Snappass password sharing behind Apache2 reverse proxy
Securely share password via web URLs.
Clone repository
$ pip3 install snappass
Install redis caching server
$ apt install redis
Disable redis dumping of DB to file
We don't want to save any keys to the disk, so in /etc/redis/redis.conf
comment out these lines:
...
################################ SNAPSHOTTING  ################################
#
# Save the DB on disk:
#
#   save <seconds> <changes>
#
#   Will save the DB if both the given number of seconds and the given
#   number of write operations against the DB occurred.
#
#   In the example below the behaviour will be to save:
#   after 900 sec (15 min) if at least 1 key changed
#   after 300 sec (5 min) if at least 10 keys changed
#   after 60 sec if at least 10000 keys changed
#
#   Note: you can disable saving completely by commenting out all "save" lines.
#
#   It is also possible to remove all the previously configured save
#   points by adding a save directive with a single empty string argument
#   like in the following example:
#
#   save ""

#save 900 1     <- commented out
#save 300 10    <- commented out
#save 60 10000  <- commented out

# By default Redis will stop accepting writes if RDB snapshots are enabled
...
First run
$ snappass
 * Running on http://0.0.0.0:5000/
 * Restarting with reloader
...
Proxy snappass via apache2
vhost conf file:
<VirtualHost *:80>
    ServerName example.com
    ServerAdmin webmaster@localhost

    ProxyPreserveHost On
    ProxyPass /pwd http://localhost:5000
    ProxyPassReverse /pwd http://localhost:5000

    Alias /static /usr/local/lib/python3.7/dist-packages/snappass/static
    <Directory /usr/local/lib/python3.7/dist-packages/snappass/static>
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The above configuration will serve the app at the URL http://example.com/pwd. We need to alias the static directory so that Apache knows where the CSS, JavaScript and the rest of the static files are.
Enable the required apache modules and restart apache2
a2enmod proxy proxy_http
systemctl restart apache2
Run the snappass flask app with url prefix
NO_SSL=True URL_PREFIX="/pwd" snappass
NO_SSL is necessary if you aren't going to use SSL (don't do this in prod). URL_PREFIX is needed because we are serving the app at a path below the web server's root path.
Disable listening on all interfaces
Edit /usr/local/lib/python3.7/dist-packages/snappass/main.py.
Change app.run(host='0.0.0.0') as below:
@check_redis_alive
def main():
    app.run(host='127.0.0.1')


if __name__ == '__main__':
    main()
Fix "Share Secret" link
Open /usr/local/lib/python3.7/dist-packages/snappass/templates/base.html and change this line:
<a class="navbar-brand" href="/pwd">Share Secret</a>
The href attribute needs to be set to the correct path as defined in the webserver configuration.
Set up systemd service
/etc/systemd/system/snappass.service
[Unit]
Description=Snappass secret password sharing
Requires=redis.service
After=redis.service
After=network.target

[Service]
Environment=URL_PREFIX="/pwd"
ExecStart=/usr/local/bin/snappass
WorkingDirectory=/usr/local/lib/python3.7/dist-packages/snappass
Restart=on-failure

[Install]
WantedBy=default.target
Enable and start the service
systemctl daemon-reload
systemctl enable --now snappass.service
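Once the service is running, the two hardening steps above (no active save lines in redis.conf, Snappass listening on loopback only) can be checked with a short script. This is an added example, not part of the original guide or of Snappass; the script name and function names are made up for illustration, the default port 5000 is taken from the first-run output, and it assumes ss is installed.

```shell
#!/bin/sh
# Added example: audit the two hardening steps from this guide.
# Function names are this example's own; nothing here ships with Snappass.

# Print the RDB save points that are still active in the redis.conf at $1.
# Commented-out lines are ignored; `save ""` clears save points set before it.
active_save_points() {
    awk 'BEGIN { n = 0 }
         tolower($1) == "save" {
             if ($2 == "\"\"") n = 0
             else pts[n++] = $2 " " $3
         }
         END { for (i = 0; i < n; i++) print pts[i] }' "$1"
}

# Read `ss -ltn` output on stdin and print every listener on TCP port $1
# whose local address is not loopback (127.0.0.0/8 or [::1]).
nonlocal_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":"); p = part[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr !~ /^127\./ && addr != "[::1]") print $4
        }'
}

# Usage: sh snappass-audit.sh /etc/redis/redis.conf [port]
# Runs only when a redis.conf path is passed; the port defaults to 5000.
if [ "$#" -ge 1 ]; then
    status=0
    points=$(active_save_points "$1")
    if [ -n "$points" ]; then
        echo "FAIL: $1 still has active save points:"; echo "$points"
        status=1
    fi
    exposed=$(ss -ltn | nonlocal_listeners "${2:-5000}")
    if [ -n "$exposed" ]; then
        echo "FAIL: port ${2:-5000} reachable beyond loopback: $exposed"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no save points, loopback-only listener"
    exit "$status"
fi
```

The script exits non-zero when either check fails, so it can be run after package upgrades that may overwrite the edited main.py or redis.conf.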
Tested on
- Debian 10 Buster