FreeBSD TT-RSS
Posted on Wed 29 October 2014 in english
Have you been desperately looking for an alternative since Google shut down its Reader? Or would you simply like to have a
central place to follow your favourite news sites?
For all of you: tt-rss to the rescue!
"What's tt-rss?" you ask?
tt-rss is an open source news feed reader and aggregator you can run on your own server. There are an Android client and
several appealing themes available (personally I like the Feedly theme most).
Jail setup
In order to run PostgreSQL correctly, you have to change your jail configuration (run this on the jail host and substitute MY_JAIL_NAME with your jail name) - thanks to Dan Langille:
# echo 'export jail_MY_JAIL_NAME_parameters="allow.raw_sockets=1 allow.sysvipc=1"' >> /usr/local/etc/ezjail/MY_JAIL_NAME
If your jail is running at the moment, you have to restart it for the parameters to take effect.
Installation
Install the packages and enable the services:
# pkg install postgresql94-server nginx php5-iconv php5-pgsql tt-rss php5
# echo 'postgresql_enable="YES"' >> /etc/rc.conf
# echo 'php_fpm_enable="YES"' >> /etc/rc.conf
# echo 'nginx_enable="YES"' >> /etc/rc.conf
EDIT: I found out that the php5-pgsql package has a hard dependency on postgresql93-server/client, so if you want to use version 9.4 you have to compile it yourself from ports.
PostgreSQL
Initialize a new database:
# /usr/local/etc/rc.d/postgresql initdb
Now, to configure hashed (md5) password authentication, edit the file /usr/local/pgsql/data/pg_hba.conf and add the following line at the bottom:
host all all 10.0.1.12/32 md5
NOTE: I'll use my PostgreSQL server on a dedicated jail for tt-rss. You can find other tutorials out there where other subnets get used (/24 or something like that), but these are for dedicated PostgreSQL servers.
To alter the default pgsql admin password and create a postgresql user for tt-rss enter:
# service postgresql start
# su - pgsql
# psql postgres
postgres=# ALTER USER pgsql PASSWORD 'YOUR_PASSWORD';
ALTER ROLE
postgres=# CREATE USER "www-data" WITH PASSWORD 'yourpasshere';
CREATE ROLE
postgres=# CREATE DATABASE ttrss WITH OWNER "www-data";
CREATE DATABASE
postgres=# \q
$ exit
You have to change the PHP FastCGI settings in /usr/local/etc/php-fpm.conf:
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0666
Optional
If you want SSL encrypted traffic (YES) you have to create SSL certs:
# mkdir /usr/local/etc/ssl && cd /usr/local/etc/ssl
# openssl req -new -x509 -days 365 -nodes -out rss.pem -keyout rss.key -newkey rsa:2048
The nginx config file (/usr/local/etc/nginx/nginx.conf) should look similar to (btw. this is totally free of any POODLEs):
user www;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 443 ssl;
        server_name rss;
        root /usr/local/www/tt-rss;
        access_log /var/log/ttrss-access.log;
        error_log /var/log/ttrss-error.log info;
        ssl_certificate /usr/local/etc/ssl/rss.pem;
        ssl_certificate_key /usr/local/etc/ssl/rss.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!MD5:!DSS;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        location / {
            index index.php;
        }
        error_page 404 /404.html;
        # pass the PHP scripts to FastCGI server listening on /var/run/php-fpm.sock
        #
        location ~ \.php$ {
            try_files $uri =404; # Prevents autofixing of the path, which could be used for an exploit
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /usr/local/etc/nginx/fastcgi_params;
        }
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }
    }
}
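Added example (not part of the original post): a small lint for the two details this config depends on, namely that ssl_protocols leaves out SSLv3 and that the PHP location carries a try_files guard whose status code is written as =404 without a space. The function name lint_nginx and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. lint_nginx reads an nginx
# config on stdin, prints one FAIL line per finding, returns 1 on any.
lint_nginx() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    { sub(/#.*/, "") }                      # ignore comments
    /ssl_protocols/ {
        proto = 1
        if ($0 ~ /SSLv[23]/) fail("ssl_protocols still offers SSLv2/SSLv3")
    }
    /location[ \t]+~.*php/ { in_php = 1; seen = 0; depth = 0; opened = 0 }
    in_php {
        if ($0 ~ /try_files[ \t].*=[ \t]+[0-9]+[ \t]*;/) {
            # "=" and "404" become two separate arguments
            fail("try_files: \"= 404\" has a space, so it is not a status code")
            seen = 1
        } else if ($0 ~ /try_files[ \t].*[ \t]=[0-9]+[ \t]*;/) seen = 1
        if ($0 ~ /[{]/) opened = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (opened && depth <= 0) {         # closing brace of the PHP block
            if (!seen) fail("PHP location has no try_files ... =CODE guard")
            in_php = 0
        }
    }
    END {
        if (!proto) fail("no ssl_protocols line, so nginx defaults apply")
        exit bad + 0
    }'
}

# Constructed sample input: the spaced form is reported.
printf '%s\n' 'ssl_protocols TLSv1.2;' 'location ~ \.php$ {' \
    '    try_files $uri = 404;' '}' | lint_nginx || true
```

Run it as lint_nginx < /usr/local/etc/nginx/nginx.conf before restarting nginx.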
(Re)start the services (if you haven't already):
# service php-fpm restart && service nginx restart
Before you start the installer you have to delete the tt-rss config file that came with the package:
# rm /usr/local/www/tt-rss/config.php
Now you should be able to reach the installer via https://IP_OF_YOUR_SERVER/install/.
The values are as follows:
Database type = PostgreSQL
Username = www-data
Password = yourpasshere
Database name = ttrss
Change your password after the first login with 'admin':'password' (Preferences --> Users --> click on the admin user!).
Have fun with your new info jail!