Posted on Wed 29 October 2014 in english

Since Google shut down its Reader you were desperately looking for an alternative? Or you would simply like to have a central place to follow your favourite news sites?
For all of you: tt-rss to the resque!

"What's tt-rss?" you ask?
tt-rss is an open source news feed reader and aggregator you can run on your own server. There are an Android client and several appealing themes available (personally I like the Feedly theme most).

Jail setup

In order to run PostgreSQL correctly, you have to change your jail configuration (enter in jail host and substitute MY_JAIL_NAME with your jail name) - thanks to Dan Langille:

# echo 'export jail_**MY_JAIL_NAME**_parameters="allow.raw_sockets=1 allow.sysvipc=1"' >> /usr/local/etc/ezjail/**MY_JAIL_NAME**

If your jail is running at this moment you have to restart it for the parameters to get active.


Install the packages and enable the services:

# pkg install postgresql94-server nginx php5-iconv php5-pgsql tt-rss php5
# echo 'postgresql_enable="YES"' >> /etc/rc.conf
# echo 'php_fpm_enable="YES"' >> /etc/rc.conf
# echo 'nginx_enable="YES"' >> /etc/rc.conf

EDIT: I found out that the php5-pgsql package has a hard depedency on postgresql93-server/client, so if you want to use version 9.4 you have to compile it yourself from ports.


Initialize a new database:

# /usr/local/etc/rc.d/postgresql initdb

Now to configure the hash authentication on passwords change the file /usr/local/pgsql/data/pg_hba.conf and add the following line at the bottom:

host all all md5

NOTE: I'll use my PostgreSQL server on a dedicated jail for tt-rss. You can find other tutorials out there where another subnets gets used (/24 or something like that), but these are for dedicated PostgreSQL servers.

To alter the default pgsql admin password and create a postgresql user for tt-rss enter:

# service postgresql start
# su - pgsql
# psql postgres
postgres=# CREATE USER "www-data" WITH PASSWORD 'yourpasshere';
postgres=# CREATE DATABASE ttrss WITH OWNER "www-data";
postgres=# \q
$ exit

You have to change the PHP Fast CGI settings /usr/local/etc/php-fpm.conf:

listen = /var/run/php-fpm.sock
listen.owner = www = www
listen.mode = 0666


If you want SSL encrypted traffic (YES) you have to create SSL certs:

# mkdir /usr/local/etc/ssl && cd /usr/local/etc/ssl
# openssl req -new -x509 -days 365 -nodes -out rss.pem -keyout rss.key -newkey rsa:2048

The nginx config file (/usr/local/etc/nginx/nginx.conf) should look similar to (btw. this is totally free of any POODLEs):

user  www;
worker_processes  1;

events {
    worker_connections  1024;

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;

    server {
        listen      443 ssl; 
        server_name  rss;

        root   /usr/local/www/tt-rss;
        access_log /var/log/ttrss-access.log;
        error_log /var/log/ttrss-error.log info;

        ssl_certificate      /usr/local/etc/ssl/rss.pem;
        ssl_certificate_key  /usr/local/etc/ssl/rss.key; 
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;

        location / {
            index  index.php;

        error_page  404              /404.html;

        # pass the PHP scripts to FastCGI server listening on /var/run/php-fpm.sock
        location ~ \.php$ {
            try_files $uri = 404; #Prevents autofixing of path which could be used for exploit
            fastcgi_pass   unix:/var/run/php-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include         /usr/local/etc/nginx/fastcgi_params;

        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;

(Re)start the services (if you haven't already):

# service php-fpm restart && service nginx restart

Before you start the installer you have to delete the tt-rss config file that came with the package:

# rm /usr/local/www/tt-rss/config.php

Now you should be able to reach the installer via https://IP_OF_YOUR_SERVER/install/.

The values are as following:

Database type   = PostgreSQL
Username = www-data
Password = yourpasshere
Database name = ttrss

Change your password after first login with 'admin':'password' (Preferences --> Users --> Click on admin user!).

Have fun with your new info jail!