web4beginners WYSIWYG Multi-Route Deploy

This project runs a local-content WYSIWYG editor behind Traefik and supports multiple route instances on one domain.

Examples:

  • https://mydomain.de/webpage1/
  • https://mydomain.de/webpage2/
  • https://mydomain.de/webpage3/

Files

  • docker-compose.traefik-routes.yml: Traefik-ready multi-service compose file
  • scripts/add-webpage.sh: auto-generate new webpageN route + compose service
  • scripts/editor_server.php: local API + static server (/api/content, /api/save)
  • See Brute-Force Protection for auth hardening details

Requirements

  • Docker + Docker Compose
  • Traefik with external network named proxy

First deploy

docker compose -f docker-compose.traefik-routes.yml up -d --build

Add a new route (autogenerator)

./scripts/add-webpage.sh webpage4 mydomain.de

What it does:

  1. Creates route data folder: /srv/web4beginners/webpage4/
  2. Seeds files if missing:
    • /srv/web4beginners/webpage4/web4beginners.com.html
    • /srv/web4beginners/webpage4/site-content.de.json
  3. Injects webpage4 service into docker-compose.traefik-routes.yml

Then redeploy:

docker compose -f docker-compose.traefik-routes.yml up -d --build

Open:

  • https://mydomain.de/webpage4/

Notes

  • Edit mode is only active with ?edit=1.
  • Saves write both HTML and JSON and create .bak backups.
  • Route names can include letters, numbers, _, -.

Editor claim, login, reset (v1)

  • New deployment starts as unclaimed (viewer-only by default).
  • Open https://mydomain.de/webpageN/?edit=1 to run first-time onboarding.
  • First onboarding claim uses email + password and creates:
    • content/.editor-credentials.json
  • Afterwards, editing requires login. Without auth, users remain viewer.

Password reset (without SMTP)

  • On failed login, trigger reset request.
  • Server writes reset data to:
    • content/.editor-reset.json
  • The file contains reset_url with token.
  • Open that URL, set new password, then login again.

Security note:

  • content/.editor-credentials.json and content/.editor-reset.json are blocked from HTTP access by the server router.
  • Access to these files requires container/filesystem access.
  • Simple brute-force protection is enabled in-app for login/reset (content/.editor-rate-limit.json) with account-based + global per-site thresholds (IP-independent).
  • L3/L4 DDoS and global rate limiting should be handled at Traefik/network level.

Brute-Force Protection

  • Login/Reset limits are enforced in scripts/editor_server.php.
  • Limiting is account-based + global per site (not IP-bound), so IP hopping is less effective.
  • Buckets currently used:
    • login_account, login_global
    • reset_request_account, reset_request_global
    • reset_confirm_account, reset_confirm_global
  • Rate-limit state is stored in:
    • content/.editor-rate-limit.json
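
A sketch of how an account-based plus global per-site login limit can work without looking at the client IP. This is an added example, not the code in scripts/editor_server.php: the thresholds, the window, the hashed account key and the in-memory state layout are assumptions, and only the bucket names login_account and login_global come from the list above.

```php
<?php
// Added example, not the project's code. Limits, window and state layout are assumptions.
const LIMITS = [            // bucket => [max failures, window in seconds] (assumed values)
    'login_account' => [5, 900],
    'login_global'  => [50, 900],
];

// Return the failure timestamps of one key that are still inside the bucket's window.
function recentFailures(array $state, string $bucket, string $key, int $now): array
{
    [, $window] = LIMITS[$bucket];
    $hits = $state[$bucket][$key] ?? [];
    return array_values(array_filter($hits, fn($t) => $t > $now - $window));
}

// An attempt is allowed only if BOTH the per-account and the per-site bucket have room.
function loginAllowed(array $state, string $email, int $now): bool
{
    $acct = hash('sha256', strtolower(trim($email)));   // no plain e-mail in the state
    foreach (['login_account' => $acct, 'login_global' => 'site'] as $bucket => $key) {
        if (count(recentFailures($state, $bucket, $key, $now)) >= LIMITS[$bucket][0]) {
            return false;
        }
    }
    return true;
}

// Record a failed attempt in both buckets, dropping expired timestamps on the way.
function recordFailure(array $state, string $email, int $now): array
{
    $acct = hash('sha256', strtolower(trim($email)));
    foreach (['login_account' => $acct, 'login_global' => 'site'] as $bucket => $key) {
        $state[$bucket][$key] = [...recentFailures($state, $bucket, $key, $now), $now];
    }
    return $state;
}

// Constructed demo: six wrong-password attempts on one account; the source IP is never consulted.
$state = [];
$now = 1700000000;
for ($i = 1; $i <= 6; $i++) {
    $ok = loginAllowed($state, 'editor@example.org', $now + $i);
    echo "attempt $i: " . ($ok ? 'checked' : 'blocked') . "\n";
    $state = recordFailure($state, 'editor@example.org', $now + $i);
}
$other = loginAllowed($state, 'second@example.org', $now + 7);
echo 'other account: ' . ($other ? 'checked' : 'blocked') . "\n";
```

Because the key is the account and not the client address, anyone who knows the editor's e-mail can keep that account blocked for the length of the window; the global bucket caps the total across all accounts on the site.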

Optional env overrides

  • ROOT_BASE (default: /srv/web4beginners)
  • COMPOSE_FILE (default: docker-compose.traefik-routes.yml)

Example:

ROOT_BASE=/data/pages COMPOSE_FILE=docker-compose.traefik-routes.yml ./scripts/add-webpage.sh webpage5 mydomain.de