Updated SSO logic for webmails. Fixed small bug rate limiting.

3 years ago · 44d2448412
parent f9eee0cbaf
commit 44d2448412
5 changed files with 30 additions and 19 deletions
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@ -41,7 +41,7 @@ def nginx_authentication():
    elif is_valid_user:
        utils.limiter.rate_limit_user(username, client_ip)
    else:
-        rate_limit_ip(client_ip)
+        utils.limiter.rate_limit_ip(client_ip)
    return response

@internal.route("/auth/admin")
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@ -11,13 +11,13 @@ def login():
    form = forms.LoginForm()
    endpoint = flask.request.args.get('next', 'ui.index')

-    if str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint != 'ui.webmail':
+    if str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint != 'ui.webmail':
        form.target.choices = [('Admin', 'Admin'), ('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint == 'ui.webmail':
+    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint == 'ui.webmail':
        form.target.choices = [('Webmail', 'Webmail'), ('Admin', 'Admin')]
-    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper == 'NONE':
+    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() == 'FALSE':
        form.target.choices = [('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper == 'NONE' and str(app.config['ADMIN']).upper != 'NONE':
+    elif str(app.config['WEBMAIL']).upper() == 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE':
        form.target.choices = [('Admin', 'Admin')]

    if form.validate_on_submit():
@ -36,4 +36,10 @@ def login():
            client_ip = flask.request.headers["X-Real-IP"] if 'X-Real-IP' in flask.request.headers else flask.request.remote_addr
            flask.current_app.logger.warn(f'Login failed for {str(form.email.data)} from {client_ip}.')
    return flask.render_template('login.html', form=form, endpoint=endpoint)
-    
+    
+@sso.route('/logout', methods=['GET'])
+@access.authenticated
+def logout():
+    flask_login.logout_user()
+    flask.session.destroy()
+    return flask.redirect(flask.url_for('.login'))
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@ -146,6 +146,12 @@ http {
        rewrite /sso/static/(.*) /static/$1 permanent;
      }

+      location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout {
+        include /etc/nginx/proxy.conf;
+        rewrite ^{{ WEB_WEBMAIL }}/sso/ui/logout$ /sso/logout break;
+        proxy_pass http://$admin;
+      }
+
      location ^~ /ui/language {
        include /etc/nginx/proxy.conf;
        proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
@ -183,11 +189,12 @@ http {
        rewrite ^{{ WEB_WEBMAIL }}/(.*) /$1 break;
        {% endif %}
        include /etc/nginx/proxy.conf;
-        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
-        proxy_pass http://$webmail;
-      {% if ADMIN == 'true' %}
+        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};       
        auth_request /internal/auth/user;
+        auth_request_set $user $upstream_http_x_user;
+        auth_request_set $token $upstream_http_x_user_token;       
        error_page 403 @webmail_login;
+        proxy_pass http://$webmail;
      }

      location {{ WEB_WEBMAIL }}/sso.php {
@ -202,16 +209,16 @@ http {
        auth_request_set $token $upstream_http_x_user_token;
        proxy_set_header X-Remote-User $user;
        proxy_set_header X-Remote-User-Token $token;
-        proxy_pass http://$webmail;
        error_page 403 @webmail_login;
+        proxy_pass http://$webmail;
      }

-      location @webmail_login {
-        return 302 {{ WEB_ADMIN }}/sso/login?next=ui.webmail;
+      location @webmail_login {       
+        return 302 /sso/login?next=ui.webmail;
      }
      {% else %}
      }
-      {% endif %}{% endif %}
+      {% endif %}
      {% if ADMIN == 'true' %}
      location {{ WEB_ADMIN }} {
        return 301 {{ WEB_ADMIN }}/ui;
--- a/webmails/rainloop/defaults/application.ini
+++ b/webmails/rainloop/defaults/application.ini
@ -8,10 +8,8 @@ allow_admin_panel = Off

 [labs]
 allow_gravatar = Off
-{% if ADMIN == "true" %}
 custom_login_link='sso.php'
-custom_logout_link='{{ WEB_ADMIN }}/ui/logout'
-{% endif %}
+custom_logout_link='sso/ui/logout'

 [contacts]
 enable = On
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@ -37,11 +37,11 @@ $config['managesieve_usetls'] = false;

 // Customization settings
 if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) {
-	array_push($config['plugins'], 'mailu');
-	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';
-	$config['sso_logout_url'] = getenv('WEB_ADMIN').'/ui/logout';
+	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';	
 }
 $config['product_name'] = 'Mailu Webmail';
+array_push($config['plugins'], 'mailu');
+$config['sso_logout_url'] = 'sso/ui/logout';

 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login