{{tag>reverseproxy apache webserver flask}}

====== Snappass password sharing behind Apache2 reverse proxy ======

Securely share passwords via web URLs.

===== Clone repository =====

<code>
$ pip3 install snappass
</code>

===== Install redis caching server =====

<code>
$ apt install redis
</code>

===== Disable redis dumping of DB to file =====

We don't want to save any keys to the disk, so in ''/etc/redis/redis.conf'' comment out these lines:

<code>
...
################################ SNAPSHOTTING  ################################
#
# Save the DB on disk:
#
#   save <seconds> <changes>
#
#   Will save the DB if both the given number of seconds and the given
#   number of write operations against the DB occurred.
#
#   In the example below the behaviour will be to save:
#   after 900 sec (15 min) if at least 1 key changed
#   after 300 sec (5 min) if at least 10 keys changed
#   after 60 sec if at least 10000 keys changed
#
#   Note: you can disable saving completely by commenting out all "save" lines.
#
#   It is also possible to remove all the previously configured save
#   points by adding a save directive with a single empty string argument
#   like in the following example:
#
#   save ""

#save 900 1     <- commented out
#save 300 10    <- commented out
#save 60 10000  <- commented out

# By default Redis will stop accepting writes if RDB snapshots are enabled
...
</code>

===== First run =====

<code>
$ snappass
* Running on http://0.0.0.0:5000/
* Restarting with reloader
...
</code>

===== Proxy snappass via apache2 =====

vhost conf file:

<code apache>
# Assumed wrapper: plain-HTTP vhost on port 80, matching the URL given below.
<VirtualHost *:80>
    ServerName example.com
    ServerAdmin webmaster@localhost

    ProxyPreserveHost On
    ProxyPass /pwd http://localhost:5000
    ProxyPassReverse /pwd http://localhost:5000

    # Serve the static files directly from the installed package.
    Alias /static /usr/local/lib/python3.7/dist-packages/snappass/static
    # Assumed wrapper: "Require" is only valid inside a directory context.
    <Directory /usr/local/lib/python3.7/dist-packages/snappass/static>
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</code>

The above configuration serves the app at ''http://example.com/pwd''. The static directory must be aliased so that Apache knows where the CSS, JavaScript and other static files are.

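To confirm the edit from the "Disable redis dumping of DB to file" step, the following added example (not part of the original page, snappass or Redis) scans a config file for snapshot or append-only settings that are still active. The function name ''redis_persistence_findings'' and the sample file are made up for illustration, and the ''appendonly'' check goes beyond the ''save'' lines the page covers.

```shell
#!/bin/sh
# Added example, not from the original page. Lists Redis persistence
# directives still active in a redis.conf-style file.
# Returns 0 if none are active, 1 if any are, 2 if the file is unreadable.
redis_persistence_findings() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        # Skip blank lines and comments such as "#save 900 1 <- commented out".
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1) }
        # save "" removes every save point configured before it.
        key == "save" && ($2 == "\"\"" || $2 == "\047\047") { n = 0; next }
        # save <seconds> <changes> adds a snapshot trigger.
        key == "save" && NF >= 3 { pts[++n] = "line " NR ": save " $2 " " $3; next }
        # appendonly yes turns on the append-only file (assumed relevant here:
        # it is the other Redis mechanism that writes keys to disk).
        key == "appendonly" {
            aof = (tolower($2) == "yes") ? ("line " NR ": appendonly yes") : ""
        }
        END {
            for (i = 1; i <= n; i++) print pts[i]
            if (aof != "") print aof
            exit ((n > 0 || aof != "") ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample: two save lines commented out, one forgotten.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#save 900 1     <- commented out
#save 300 10    <- commented out
save 60 10000
appendonly no
EOF
if redis_persistence_findings "$demo_conf"; then
    echo "no persistence directives active"
else
    echo "persistence still enabled, see the lines listed above"
fi
rm -f "$demo_conf"
```

Run it against ''/etc/redis/redis.conf'' after editing; ''redis-cli CONFIG GET save'' shows the value the running server is actually using.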
===== Enable the required apache modules and restart apache2 =====

<code>
a2enmod proxy proxy_http
systemctl restart apache2
</code>

===== Run the snappass flask app with url prefix =====

<code>
NO_SSL=True URL_PREFIX="/pwd" snappass
</code>

''NO_SSL'' is necessary if you aren't going to use SSL (don't do this in prod). ''URL_PREFIX'' is needed because the app is served at a path below the web server's root path.

===== Disable listening on all interfaces =====

Edit ''/usr/local/lib/python3.7/dist-packages/snappass/main.py''. Change ''app.run(host='0.0.0.0')'' as below:

<code python>
@check_redis_alive
def main():
    # Bind to loopback only, so the app is reachable solely through the Apache proxy.
    app.run(host='127.0.0.1')


if __name__ == '__main__':
    main()
</code>

===== Fix "Share Secret" link =====

Open ''/usr/local/lib/python3.7/dist-packages/snappass/templates/base.html'' and change the ''Share Secret'' link line. Its ''href'' attribute needs to be set to the correct path, as defined in the web server configuration.

===== Set up systemd service =====

''/etc/systemd/system/snappass.service''

<code>
[Unit]
Description=Snappass secret password sharing
Requires=redis.service
After=redis.service
After=network.target

[Service]
Environment=URL_PREFIX="/pwd"
ExecStart=/usr/local/bin/snappass
WorkingDirectory=/usr/local/lib/python3.7/dist-packages/snappass
Restart=on-failure

[Install]
WantedBy=default.target
</code>

===== Enable and start the service =====

<code>
systemctl daemon-reload
systemctl enable --now snappass.service
</code>

====== Tested on ======

  * Debian 10 Buster

====== See also ======

[[Deploying Django website]]

====== References ======

  * https://github.com/pinterest/snappass
  * https://wiki.archlinux.org/index.php/Systemd#Writing_unit_files