On Mon, Dec 17, 2018 at 09:09:12AM +0100, Renaud Allard wrote:
>
>
> On 12/16/18 6:08 PM, Landry Breuil wrote:
> > On Sun, Dec 16, 2018 at 04:15:25PM +0100, Renaud Allard wrote:
> > > Yes, I will make a README telling how to make the UI listen on 127.0.0.1
> > > only and how to proxyfy it. Restricting the listening ports really has to
> > > be made with a firewall at the moment, but that could change in a future
> > > revision.
> >
> > A friend of mine working on traccar pointed me to
> > https://github.com/traccar/traccar/issues/4066 - I think we should patch
> > out the default.xml file so that it doesn't phone home by default.
> >
>
> Here is the diff
> Index: geo/traccar//patches/patch-conf_default_xml
> ===================================================================
> RCS file: /cvs/ports/geo/traccar/patches/patch-conf_default_xml,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 patch-conf_default_xml
> --- geo/traccar//patches/patch-conf_default_xml 16 Dec 2018 15:09:58
> -0000 1.1.1.1
> +++ geo/traccar//patches/patch-conf_default_xml 17 Dec 2018 08:06:40
> -0000
> @@ -1,8 +1,5 @@
> -$OpenBSD: patch-conf_default_xml,v 1.1.1.1 2018/12/16 15:09:58 landry Exp $
> -
> -Index: conf/default.xml
> ---- conf/default.xml.orig
> -+++ conf/default.xml
> +--- conf/default.xml.orig Mon Dec 17 08:12:45 2018
> ++++ conf/default.xml Mon Dec 17 08:13:20 2018
> @@ -12,7 +12,7 @@
>
> <entry key='web.enable'>true</entry>
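Review bot: the first hunk drops the `$OpenBSD: ... $` tag line and the
`Index: conf/default.xml` line from the patch header, and the new
`--- conf/default.xml.orig` / `+++ conf/default.xml` lines now carry
timestamps, so the header no longer has the form the file was imported
with. If this came from a hand-run diff, regenerating the patch with
`make update-patches` should keep the header as it was and limit the
change to the default.xml content.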
> @@ -21,7 +18,7 @@ Index: conf/default.xml
>
> <entry key='filter.enable'>true</entry>
> <entry key='filter.future'>86400</entry>
> -@@ -30,9 +30,10 @@
> +@@ -30,17 +30,16 @@
> <entry key='processing.computedAttributes.enable'>true</entry>
> <entry key='processing.engineHours.enable'>true</entry>
>
> @@ -30,10 +27,10 @@ Index: conf/default.xml
>
> <entry key='notificator.types'>web,mail</entry>
> + <entry
> key='templates.rootPath'>${LOCALBASE}/share/traccar/templates</entry>
> -
> - <entry
> key='server.statistics'>https://www.traccar.org/analytics/</entry>
>
> -
> -@@ -40,7 +40,7 @@
> +
> +- <entry
> key='server.statistics'>https://www.traccar.org/analytics/</entry>
> +-
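Review bot: the README lines shown in this diff do not tell the user that
the `server.statistics` entry, removed from conf/default.xml in this hunk,
has been dropped by the port, or which key restores it. A sentence in the
README naming `server.statistics` and the removed value would document the
deviation from the upstream default.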
Right, looking at
https://github.com/traccar/traccar/blob/9c9370f72c51d7466d3b25a59264ee98f4319b3a/src/org/traccar/database/StatisticsManager.java#L72
shows that if server.statistics is not defined, it shouldn't try to post.
> +Listening locally can be achieved by putting the following stanza in
> traccar.xml
> +
> + <entry key='web.address'>127.0.0.1</entry>
Why not do it by default then? :)
> +Then you will need to configure a reverse proxy to make the UI available.
> +The following is an example using nginx as an SSL reverse proxy:
> +
> +server {
> + add_header Cache-Control no-cache;
> + add_header x-frame-options SAMEORIGIN;
> + add_header X-Content-Type-Options nosniff;
> + add_header X-XSS-Protection "1; mode=block";
> +
> + listen 443;
> + listen [::]:443;
> +
> + expires 31d;
> + ssl On;
> + ssl_certificate fullcert_nokey.pem;
> + ssl_certificate_key privkey.pem;
> + server_name traccar.example.com;
> + root /var/empty;
> +
> + location / {
> + proxy_pass http://127.0.0.1:8082/;
> + proxy_set_header Host $host;
> + proxy_http_version 1.1;
> + proxy_set_header Upgrade $http_upgrade;
> + proxy_set_header Connection "upgrade";
> + proxy_buffering off;
> + proxy_connect_timeout 43200000;
> + proxy_send_timeout 43200000;
> + proxy_read_timeout 43200000;
> + proxy_redirect off;
> + proxy_set_header Proxy "";
> + proxy_cookie_path /api "/api; secure; HttpOnly";
> + }
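Review bot: the three `proxy_*_timeout 43200000;` lines in `location /`
have no unit, and nginx reads a bare number as seconds, which makes this
about 500 days; if 12 hours was meant, `proxy_read_timeout 12h;` (or 43200)
says so. At server level, `expires 31d;` and
`add_header Cache-Control no-cache;` send conflicting caching headers on
every proxied response, so one of the two should go. `ssl On;` next to a
bare `listen 443;` is the deprecated form; `listen 443 ssl;` on both
listen lines replaces it.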
Nice, where is this vhost coming from? I don't think you need to specify
root. I have a slightly different one but I'm not sure of all bits:
location / {
    proxy_pass http://localhost:8082;
}
location /api/socket {
    proxy_pass http://localhost:8082/api/socket;
    proxy_buffers 8 32k;
    proxy_buffer_size 64k;
    proxy_read_timeout 86400;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
I'm not sure of the api/socket thing for websockets nor the timeouts,
but to me only this path should have the upgrade/connection thing.
Why the proxy_cookie_path?
Landry
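
Added example, not part of the thread or of the port: a small audit of the two settings discussed above (the `server.statistics` entry and the `web.address` bind address) over the effective configuration. The sample file contents are constructed, and the assumption that entries in traccar.xml override those in default.xml is mine; the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample contents, not the port's real files.
DEFAULT_XML = """<properties>
    <entry key='web.enable'>true</entry>
    <entry key='web.port'>8082</entry>
    <entry key='server.statistics'>https://www.traccar.org/analytics/</entry>
</properties>"""

TRACCAR_XML = """<properties>
    <entry key='web.address'>127.0.0.1</entry>
</properties>"""


def load_entries(xml_text):
    """Return {key: value} for every <entry key='...'> in a properties file."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}


def effective_config(default_xml, local_xml):
    """Merge both files. Assumption: local entries override the defaults."""
    merged = load_entries(default_xml)
    merged.update(load_entries(local_xml))
    return merged


def audit(config):
    """Return findings for the two settings discussed in the thread."""
    findings = []
    # The thread's reading of StatisticsManager: no key defined, no post.
    if "server.statistics" in config:
        findings.append("server.statistics is defined: %r" % config["server.statistics"])
    if config.get("web.enable", "").lower() == "true":
        addr = config.get("web.address", "")
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # unset or a hostname: not provably local
        if not loopback:
            findings.append("web.address is %s: UI not limited to loopback" % (addr or "unset"))
    return findings


if __name__ == "__main__":
    for line in audit(effective_config(DEFAULT_XML, TRACCAR_XML)):
        print(line)
```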