Updated SSO logic for webmails. Fixed small bug rate limiting.

3 years ago · 44d2448412
parent f9eee0cbaf
commit 44d2448412
5 changed files with 30 additions and 19 deletions
--- a/core/admin/mailu/internal/views/auth.py
+++ b/core/admin/mailu/internal/views/auth.py
@ -41,7 +41,7 @@ def nginx_authentication():
    elif is_valid_user:
        utils.limiter.rate_limit_user(username, client_ip)
    else:
-        rate_limit_ip(client_ip)
+        utils.limiter.rate_limit_ip(client_ip)
    return response
@internal.route("/auth/admin")
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@ -11,13 +11,13 @@ def login():
    form = forms.LoginForm()
    endpoint = flask.request.args.get('next', 'ui.index')
-    if str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint != 'ui.webmail':
+    if str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint != 'ui.webmail':
        form.target.choices = [('Admin', 'Admin'), ('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper != 'NONE' and endpoint == 'ui.webmail':
+    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE' and endpoint == 'ui.webmail':
        form.target.choices = [('Webmail', 'Webmail'), ('Admin', 'Admin')]
-    elif str(app.config['WEBMAIL']).upper != 'NONE' and str(app.config['ADMIN']).upper == 'NONE':
+    elif str(app.config['WEBMAIL']).upper() != 'NONE' and str(app.config['ADMIN']).upper() == 'FALSE':
        form.target.choices = [('Webmail', 'Webmail')]
-    elif str(app.config['WEBMAIL']).upper == 'NONE' and str(app.config['ADMIN']).upper != 'NONE':
+    elif str(app.config['WEBMAIL']).upper() == 'NONE' and str(app.config['ADMIN']).upper() != 'FALSE':
        form.target.choices = [('Admin', 'Admin')]
    if form.validate_on_submit():
@ -37,3 +37,9 @@ def login():
            flask.current_app.logger.warn(f'Login failed for {str(form.email.data)} from {client_ip}.')
    return flask.render_template('login.html', form=form, endpoint=endpoint)
@sso.route('/logout', methods=['GET'])
@access.authenticated
 def logout():
    flask_login.logout_user()
    flask.session.destroy()
    return flask.redirect(flask.url_for('.login'))
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@ -146,6 +146,12 @@ http {
        rewrite /sso/static/(.*) /static/$1 permanent;
      }
      location ^~ {{ WEB_WEBMAIL }}/sso/ui/logout {
        include /etc/nginx/proxy.conf;
        rewrite ^{{ WEB_WEBMAIL }}/sso/ui/logout$ /sso/logout break;
        proxy_pass http://$admin;
      }
      location ^~ /ui/language {
        include /etc/nginx/proxy.conf;
        proxy_set_header X-Forwarded-Prefix {{ WEB_ADMIN }};
@ -184,10 +190,11 @@ http {
        {% endif %}
        include /etc/nginx/proxy.conf;
        client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};       
        proxy_pass http://$webmail;
      {% if ADMIN == 'true' %}
        auth_request /internal/auth/user;
        auth_request_set $user $upstream_http_x_user;
        auth_request_set $token $upstream_http_x_user_token;       
        error_page 403 @webmail_login;
        proxy_pass http://$webmail;
      }
      location {{ WEB_WEBMAIL }}/sso.php {
@ -202,16 +209,16 @@ http {
        auth_request_set $token $upstream_http_x_user_token;
        proxy_set_header X-Remote-User $user;
        proxy_set_header X-Remote-User-Token $token;
        proxy_pass http://$webmail;
        error_page 403 @webmail_login;
        proxy_pass http://$webmail;
      }
      location @webmail_login {       
-        return 302 {{ WEB_ADMIN }}/sso/login?next=ui.webmail;
+        return 302 /sso/login?next=ui.webmail;
      }
      {% else %}
      }
-      {% endif %}{% endif %}
+      {% endif %}
      {% if ADMIN == 'true' %}
      location {{ WEB_ADMIN }} {
        return 301 {{ WEB_ADMIN }}/ui;
--- a/webmails/rainloop/defaults/application.ini
+++ b/webmails/rainloop/defaults/application.ini
@ -8,10 +8,8 @@ allow_admin_panel = Off
 [labs]
 allow_gravatar = Off
 {% if ADMIN == "true" %}
 custom_login_link='sso.php'
-custom_logout_link='{{ WEB_ADMIN }}/ui/logout'
+custom_logout_link='sso/ui/logout'
 {% endif %}
 [contacts]
 enable = On
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@ -37,11 +37,11 @@ $config['managesieve_usetls'] = false;
 // Customization settings
 if (filter_var(getenv('ADMIN'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)) {
 	array_push($config['plugins'], 'mailu');
 	$config['support_url'] = getenv('WEB_ADMIN') ? '../..' . getenv('WEB_ADMIN') : '';	
 	$config['sso_logout_url'] = getenv('WEB_ADMIN').'/ui/logout';
 }
 $config['product_name'] = 'Mailu Webmail';
 array_push($config['plugins'], 'mailu');
 $config['sso_logout_url'] = 'sso/ui/logout';
 // We access the IMAP and SMTP servers locally with internal names, SSL
 // will obviously fail but this sounds better than allowing insecure login