havenweb / haven Goto Github PK

View Code? Open in Web Editor NEW

620.0 12.0 30.0 3.53 MB

Self-hostable private blogging

Home Page: https://havenweb.org

License: MIT License

Ruby 74.58% JavaScript 0.33% CSS 3.64% SCSS 0.29% HTML 15.90% Shell 4.76% Procfile 0.01% Dockerfile 0.49%

self-hosted social-network decentralized decentralized-web raspberry-pi haven

haven's Introduction

Haven

Haven is a private blog application built with Ruby on Rails. Write what you want, create accounts for people you want to share with, keep up with each other using built-in RSS.

Try out a live demo at https://havenweb.org/demo.html

The following are some motivating philosophies:

Open-source. MIT License
Privacy-first. This is for sharing with friends and family, not commercial endevors. If you want a blog for your company, you probably want to use WordPress or Ghost instead.
Easy to use. Built-in web interface for managing users, customizing the blog, and writing/editing posts with markdown and live-preview.
Low-bandwidth friendly. Images get downscaled to reduce page load times. No javascript frameworks. No ads or trackers.
Customizable. Add custom CSS or fonts.
No spam. There is no self-signup for users so there is no place for unauthorized users to impact your life.
Media support for images, videos, and audio.
Private RSS feeds for your friends to follow you.
Build-in RSS reader to follow your favorite blogs.

Deployment

PikaPods

PikaPods is a great platform for hosting open source apps. They currently offer a $5 credit for new members and it costs as little as $1.64/month to host your Haven on PikaPods. You don't even need to give them a credit card to get the $5 credit and try out Haven for a couple of months.

KubeSail

KubeSail is a self-hosting platform that makes it easier to run a server in your home or office that runs websites & apps. You can install Haven on Kubesail with the following Kubesail template: https://kubesail.com/template/jphj/haven

AWS

Register an account with AWS, the included scripts deploy to an AWS EC2 instance
Buy a domain with AWS route 53, this is the domain that will point to the blog
Setup your AWS credentials: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html
Clone this project onto your computer (tested with Mac OS Mojave and Ubuntu 18.04)
Go to the deploymentscripts folder
Execute ruby deploy-aws.rb <domain> "<email>"
- Put your email address in quotes, this email is used for registering your HTTPS certificate
Wait. Deployment can take 20 minutes.
The script will show you your login information, enjoy your blog
Note: if anything goes wrong, you can run ruby cleanup-aws.rb <domain> to tear down everything the script created
If you get this error: cannot load such file -- aws-sdk-ec2 (LoadError), then type gem install aws-sdk and try again

Raspberry Pi

Note, this requires a little bit more technical knowledge. You should know how to flash an SD card and how to use the tools ssh and scp. You should also be able to configure your own DNS and port forwarding. We're doing this fully headless, not plugging in a display or mouse/keybord to the Raspberry Pi.

Configure your DNS to point to your home IP address.
- If you're using AWS Route53 for your DNS, this script might be useful: https://github.com/havenweb/r53_dynamic_dns
Flash a micro SD card with Raspberry Pi OS Lite (May 2021)
- 32 bit: http://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-05-28/
- or 64 bit if you know what you're doing: https://downloads.raspberrypi.org/raspios_lite_arm64/images/raspios_lite_arm64-2021-05-28/
Enable SSH and Wifi: https://raspberrytips.com/raspberry-pi-wifi-setup/
Insert the card into the Pi, and turn it on
Make sure you can SSH to the Pi, then copy deploymentscripts/deploy-pi.sh from this repository to the Pi's home directory
- Note, the script assumes your default home directory of /home/pi and that you're using the default pi user.
Configure your home router to forward port 80 (http) and 443 (https) to the Raspberry Pi.
- You might also want/need to configure a static IP address for the Raspberry Pi.
SSH to the Pi and run: bash deploy-pi.sh DOMAIN "YOUREMAIL"
Wait. On the Raspberry Pi Zero W, installation can take over three hours.
The script will give you your initial login information, enjoy your new blog!
Note, there are no backups setup. You may want to backup the database (PostgreSQL) and uploaded images (/home/pi/simpleblog/storage).

Heroku

The Heroku install is meant for exploration and experimentation as images uploaded to your Haven will usually disapear within 24 hours and the reader will not automatically update until you visit the reader page. The Heroku install requires a Heroku account ~~and should fall under Heroku's free-tier~~. Update: Heroku is eliminating their free tier, Haven on Heroku will probably cost ~$16/month.

Paid Hosting

Fully managed hosting of your personal Haven is available too, check out: https://havenweb.org/order.html

Docker

Install docker and docker-compose
If you don't know how to install docker and docker-compose, you can find info in introduction to docker , overview of installing docker compose and get docker desktop.
Clone the repository: git clone https://github.com/havenweb/haven.git
Run cd haven
Run docker compose up

Feel free to use the included Dockerfile and docker-compose.yml. You probably want to modify the env vars in docker-compose.yml to specify a different HAVEN_USER_EMAIL and HAVEN_USER_PASS. These will be used to create you initial user (and password) on startup.

Docker images are published to the GitHub Container Registry

Other Linux Systems

Given the differences between Linux platforms I can't give fool-proof deployment instructions for every platform but take a look at the Raspberry PI deployment script. It is not universal, but it should be pretty close for most debian-based systems.

haven's People

Contributors

Stargazers

Watchers

haven's Issues

Add seed data for development purposes

Right now, there is no seed data, which makes developing just a bit more difficult, since an user needs to be created before you can login. There should be some seed data to make development a little bit easier.

The db/seeds.rb file can be used to accommodate this.

Increase testcoverage

There seems to be quite a lack of tests. Increasing the test coverage not only increases developer confidence when building new stuff (the old stuff will not break), but it also documents the expected behaviour.

By default uses Minitest, but we could make the argument that RSpec is also a fine choice, because it is arguably better readable.

Add a security policy

Hey there!

I belong to an open source security research community, and a member (@vanlan12) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Custom Favicon

It would be great to be able to customize the favicon by uploading a new image.

[Feature Request] Add RTL support

It would be nice if haven would support RTL languages. It means that when you wrote in these languages, then the text will appear from right to left instead from left to right.

Nginx requires some extra configuration due to the redirects

There's a few configuration options on nginx (and I'm certain a few others as well), that need to be set up, due to the redirects that the application is performing. A few lines of "maybe you need these options on nginx" would fit in?

TicketAuth support?

Hi, there's been some pretty great strides in support for IndieAuth Ticket Auth which is a simple mechanism for publishers to provide a bearer authentication token to clients (such as feed readers), which is significantly more secure than private per-user feeds. Are there any plans to support that on the reader and/or publisher side of Haven?

Getting more widespread adoption of this mechanism would be great.

Unable to make any edits when on https

When on https (certificate through certbot), using apache and reverse proxy:
when making some edits such as:

login
create post

I got this error:

HTTP Origin header (https://blog.<my website obscured name>.com) didn't match request.base_url (http://blog.<my website obscured name>.it)

Do I have to force HTTP instead of HTTPS?

docker-compose setup - css and other style changes do not take effect

Thanks for this great OSS project... I've got it working in a docker-compose file (see attached example) and trying to customise the font and CSS layout as per the help docs the project sends me to. Nothing seems to happen... even restarting the service makes no difference.

docker-comp.txt

Is there another docker volume I should mount locally for these changes to persist?
This is while using Firefox browser.

Thx.

Contribution guidelines?

Do you plan on adding contribution guidelines? I would love to help out where possible if there's a need and/or desire for contributions. If not, no worries. Just wanted to get the conversation going if there's one to be had.

How to deploy on own server?

How to deploy this on own server? Not on AWS, not on a Pi, just on a regular Linux VM. Thanks!

Add tag to github repo for easier discovery of this project

This is a suggestion and not related to the code. By adding tag other people could also find this project by topics. (BTW I found this via HN).

For the tags, I suggest the followings (obvious) tags

self-hosted
social networking

own reverse proxy

Hello, good day, I am trying to get Haven to work with the deploy-pi.sh script, however, I have some doubts, I have my own reverse proxy to expose the server to the internet, which part of the script would I have to delete for everything to work ok, try removing the parts of:


## HTTPS with Letsencrypt
#Rewrite Apache config to fix http -> https redirect

However, I get a server not available error, could you guide me a little, thanks

Docker support

I believe the project could greatly benefit from Docker (and compose) support. Making it easier to setup on machines that are not single purpose (like a raspberry pi or AWS instances) can be greatly beneficial in getting a greater adoption for Haven.

We can start with a rough base and refine from there.

Who to contact for security issues

Apologies for any inconveniences caused; posted erroneously.

Using email to reset password? And a styling QoL suggestion

Hello! I'm starting to use Haven finally (we had talked over email before!) and after a pause in using it, and having changed my password, I got locked out. I have no idea how to get the password back (sadly my password manager didn't catch that I changed it) and was wondering if a possible feature to have an email reset the password would be able to be included?

I also was wondering if it would be possible to make the CSS editing a bit easier. I know some CSS/HTML, but I couldn't find an easy guide on how to start editing it as far as CSS classes and such. I know I can inspect element in my browser, but it might be worthwhile to either make note of some tips on styling it, or something along those lines? Especially for people who might not be quite as knowledgeable. If there is a guide somewhere, I apologize! I'm bad at finding things sometimes.

Thank you for your time and I really like the project!

Share without username and password

It's not specifically stated if this is a goal at all, but is there a way to make posts globally visible? Meaning you don't need a password to see.

For example

blog.domain.com/public

Index of

Hello, I have tried to follow the steps of the script except for the part of the certificate and the https redirection and when I try to see the server the index of it appears instead of the haven app, what step could I have omitted? Thanks and regards

editing someone elses post behaviour leads to them can no longer able to edit or delete

If an Administrator edits a Publishers' post that the original Publisher can no longer edit or delete their original post.
Is this intended behaviour or should the ownership of a post remain with original creator?

Missing settings on new run

Started through docker_compose (see below) and after first login it was a 500 error.
Reading the production.log (inside the container) it was missing @setting so I run Setting.create and it worked.

version: '3.7'
services:
  haven:
    container_name: 'haven-blog'
    image: ghcr.io/havenweb/haven:22dc990
    depends_on:
      - postgresql
    ports:
      - "5030:3000"
    volumes:
      - $BASE_FOLDER_DOCKER/haven_storage:/storage
    environment:
      - RAILS_ENV=production
      - HAVEN_DB_HOST=postgresql
      - HAVEN_DB_NAME=haven
      - HAVEN_DB_ROLE=haven
      - HAVEN_DB_PASSWORD=$HAVEN_DB_PASSWORD
      - HAVEN_USER_EMAIL=$HAVEN_USER_EMAIL
      - HAVEN_USER_PASS=$HAVEN_USER_PASS

  postgresql:
    image: postgres:13.2-alpine
    ports:
      - "5432:5432"
    # https://www.postgresql.org/docs/current/static/non-durability.html
    command: [
      "postgres",
      "-c", "max_connections=1000",
      "-c", "synchronous_commit=off",
      "-c", "fsync=off",
      "-c", "full_page_writes=off",
      "-c", "max_wal_size=4GB",
      "-c", "checkpoint_timeout=30min",
      "-c", "wal_level=logical"
    ]
    environment:
      POSTGRES_HOST_AUTH_METHOD: trust
      POSTGRES_USER: haven
    volumes:
      - $BASE_FOLDER_DOCKER/postgresqldata:/var/lib/postgresql/data

volumes:
  postgresqldata:
    external: false
  haven_storage:
    external: false

Header links are not converting to hamberger menu on mobile causing colliding

When viewing on mobile, the links are stacking instead of converting to a hamburger menu. It's a bit cluttered in the header due to this.

Using an iPhone 12 Pro Max.

No License in the project

Fix Bundler Flags

[DEPRECATED] The `--deployment` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local deployment 'true'`, and stop using this flag
[DEPRECATED] The `--without` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local without 'development test'`, and stop using this flag

Check various deployment scripts, ensure we're using the correct setting.

[Security] Haven v5d15944 Server-Side Request Forgery (SSRF) - CVE-2023-24060

A Security Advisory has been raised for Haven v5d15944 (CVE-2023-24060):

Description:
Haven v5d15944 allows Server-Side Request Forgery (SSRF) via the Feeds functionality.
Malicious authenticated users with the ability to create or add RSS Feeds to the website can supply an arbitrary host such as the host itself in an attempt to scan the internal network.

Affected URL (Parameter):
http://localhost:3000/feeds (url)

Suggested Fix:
Consider performing this action on the client-side. There's no need for the server to fetch the RSS feed, have the user's browser fetch the latest feed when loading the page. This would also remove the need to have a script that will execute every so often to update the RSS feed.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24060
https://nvd.nist.gov/vuln/detail/CVE-2023-24060
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Payload:

POST /feeds HTTP/1.1
Host: localhost:3000
Content-Length: 203
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Cookie: _blog_session=[]
Connection: close

utf8=%E2%9C%93&authenticity_token=[]&feed%5Burl%5D=https%3A%2F%2Fattacker.com%2Frss&commit=Add+Feed

=> ERROR [haven 7/13] RUN APT update 0.4s

[haven 7/13] RUN APT update:
0.345 /bin/sh: 1: APT: not found

failed to solve: process "/bin/sh -c APT update" did not complete successfully: exit code: 127

This is after 2-3 minutes of building, then this error and stops.

Is this a known issues or something someone as seen before? Thanks!

QoL suggestions

Demo Site

Add some sample posts, comments, multiple users to show how it works
On the "Demo Credentials" page, when you click "Login", it requires you to have copied both email and password (or remember the email). Would be better if the email was pre-filled via a query string, maybe? That functionality could also make it easier to add secondary users, if you are managing the email used for them - sending a link where the email is already filled in.

Account Page

Right now, the options for Password are:

Password (leave blank if you don't want to change it)
- 6 characters minimum
Password confirmation
Current password (we need your current password to confirm your changes)

This is confusing.

Either the "Change Password" screen should be a sub-menu (different page), or it should at least have its own header, with its own save button:

Proposed Account Layout

Account

Email
Name
Current Password
- current password required to save changes

save changes

Password

New Password
New Password (again)
Current Password

update password

Delete Account

Current Password
- current password required to delete account

delete account [custom css to make it red, probably]

I'll update if I find more. If I end up using the site, I may open a PR for some of the above.