404;
    # Bypass the fact that try_files resets $fastcgi_path_info
    # see: http://trac.nginx.org/nginx/ticket/321
    set $path_info $fastcgi_path_info;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_index index.php;
    include fastcgi.conf;
    set $backend "127.0.0.1:9000";
    fastcgi_pass $backend;
}
If you want another example to compare against you can look at the updated nginx.conf from the awesome-ttrss project.
As this is built into the official docker images I didn't include it in the installation instructions, but as I've seen a few folks run into this I'll update to include it.
Let me know if that resolves the issue!
Thanks, Eric. Still no luck. Tried both versions of the code (without really understanding what it does), but nginx fails to restart:
ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAIL
I guess it's time for me to switch to Docker.
@translit while I do think the docker images are the simplest setup, if you want to stick with your baremetal install post your nginx.conf file here and I'll take a crack at updating it to support path_info
Thank you! Here it is:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Thanks @translit - do you have a separate .conf file (probably in /etc/nginx/sites-enabled/ based on the conf file you posted) for your tt-rss page/site similar to the "ttrss.conf" file from https://davidbeath.com/posts/installing-tiny-tiny-rss-from-scratch/ ? I'm betting you do as your nginx.conf doesn't include a "server" section to serve up the site. If you do would you post the contents of your ttrss.conf (or similarly named file)? The path_info update needs to be included in a "location" section within the "server" config of that conf file. In using the example from davidbeath.com the modified conf file would look like
server {
    listen 80;
    server_name domainname www.domainname;
    root /var/www/ttrss;
    index index.php;
    error_log /var/log/nginx/ttrss.error.log;
    access_log /var/log/nginx/ttrss.access.log;
    location / {
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        include fastcgi.conf; # don't use fastcgi_params
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
    }
    location ~ /plugins\.local/.*/api/.*\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
Thank you, Eric. Below is the unmodified tt-rss file from sites-enabled. I've tried adding all the three versions of the "location" block you've cited (without understanding what they do or how they differ), restarted nginx (status OK), but the clients (Reeder, NNW) still cannot connect.
# vi:syntax=nginx
server {
    listen 80;
    listen [::]:80;
    server_name ttrss.mydomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/ssl-mydomain.com.conf;
    include snippets/ssl-params.conf;
    server_name ttrss.mydomain.com;
    root /usr/share/nginx/ttrss;
    index index.html index.htm index.php;
    access_log /var/log/nginx/ttrss_access.log;
    error_log /var/log/nginx/ttrss_error.log info;
    # Enable SSL verification by certbot/webroot
    location ~ /.well-known {
        allow all;
    }
    location / {
        index index.php;
    }
    location ~ \.php$ {
        try_files $uri =404; #Prevents autofixing of path which could be used for exploit
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}
@translit Thanks for posting!
PATH_INFO is a PHP server parameter that allows URLs to include content in the URL after the PHP file is called, and is something that the FreshRSS and Google Reader APIs rely on. PATH_INFO parameters are the bolded part of the following URL: https://ttrss.mydomain.com/plugins.local/freshapi/api/greader.php**/reader/api/0/stream/contents**
Today PHP servers enable this by default, but there was an exploit that versions of PHP prior to 5.3.9 had which could enable bad actors to execute code on systems using PATH_INFO (more here). This has since been resolved.
Check to see if you've disabled pathinfo in your php.ini file
If you used this guide to set up your server you probably disabled PATH_INFO in your php.ini script (I'm betting this is why things aren't working for you so far). If you did, you can re-enable it by updating the line cgi.fix_pathinfo=0 to cgi.fix_pathinfo=1. If you can't find your php.ini file run php --ini on your command line and it should be at the top of the list.
Update your relevant .conf file (in this case I think you named it ttrss.conf) to include support for PATH_INFO. This is a selective enabling of PATH_INFO, and only tells nginx to use PATH_INFO parameters for php files in the plugins.local folder with "/api/" somewhere in the URL (like freshapi).
# vi:syntax=nginx
server {
    listen 80;
    listen [::]:80;
    server_name ttrss.mydomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    #include snippets/ssl-params.conf;
    server_name ttrss.mydomain.com;
    root /usr/share/nginx/ttrss;
    index index.html index.htm index.php;
    access_log /var/log/nginx/ttrss_access.log;
    error_log /var/log/nginx/ttrss_error.log info;
    # Enable SSL verification by certbot/webroot
    location ~ /.well-known {
        allow all;
    }
    location / {
        index index.php;
    }
    location ~ \.php$ {
        try_files $uri =404; #Prevents autofixing of path which could be used for exploit
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location ~ /plugins\.local/.*/api/.*\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
Let me know if those steps resolve the issue for you - I would still recommend looking at the official docker images as they are pretty easy to set up and keep up to date.
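An added example, not part of the thread or the project's code: a Python emulation of how nginx picks a regex location and applies fastcgi_split_path_info, using the regexes and document root from the configs posted above. It shows that only plugin API paths receive PATH_INFO, and that the two split patterns in this thread disagree when the trailing path contains a second .php segment; the function names and sample paths are constructed for illustration.

```python
import re

# Regexes copied from the configs in this thread. nginx "location ~" is an
# unanchored, case-sensitive search; the first matching regex in file order wins.
LOCATIONS = [
    ("php", re.compile(r"\.php$")),
    ("plugin_api", re.compile(r"/plugins\.local/.*/api/.*\.php(/|$)")),
]
SPLIT_LAZY = re.compile(r"^(.+?\.php)(/.*)$")    # official docker image block
SPLIT_GREEDY = re.compile(r"^(.+\.php)(/.+)$")   # davidbeath-based blocks

def pick_location(uri):
    """Return the name of the first regex location that matches, or None."""
    for name, rx in LOCATIONS:
        if rx.search(uri):
            return name
    return None

def split_path_info(uri, rx):
    """Emulate fastcgi_split_path_info: (script_name, path_info).
    When the regex does not match, the script name stays the whole URI
    and the path info is empty."""
    m = rx.match(uri)
    return (m.group(1), m.group(2)) if m else (uri, "")

def fastcgi_vars(uri, rx, root="/usr/share/nginx/ttrss"):
    """Variables PHP-FPM would receive, or None if no PHP location matches."""
    loc = pick_location(uri)
    if loc is None:
        return None
    # The plain "\.php$" block has no split directive, so PATH_INFO is empty.
    script, info = (uri, "") if loc == "php" else split_path_info(uri, rx)
    return {"location": loc, "SCRIPT_FILENAME": root + script, "PATH_INFO": info}

# Sample request paths: the first two come from the thread, the rest are constructed.
SAMPLES = [
    "/plugins.local/freshapi/api/greader.php",
    "/plugins.local/freshapi/api/greader.php/reader/api/0/stream/contents",
    "/plugins.local/freshapi/api/greader.php/x.php/y",
    "/index.php/reader/api/0",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri)
        print("  lazy  :", fastcgi_vars(uri, SPLIT_LAZY))
        print("  greedy:", fastcgi_vars(uri, SPLIT_GREEDY))
```

For the third sample the greedy pattern hands PHP-FPM a script name ending in greader.php/x.php, a path that does not exist on disk; the docker image's `try_files $fastcgi_script_name =404;` line is the check that rejects such a request before it reaches PHP.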
Thank you, Eric, for your patience and guidance. The solution was indeed to enable PATH_INFO in the php.ini file (it was commented out).
After connecting, I had to install php-gmp to allow the clients to download articles. Now everything seems to be working.
@translit glad to hear all is working! Thanks for opening the issue, I updated the installation instructions to cover baremetal installs and discuss potential PATH_INFO updates.
Thanks for calling out the php-gmp dependency too, I may look at other ways to implement the functionality without needing that library to keep things simpler.
Let me know if you run into any other problems!
Hi Eric.
I'm having issues connecting to my git (bare metal) installation of TT-RSS (not Docker).
When I visit https://ttrss.mydomain.com/plugins.local/freshapi/api/greader.php, I see 'OK'.
But when I attempt to connect, Reeder says 'Login Failed. The requested page was not found on the server. Please verify the URL and try again.' And NetNewsWire says 'Network Error. Try again later'.
I have, of course, followed your instructions for enabling the plugin.
What may I be doing wrong?