Merge pull request FreshRSS#2186 from FreshRSS/dev

FreshRSS 1.13.0

.dockerignore

@@ -1,3 +1,3 @@
-*/.git
-*/data
-*/docs
+**/.git/
+**/data/
+**/docs/

CHANGELOG.md

@@ -1,5 +1,52 @@
 # FreshRSS changelog
 
+## 2018-12-22 FreshRSS 1.13.0
+
+* API
+	* Improvements to the Google Reader API [#2093](https://github.com/FreshRSS/FreshRSS/pull/2093)
+		* Support for [Vienna RSS](http://www.vienna-rss.com/) (client for Mac OS X) [#2091](https://github.com/FreshRSS/FreshRSS/issues/2091)
+	* Contributions to WebSub in third-party systems to support instant push notifications
+		from [Mastodon](https://joinmastodon.org) 2.6.2+ and [Friendica](https://friendi.ca) 2018.12+
+		[#mastodon/9302](https://github.com/tootsuite/mastodon/pull/9302), [#friendica/6137](https://github.com/friendica/friendica/pull/6137)
+		* Rename the PubSubHubbub protocol to use the new standard [WebSub](https://www.w3.org/TR/websub/) name [#2184](https://github.com/FreshRSS/FreshRSS/pull/2184)
+* Features
+	* Ability to import XML files exported from Tiny-Tiny-RSS [#2079](https://github.com/FreshRSS/FreshRSS/issues/2079)
+	* Ability to show all the feeds that have a warning [#2146](https://github.com/FreshRSS/FreshRSS/issues/2146)
+	* Share with Pinboard [#1972](https://github.com/FreshRSS/FreshRSS/issues/1972)
+* UI
+	* Reworked the scrolling of the categories/feeds sidebar [#2117](https://github.com/FreshRSS/FreshRSS/pull/2117)
+		* Native styled scrollbars in Firefox 64+, Chrome.
+	* Show collapsed sidebar in the reader mode [#2169](https://github.com/FreshRSS/FreshRSS/issues/2169)
+	* New shortcuts to move to previous/next article without opening it [#1767](https://github.com/FreshRSS/FreshRSS/pull/1767)
+	* Fix regression from 1.12.0 preventing from closing an article [#2085](https://github.com/FreshRSS/FreshRSS/issues/2085)
+	* Improvements of the Swage theme [#2088](https://github.com/FreshRSS/FreshRSS/pull/2088), [#2094](https://github.com/FreshRSS/FreshRSS/pull/2094)
+	* Many style improvements [#2108](https://github.com/FreshRSS/FreshRSS/pull/2108), [#2115](https://github.com/FreshRSS/FreshRSS/issues/2115),
+		[#1620](https://github.com/FreshRSS/FreshRSS/issues/1620), [#2089](https://github.com/FreshRSS/FreshRSS/pull/2089),
+		[#2122](https://github.com/FreshRSS/FreshRSS/pull/2122), [#2161](https://github.com/FreshRSS/FreshRSS/pull/2161)
+* Deployment
+	* Support for `HTTP_X_FORWARDED_PREFIX` to ease the use of reverse proxies [#2191](https://github.com/FreshRSS/FreshRSS/pull/2191)
+		* Updated Docker + Træfik + Let’s Encrypt deployment guide [#2189](https://github.com/FreshRSS/FreshRSS/pull/2189)
+	* Docker image updated to Alpine 3.8.2 with PHP 7.2.13 and Apache 2.4.35
+	* Fix `.dockerignore` [#2195](https://github.com/FreshRSS/FreshRSS/pull/2195)
+* I18n
+	* Occitan [#2110](https://github.com/FreshRSS/FreshRSS/pull/2110)
+* SimplePie
+	* Update to SimplePie 1.5.2 [#2136](https://github.com/FreshRSS/FreshRSS/pull/2136)
+		* Fix some sanitizing in authors / tags
+	* Strip embedded SVG images for now [#2135](https://github.com/FreshRSS/FreshRSS/pull/2135)
+* Security
+	* Fix HTML injections reported by [Netsparker](https://www.netsparker.com) [#2121](https://github.com/FreshRSS/FreshRSS/issues/2121)
+* Bug fixing
+	* Fix warning in `tempnam()` with PHP 7.1+ affecting ZIP export [#2134](https://github.com/FreshRSS/FreshRSS/pull/2134)
+	* Fix print for views with unfolded articles [#2130](https://github.com/FreshRSS/FreshRSS/issues/2130)
+	* Fix notifications in reader view [#1407](https://github.com/FreshRSS/FreshRSS/issues/1407)
+	* Fix sharing with Movim [#1781](https://github.com/FreshRSS/FreshRSS/issues/1781)
+* Misc.
+	* Add username in configuration menu and exported files [#2133](https://github.com/FreshRSS/FreshRSS/pull/2133)
+	* New option to set the duration of the cookie session [#2137](https://github.com/FreshRSS/FreshRSS/pull/2137)
+	* Add [donation option via Liberapay](https://liberapay.com/FreshRSS/) [#1694](https://github.com/FreshRSS/FreshRSS/issues/1694)
+
+
 ## 2018-10-28 FreshRSS 1.12.0
 
 * Features
@@ -25,6 +72,7 @@
 * Deployment
 	* Fix Docker bug with some cron values [#2032](https://github.com/FreshRSS/FreshRSS/pull/2032)
 	* Perform `git clean -f -d -f` (removes unknown files and folders) before git auto-update method [#2036](https://github.com/FreshRSS/FreshRSS/pull/2036)
+	* Docker image updated to Alpine 3.8.1 with PHP 7.2.8 and Apache 2.4.34
 * Bug fixing
 	* Make article GUIDs case-sensitive also with MySQL [#2077](https://github.com/FreshRSS/FreshRSS/issues/2077)
 	* Ask confirmation for important configuration actions [#2048](https://github.com/FreshRSS/FreshRSS/pull/2048)

CREDITS.md

@@ -44,6 +44,7 @@ People are sorted by name so please keep this order.
 * [MSZ](https://github.com/mszkb): [contributions](https://github.com/FreshRSS/FreshRSS/commits?author=mszkb)
 * [Nico B](https://github.com/youknow0): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:youknow0)
 * [Nicolas Elie](https://github.com/nicolaselie): [contributions](https://github.com/FreshRSS/FreshRSS/commits?author=nicolaselie)
+* [Nicolas Frandeboeuf](https://github.com/nicofrand): [contributions](https://github.com/FreshRSS/FreshRSS/commits?author=nicofrand), [Web](https://nicofrand.ey)
 * [Nicolas Lœuillet](https://github.com/nicosomb): [contributions](https://github.com/FreshRSS/documentation/commits?author=nicosomb), [Web](http://www.loeuillet.org/)
 * [Nicola Spanti](https://github.com/RyDroid): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:RyDroid), [Web](http://www.nicola-spanti.info/)
 * [Olivier Dossmann](https://github.com/blankoworld): [contributions](https://github.com/FreshRSS/FreshRSS/commits?author=blankoworld), [Web](https://olivier.dossmann.net)
@@ -54,12 +55,14 @@ People are sorted by name so please keep this order.
 * [primaeval](https://github.com/primaeval): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:primaeval)
 * [purexo](https://github.com/purexo): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:purexo), [Web](https://purexo.mom/)
 * [Quentin Dufour](https://github.com/superboum): [contributions](https://github.com/FreshRSS/documentation/commits?author=superboum), [Web](http://quentin.dufour.io/)
+* [Quentin Pagès](https://github.com/Quenty31): [contributions](https://github.com/FreshRSS/documentation/commits?author=Quenty31)
 * [Ramón Cutanda](https://github.com/rcutanda): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:rcutanda)
 * [romibi](https://github.com/romibi): [contributions](https://github.com/FreshRSS/FreshRSS/commits/dev?author=romibi)
 * [sirideain](https://github.com/sirideain): [contributions](https://github.com/FreshRSS/FreshRSS/commits/dev?author=sirideain)
 * [subic](https://github.com/subic): [contributions](https://github.com/FreshRSS/documentation/commits?author=subic)
 * [Tets42](https://github.com/Tets42): [contributions](https://github.com/FreshRSS/FreshRSS/commits?author=Tets42)
 * [Thomas Citharel](https://github.com/tcitworld): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:tomgue), [Web](https://www.tcit.fr/)
+* [thomas-gt](https://github.com/thomas-gt): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:thomas-gt)
 * [tomgue](https://github.com/tomgue): [contributions](https://github.com/FreshRSS/FreshRSS/commits?author=tomgue)
 * [Twilek-de](https://github.com/Twilek-de): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:Twilek-de)
 * [Uncovery](https://github.com/uncovery): [contributions](https://github.com/FreshRSS/FreshRSS/pulls?q=is:pr+author:uncovery)

Docker/README.md

@@ -1,7 +1,6 @@
 # Deploy FreshRSS with Docker
-* See also:
-	* https://hub.docker.com/r/freshrss/freshrss/
-	* https://cloud.docker.com/app/freshrss/repository/docker/freshrss/freshrss
+* See also https://hub.docker.com/r/freshrss/freshrss/
+
 
 ## Install Docker
 
@@ -10,9 +9,10 @@ curl -fsSL https://get.docker.com/ -o get-docker.sh
 sh get-docker.sh
 ```
 
+
 ## Optional: Build Docker image of FreshRSS
 Optional, as a *less recent* online image can be automatically fetched during the next step (run),
-but online images are not available for as many platforms as if you build yourself.
+but online images are not available for as many platforms (e.g. Raspberry Pi / ARM) as if you build yourself.
 
 ```sh
 # First time only
@@ -24,53 +24,111 @@ sudo docker pull alpine:3.8
 sudo docker build --tag freshrss/freshrss -f Docker/Dockerfile .
 ```
 
-## Run FreshRSS
-
-Example using SQLite, built-in cron, and exposing FreshRSS on port 8080. You may have to adapt the parameters to fit your needs.
 
+## Create an isolated network
 ```sh
-# You can optionally run from the directory containing the FreshRSS source code:
-cd ./FreshRSS/
+sudo docker network create freshrss-network
+```
+
+## Recommended: use [Træfik](https://traefik.io/) reverse proxy
+It is a good idea to use a reverse proxy on your host server, providing HTTPS.
+Here is the recommended configuration using automatic [Let’s Encrypt](https://letsencrypt.org/) HTTPS certificates and with a redirection from HTTP to HTTPS. See further below for alternatives.
 
-# The data will be saved on the host in `./data/`
-mkdir -p ./data/
+```sh
+sudo docker volume create traefik-letsencrypt
 
+# Just change your e-mail address in the command below:
 sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
-  -v $(pwd)/data:/var/www/FreshRSS/data \
-  -e 'CRON_MIN=5,35' \
-  -p 8080:80 \
-  --name freshrss freshrss/freshrss
+  -v traefik-letsencrypt:/etc/traefik/acme \
+  -v /var/run/docker.sock:/var/run/docker.sock:ro \
+  --net freshrss-network \
+  -p 80:80 \
+  -p 443:443 \
+  --name traefik traefik --docker \
+  --entryPoints='Name:http Address::80 Compress:true Redirect.EntryPoint:https' \
+  --entryPoints='Name:https Address::443 Compress:true TLS TLS.MinVersion:VersionTLS12 TLS.SniStrict:true TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA' \
+  --defaultentrypoints=http,https --keeptrailingslash=true \
+  --acme=true --acme.entrypoint=https --acme.onhostrule=true --acme.tlsChallenge \
+  --acme.storage=/etc/traefik/acme/acme.json --acme.email=you@example.net
 ```
 
-### Examples with external databases
+See [more information about Docker and Let’s Encrypt in Træfik](https://docs.traefik.io/user-guide/docker-and-lets-encrypt/).
 
-You may want to use other link methods such as Docker bridges, and use Docker volumes for the data, but here are some simple examples:
 
-#### MySQL
-See https://hub.docker.com/_/mysql/
+## Run FreshRSS 
+Example using the built-in refresh cron job (see further below for alternatives).
+You must first chose a domain (DNS) or sub-domain, e.g. `freshrss.example.net`.
 
 ```sh
-sudo docker run -d -v /path/to/mysql-data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=rootpass -e MYSQL_DATABASE=freshrss -e MYSQL_USER=freshrss -e MYSQL_PASSWORD=pass --name mysql mysql
+sudo docker volume create freshrss-data
+
+# Remember to replace freshrss.example.net by your server address in the command below:
 sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
-  -v $(pwd)/data:/var/www/FreshRSS/data \
-  -e 'CRON_MIN=17,47' \
-  --link mysql -p 8080:80 \
+  -v freshrss-data:/var/www/FreshRSS/data \
+  -e 'CRON_MIN=4,34' \
+  --net freshrss-network \
+  --label traefik.port=80 \
+  --label traefik.frontend.rule='Host:freshrss.example.net' \
+  --label traefik.frontend.headers.forceSTSHeader=true \
+  --label traefik.frontend.headers.STSSeconds=31536000 \
   --name freshrss freshrss/freshrss
 ```
 
-#### PostgreSQL
-See https://hub.docker.com/_/postgres/
+* If you cannot have FreshRSS at the root of a dedicated domain, update the command above according to the following model:
+	`--label traefik.frontend.rule='Host:freshrss.example.net;PathPrefixStrip:/FreshRSS/' \`
+* You may remove the `--label traefik.*` lines if you do not use Træfik.
+* Add `-p 8080:80 \` if you want to expose FreshRSS locally, e.g. on port `8080`.
+
+This already works with a built-in **SQLite** database (easiest), but more powerful databases are supported:
 
+### [MySQL](https://hub.docker.com/_/mysql/)
 ```sh
-sudo docker run -d -v /path/to/pgsql-data:/var/lib/postgresql/data -e POSTGRES_DB=freshrss -e POSTGRES_USER=freshrss -e POSTGRES_PASSWORD=pass --name postgres postgres
+# If you already have a MySQL instance running, just attach it to the FreshRSS network:
+sudo docker network connect freshrss-network mysql
+
+# Otherwise, start a new MySQL instance, remembering to change the passwords:
+sudo docker volume create mysql-data
 sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
-  -v $(pwd)/data:/var/www/FreshRSS/data \
-  -e 'CRON_MIN=23,53' \
-  --link postgres -p 8080:80 \
-  --name freshrss freshrss/freshrss
+  -v mysql-data:/var/lib/mysql \
+  -e MYSQL_ROOT_PASSWORD=rootpass
+  -e MYSQL_DATABASE=freshrss \
+  -e MYSQL_USER=freshrss \
+  -e MYSQL_PASSWORD=pass \
+  --net freshrss-network \
+  --name mysql mysql
+```
+
+### [PostgreSQL](https://hub.docker.com/_/postgres/)
+```sh
+# If you already have a PostgreSQL instance running, just attach it to the FreshRSS network:
+sudo docker network connect freshrss-network postgres
+
+# Otherwise, start a new PostgreSQL instance, remembering to change the passwords:
+sudo docker volume create pgsql-data
+sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
+  -v pgsql-data:/var/lib/postgresql/data \
+  -e POSTGRES_DB=freshrss \
+  -e POSTGRES_USER=freshrss \
+  -e POSTGRES_PASSWORD=pass \
+  --net freshrss-network \
+  --name postgres postgres
 ```
 
-## Update
+### Complete installation
+Browse to your server https://freshrss.example.net/ to complete the installation via the FreshRSS Web interface,
+or use the command line described below.
+
+
+## Command line
+
+```sh
+sudo docker exec --user apache -it freshrss php ./cli/list-users.php
+```
+
+See the [CLI documentation](../cli/) for all the other commands.
+
+
+## How to update
 
 ```sh
 # Rebuild an image (see build section above) or get a new online version:
@@ -79,35 +137,43 @@ sudo docker pull freshrss/freshrss
 sudo docker stop freshrss
 sudo docker rename freshrss freshrss_old
 # See the run section above for the full command
-sudo docker run ...
+sudo docker run ... --name freshrss freshrss/freshrss
 # If everything is working, delete the old container
 sudo docker rm freshrss_old
 ```
 
-## Command line
+
+## Debugging
 
 ```sh
-sudo docker exec --user apache -it freshrss php ./cli/list-users.php
+# See FreshRSS data if you use Docker volume
+sudo docker volume inspect freshrss-data
+sudo ls /var/lib/docker/volumes/freshrss-data/_data/
+
+# See Web server logs
+sudo docker logs -f freshrss
+
+# Enter inside FreshRSS docker container
+sudo docker exec -it freshrss sh
+## See FreshRSS root inside the container
+ls /var/www/FreshRSS/
 ```
 
-See the [CLI documentation](../cli/) for all the other commands.
 
 ## Cron job to automatically refresh feeds
 We recommend a refresh rate of about twice per hour (see *WebSub* / *PubSubHubbub* for real-time updates).
-There is no less than 3 options. Pick a single one.
+There are no less than 3 options. Pick a single one.
 
 ### Option 1) Cron inside the FreshRSS Docker image
-Easiest, built-in solution, also used in the examples above
+Easiest, built-in solution, also used already in the examples above
 (but your Docker instance will have a second process in the background, without monitoring).
 Just pass the environment variable `CRON_MIN` to your `docker run` command,
 containing a valid cron minute definition such as `'13,43'` (recommended) or `'*/20'`.
 Not passing the `CRON_MIN` environment variable – or setting it to empty string – will disable the cron daemon.
 
 ```sh
-sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
-  -v $(pwd)/data:/var/www/FreshRSS/data \
+sudo docker run ... \
   -e 'CRON_MIN=13,43' \
-  -p 8080:80 \
   --name freshrss freshrss/freshrss
 ```
 
@@ -129,32 +195,15 @@ See cron option 1 for customising the cron schedule.
 
 ```sh
 sudo docker run -d --restart unless-stopped --log-opt max-size=10m \
-  -v $(pwd)/data:/var/www/FreshRSS/data \
+  -v freshrss-data:/var/www/FreshRSS/data \
   -e 'CRON_MIN=17,37' \
+  --net freshrss-network \
   --name freshrss_cron freshrss/freshrss \
   crond -f -d 6
 ```
 
 
-## Debugging
-
-```sh
-# See FreshRSS data (it is on the host)
-cd ./data/
-# See Web server logs
-sudo docker logs -f freshrss
-
-# Enter inside FreshRSS docker container
-sudo docker exec -it freshrss sh
-## See FreshRSS root inside the container
-ls /var/www/FreshRSS/
-```
-
-## Deployment in production
-
-Use a reverse proxy on your host server, such as [Træfik](https://traefik.io/)
-or [nginx](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/),
-with HTTPS, for instance using [Let’s Encrypt](https://letsencrypt.org/).
+## More deployment options
 
 ### Example with [docker-compose](https://docs.docker.com/compose/)
 
@@ -167,7 +216,56 @@ A [docker-compose.yml](docker-compose.yml) file is given as an example, using Po
 	* options under the `labels` section are specific to [Træfik](https://traefik.io/), a reverse proxy. If you are not using it, feel free to delete this section. If you are using it, adapt accordingly to your config, especially the `traefik.frontend.rule` option.
 	* the `environment` section to adapt the strategy to update feeds.
 
-You can then launch the stack (postgres + freshrss) with:
+You can then launch the stack (FreshRSS + PostgreSQL) with:
 ```sh
-docker-compose up -d
+sudo docker-compose up -d
+```
+
+### Alternative reverse proxy using [nginx](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
+
+Here is an example of configuration to run FreshRSS behind an Nginx reverse proxy (as subdirectory).
+In particular, the proxy should be setup to allow cookies via HTTP headers (see `proxy_cookie_path` below) to allow logging in via the Web form method.
+
+```
+upstream freshrss {
+	server 127.0.0.1:8080;
+	keepalive 64;
+}
+
+server {
+	listen 80;
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	server_name mywebsite.example.net;
+	listen 443 ssl http2;
+
+	# Other SSL stuff goes here
+
+	# Needed for Freshrss cookie/session :
+	proxy_cookie_path / "/; HTTPOnly; Secure";
+
+	location / {
+		try_files $uri $uri/ =404;
+		index index.htm index.html;
+	}
+
+	location /freshrss/ {
+		proxy_pass http://freshrss/;
+		add_header X-Frame-Options SAMEORIGIN;
+		add_header X-XSS-Protection "1; mode=block";
+		proxy_redirect off;
+		proxy_buffering off;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Port $server_port;
+		proxy_read_timeout 90;
+	}
+}
 ```