Closed GildedHonour closed 6 years ago
Sorry, I don't understand what you mean. This server expects all requests to be authenticated with a token obtained from https://accounts.firefox.com, or if configured, from a self-hosted version of the FxA server stack.
I think what @GildedHonour and I want to know is if there is a way to make the syncserver not public so that every user could point can store their data on a self-hosted instance. I don't care so much about legitimate users but spammers that might abuse this in one way or the other.
There's an allow_new_users config option that can be used for this:
https://github.com/mozilla-services/syncserver/blob/master/syncserver.ini#L34
The idea is that you set it to true, get the accounts you want to use up and running, and then flip it to false to prevent other users from using the server.
Thanks. That makes sense.
Hi, when I set allow_new_users to false, I can not sync again (even old user), any idea?
@johnwmail does about:sync-log show any error logs that might provide some clues?
@rfk Yes, attached error log and syncserver.ini: error-sync-1542685958005.txt, syncserver.ini.txt. Please let me know if you need any more information. Thanks
OK, looks like the server is throwing an "Internal Server Error", do you get any output in server-side logs?
No, the nginx error log is nothing/empty, and the access log is very normal, I attached the access log. If I comment the " #allow_new_users = false", everything works just fine. Thanks. nginx.log
Are you running under gunicorn with nginx as a proxy? If so, there may be output from the gunicorn process that's separate to the nginx logs (but the location of that output will vary greatly depending on how you're running gunicorn)
Yes, I am running gunicorn with nginx as a proxy
I add this to /etc/rc.local:
```
/opt/syncserver/local/bin/python2 /opt/syncserver/local/bin/gunicorn --forwarded-allow-ips 10.10.10.150 --paste /opt/syncserver/syncserver.ini
```
10.10.10.150 is the nginx reverse proxy, 10.10.10.154 is gunicorn, and sync.mydomain.net points to 10.10.10.150,
and the related nginx config is like this:
```nginx
location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_redirect off;
    proxy_read_timeout 120;
    proxy_connect_timeout 10;
    proxy_pass http://10.10.10.154:5000/;
}
```
> I add this to /etc/rc.local
Does this send its output somewhere standard? I'm not very familiar with running things via rc.local. You could try gunicorn in the foreground in a terminal rather than via rc.local in order to see any output it produces.
Ok, I attached the log. The system running gunicorn is debian/lxc and the python version is Python 2.7.15+. Thanks.
Sorry, forgot to attach: gnuicorn.log
I noticed the log has some errors with "encode" and "utf8"... but I do not know what they mean :(
Aha, this I recognize:
AttributeError("'list' object has no attribute 'encode'",)
It's treating the config item "secret" from as a list rather than a string. I suspect this is caused by the leading space on "allow_new_users = false", which in your config file appears like this:
```ini
# Set this to "false" to disable new-user signups on the server.
# Only requests by existing accounts will be honoured.
 allow_new_users = false
```
Please try deleting the space character before "allow_new_users" and see if that helps.
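Added example, not part of the thread or of the syncserver code: it reproduces the continuation-line behaviour with Python's standard configparser (a stand-in for the server's own config loader) and adds a small lint for indented `key = value` lines. The `[syncserver]` section name, the placeholder secret and the helper names are assumptions made for this sketch. With the leading space, the signup lock never becomes an option and the text is folded into `secret` instead.

```python
import configparser
import re

# Constructed sample: the secret is a placeholder, and the last line keeps
# the single leading space described in the thread.
SAMPLE_INI = """\
[syncserver]
secret = CONSTRUCTED-PLACEHOLDER
# Set this to "false" to disable new-user signups on the server.
# Only requests by existing accounts will be honoured.
 allow_new_users = false
"""

# An indented line that looks like "key = value" is almost never meant
# to be a continuation of the previous option's value.
INDENTED_OPTION = re.compile(r"^[ \t]+([A-Za-z_][\w.-]*)\s*[=:]")


def load_section(text, section="syncserver"):
    """Parse INI text with the stdlib parser and return one section as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser[section])


def find_indented_options(text):
    """Return (line_number, option_name) for each indented key = value line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = INDENTED_OPTION.match(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def strip_option_indent(text):
    """Remove leading whitespace from the lines the lint flags."""
    flagged = {lineno for lineno, _ in find_indented_options(text)}
    lines = text.splitlines()
    return "\n".join(line.lstrip() if i in flagged else line
                     for i, line in enumerate(lines, start=1)) + "\n"


if __name__ == "__main__":
    print(load_section(SAMPLE_INI))            # no allow_new_users key, secret altered
    print(find_indented_options(SAMPLE_INI))   # the line to fix
    print(load_section(strip_option_indent(SAMPLE_INI)))
```

Running the lint over a config before restarting the service catches the case where a hardening option is silently absent rather than rejected.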
Yes, it works after deleting the "space character". And thank you :) :+1:
Glad to hear it :-)
How to add authentication? Does it support it?