Assorted tweaks from Renaud Allard (MAINTAINER)

- make the web iface default to listen on localhost only - disable the builtin 'report statistics home' feature - provide a README with an example nginx vhost
2018-12-17 19:48:23 +00:00 · 2018-12-17 19:48:23 +00:00 · 378cacad1d
commit 378cacad1d
parent f6ccb4516c
4 changed files with 70 additions and 11 deletions
--- a/geo/traccar/Makefile
+++ b/geo/traccar/Makefile
@ -1,7 +1,8 @@
-# $OpenBSD: Makefile,v 1.1.1.1 2018/12/16 15:09:58 landry Exp $
+# $OpenBSD: Makefile,v 1.2 2018/12/17 19:48:23 landry Exp $

 COMMENT =	modern GPS tracking platform
 V =		4.2
+REVISION =	0
 PKGNAME =	traccar-${V}
 DISTNAME =	traccar-other-${V}
 EXTRACT_SUFX =	.zip
--- a/geo/traccar/patches/patch-conf_default_xml
+++ b/geo/traccar/patches/patch-conf_default_xml
@ -1,18 +1,17 @@
-$OpenBSD: patch-conf_default_xml,v 1.1.1.1 2018/12/16 15:09:58 landry Exp $
-
 Index: conf/default.xml
 --- conf/default.xml.orig
 +++ conf/default.xml
-@@ -12,7 +12,7 @@
+@@ -12,7 +12,8 @@
 
     <entry key='web.enable'>true</entry>
     <entry key='web.port'>8082</entry>
 -    <entry key='web.path'>./web</entry>
+    <entry key='web.address'>127.0.0.1</entry>
 +    <entry key='web.path'>${LOCALBASE}/share/traccar/web</entry>
     <entry key='web.cacheControl'>max-age=3600,public</entry>
 
     <entry key='geocoder.enable'>false</entry>
-@@ -20,7 +20,7 @@
+@@ -20,7 +21,7 @@
 
     <entry key='logger.enable'>true</entry>
     <entry key='logger.level'>info</entry>
@ -21,7 +20,7 @@ Index: conf/default.xml
 
     <entry key='filter.enable'>true</entry>
     <entry key='filter.future'>86400</entry>
-@@ -30,9 +30,10 @@
+@@ -30,17 +31,16 @@
     <entry key='processing.computedAttributes.enable'>true</entry>
     <entry key='processing.engineHours.enable'>true</entry>
 
@ -30,10 +29,10 @@ Index: conf/default.xml
 
     <entry key='notificator.types'>web,mail</entry>
 +    <entry key='templates.rootPath'>${LOCALBASE}/share/traccar/templates</entry>
-
-     <entry key='server.statistics'>https://www.traccar.org/analytics/</entry>                                      
-
-@@ -40,7 +40,7 @@
+ 
+-    <entry key='server.statistics'>https://www.traccar.org/analytics/</entry>
+-
+     <entry key='commands.queueing'>true</entry>
 
     <entry key='database.ignoreUnknown'>true</entry>
     <entry key='database.generateQueries'>true</entry>
--- a/geo/traccar/pkg/PLIST
+++ b/geo/traccar/pkg/PLIST
@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.1.1.1 2018/12/16 15:09:58 landry Exp $
+@comment $OpenBSD: PLIST,v 1.2 2018/12/17 19:48:24 landry Exp $
@newgroup _traccar:824
@newuser _traccar:824:_traccar:daemon:Traccar user:/var/empty:/sbin/nologin
@rcscript ${RCDIR}/traccar
@ -12,6 +12,7 @@
@mode
@owner
@group
+share/doc/pkg-readmes/${PKGSTEM}
 share/traccar/
 share/traccar/conf/
 share/traccar/conf/default.xml
--- a/geo/traccar/pkg/README
+++ b/geo/traccar/pkg/README
@ -0,0 +1,58 @@
+
+-----------------------------------------------------------------------
+| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------
+
+Web Interface
+=============
+
+The default configuration makes traccar UI listen on localhost only.
+The recommended way to access the service from the outside world is to use a
+reverse proxy with SSL enabled.
+
+The following is an example using nginx as an SSL reverse proxy:
+
+server {
+	add_header Cache-Control no-cache;
+	add_header x-frame-options SAMEORIGIN;
+	add_header X-Content-Type-Options nosniff;
+	add_header X-XSS-Protection "1; mode=block";
+
+	listen	443;
+	listen	[::]:443;
+
+	expires 31d;
+	ssl On;
+	ssl_certificate fullcert_nokey.pem;
+	ssl_certificate_key privkey.pem;
+
+	location / {
+		proxy_pass http://127.0.0.1:8082/;
+		proxy_set_header Host $host;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_buffering     off;
+		proxy_connect_timeout 1d;
+		proxy_send_timeout    1d;
+		proxy_read_timeout    1d;
+		proxy_redirect off;
+		proxy_set_header Proxy "";
+		proxy_cookie_path /api "/api; secure; HttpOnly";
+	}
+}
+
+Open Network Ports
+==================
+
+By default, traccar will listen on many network ports. Each tracker protocol
+requires its own open port. So you should really block those ports using pf and
+only allow the protocols you actually use. 
+
+You can also restrict the open ports by altering the default.xml file and remove
+all the protocols you don't use. However, the default.xml file will change on
+almost every revision, so if you do that you should do it on a copy of
+default.xml and reference that copy in traccar.xml configuration file. Also, you
+should ensure that at every upgrade, you track the changes in default.xml as
+the file contains important informations about SQL queries. This is definitely
+more complex than firewalling the unused ports.