On 12/16/18 6:08 PM, Landry Breuil wrote:
On Sun, Dec 16, 2018 at 04:15:25PM +0100, Renaud Allard wrote:
Yes, I will make a README telling how to make the UI listen on 127.0.0.1
only and how to proxify it. Restricting the listening ports really has to be
done with a firewall at the moment, but that could change in a future
revision.
A friend of mine working on traccar pointed me to
https://github.com/traccar/traccar/issues/4066 - I think we should patch
out the default.xml file so that it doesn't phone home by default.
Here is the diff
Index: geo/traccar//patches/patch-conf_default_xml
===================================================================
RCS file: /cvs/ports/geo/traccar/patches/patch-conf_default_xml,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-conf_default_xml
--- geo/traccar//patches/patch-conf_default_xml 16 Dec 2018 15:09:58 -0000 1.1.1.1
+++ geo/traccar//patches/patch-conf_default_xml 17 Dec 2018 08:06:40 -0000
@@ -1,8 +1,5 @@
-$OpenBSD: patch-conf_default_xml,v 1.1.1.1 2018/12/16 15:09:58 landry Exp $
-
-Index: conf/default.xml
---- conf/default.xml.orig
-+++ conf/default.xml
+--- conf/default.xml.orig Mon Dec 17 08:12:45 2018
++++ conf/default.xml Mon Dec 17 08:13:20 2018
@@ -12,7 +12,7 @@
<entry key='web.enable'>true</entry>
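Review bot: this hunk drops the "$OpenBSD: patch-conf_default_xml,v ..." RCS tag and the "Index: conf/default.xml" line from the top of the patch file and replaces them with timestamped "--- conf/default.xml.orig Mon Dec 17 ..." headers, which is what a hand-run diff -u produces rather than what `make update-patches` generates. Regenerate the patch with `make update-patches` so the header keeps the $OpenBSD$ tag and Index: line the existing file had; the ports tree expects that form and CVS needs the tag to expand it on commit.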
@@ -21,7 +18,7 @@ Index: conf/default.xml
<entry key='filter.enable'>true</entry>
<entry key='filter.future'>86400</entry>
-@@ -30,9 +30,10 @@
+@@ -30,17 +30,16 @@
<entry key='processing.computedAttributes.enable'>true</entry>
<entry key='processing.engineHours.enable'>true</entry>
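Review bot: the inner hunk header here is hand-edited from "@@ -30,9 +30,10 @@" to "@@ -30,17 +30,16 @@", and the net change of -1 line is consistent with one added templates.rootPath entry and two removed lines (server.statistics plus its trailing blank), but hand-maintained counts are easy to get wrong. Run `make patch` (and then `make update-patches`) against a clean extract to confirm the merged hunk applies without fuzz before committing.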
@@ -30,10 +27,10 @@ Index: conf/default.xml
<entry key='notificator.types'>web,mail</entry>
+ <entry key='templates.rootPath'>${LOCALBASE}/share/traccar/templates</entry>
-
- <entry key='server.statistics'>https://www.traccar.org/analytics/</entry>
-
-@@ -40,7 +40,7 @@
+
+- <entry key='server.statistics'>https://www.traccar.org/analytics/</entry>
+-
+ <entry key='commands.queueing'>true</entry>
<entry key='database.ignoreUnknown'>true</entry>
<entry key='database.generateQueries'>true</entry>
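Review bot: deleting the "<entry key='server.statistics'>https://www.traccar.org/analytics/</entry>" line only stops the upload if traccar treats a missing server.statistics key as "do not send"; if the code falls back to a built-in URL when the key is absent, the patch achieves nothing, so check the statistics code path in this version before relying on it. Removing the key (rather than setting it to an empty string) is the right shape, since an empty value would still be a non-null URL that the client may try to post to. A one-line comment at the top of the patch file saying why the entry is removed (reference to traccar issue 4066) would help the next person who runs update-patches and wonders whether the diff is still needed.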
Index: geo/traccar//pkg/PLIST
===================================================================
RCS file: /cvs/ports/geo/traccar/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- geo/traccar//pkg/PLIST 16 Dec 2018 15:09:58 -0000 1.1.1.1
+++ geo/traccar//pkg/PLIST 17 Dec 2018 08:06:40 -0000
@@ -12,6 +12,7 @@
@mode
@owner
@group
+share/doc/pkg-readmes/${PKGSTEM}
share/traccar/
share/traccar/conf/
share/traccar/conf/default.xml
Index: geo/traccar//pkg/README
===================================================================
RCS file: geo/traccar//pkg/README
diff -N geo/traccar//pkg/README
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ geo/traccar//pkg/README 17 Dec 2018 08:06:40 -0000
@@ -0,0 +1,68 @@
+
++-----------------------------------------------------------------------
+| Running traccar on OpenBSD
++-----------------------------------------------------------------------
+
+Web Interface:
+==============
+
+The default configuration will make traccar UI listen on all interfaces.
+This is not the recommended way of running traccar UI, you should set it up to
+listen only on 127.0.0.1 and use a reverse proxy to make it available from
+elsewhere.
+
+Listening locally can be achieved by putting the following stanza in traccar.xml
+
+ <entry key='web.address'>127.0.0.1</entry>
+
+
+Then you will need to configure a reverse proxy to make the UI available.
+The following is an example using nginx as an SSL reverse proxy:
+
+server {
+ add_header Cache-Control no-cache;
+ add_header x-frame-options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ listen 443;
+ listen [::]:443;
+
+ expires 31d;
+ ssl On;
+ ssl_certificate fullcert_nokey.pem;
+ ssl_certificate_key privkey.pem;
+ server_name traccar.example.com;
+ root /var/empty;
+
+ location / {
+ proxy_pass http://127.0.0.1:8082/;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_buffering off;
+ proxy_connect_timeout 43200000;
+ proxy_send_timeout 43200000;
+ proxy_read_timeout 43200000;
+ proxy_redirect off;
+ proxy_set_header Proxy "";
+ proxy_cookie_path /api "/api; secure; HttpOnly";
+ }
+}
+
+Open Network Ports:
+===================
+
+By default, traccar will listen on many network ports. Each tracker protocol
+requires its own open port. So you should really block those ports using pf and
+only allow the protocols you actually use.
+
+You can also restrict the open ports by altering the default.xml file and remove
+all the protocols you don't use. However, the default.xml file will change on
+almost every revision, so if you do that you should do it on a copy of
+default.xml and reference that copy in traccar.xml configuration file. Also, you
+should ensure that at every upgrade, you track the changes in default.xml as
+the file contains important informations about SQL queries. This is definitely
+more complex than firewalling the unused ports, so this is not the recommended
+way of restricting the ports.
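Review bot: in the nginx example, the three "proxy_*_timeout 43200000;" values are interpreted by nginx as seconds (unitless durations default to seconds), i.e. roughly 500 days rather than 12 hours, and proxy_connect_timeout is in any case capped at 75s by nginx; if 12 hours was intended for the websocket connection, write "12h" on proxy_read_timeout/proxy_send_timeout and leave connect at its default. Two smaller points in the same block: "ssl On;" with a bare "listen 443;" is the pre-1.15 form, "listen 443 ssl;" (and "listen [::]:443 ssl;") is what current nginx expects; and "expires 31d;" adds a Cache-Control max-age that contradicts the "add_header Cache-Control no-cache;" line above it, so one of the two should go (for an authenticated UI, no-cache). It would also be worth passing X-Forwarded-For and X-Forwarded-Proto to the backend so traccar logs the real client address rather than 127.0.0.1. In the "Open Network Ports" section, say explicitly that "web.address" only restricts the UI listener and that every tracker-protocol port still binds on all interfaces, which is why the pf rule set is needed; stating where traccar.xml lives on OpenBSD would also save the reader a lookup.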