Quote:
Originally Posted by kovidgoyal
Umm just use the Virtual library facility inside the server. i.e. any user that wants to restrict the view to a virtual library can simply choose that virtual library by clicking the three dots in the top right corner and choosing Virtual Library.
|
You mean the V2 - WebFrontend? This is a point, right, but the OPDS interface honors --with-library, so for me this is enough.
What I never tried is if you can restrict access to this button / "choose - virtlib site" with the help of Apache, but for me this is not as important.
And with V3, thanks to the new userdb (in general a good idea I think), access can be restricted.
Quote:
Originally Posted by kovidgoyal
Instead of describing your somewhat convoluted existing setup, why don't you describe what you are actually trying to do?
|
What I'm trying to do is to achieve the same (or similar) behaviour that worked in V2 with the architecture changes you made with V3. So I HAVE to describe what I have now with V2 as this is exactly what I'm trying to do in V3.
Perhaps some pictures will clear things up. In the attachments in "calibre-V2.png" you find the architecture I implemented with calibre-server V2.
As you can see, I have with V2:
- An Apache vHost with many Locations (not just calibre), each using BasicAuth ldap
Concerning calibre:
- 2 different Locations:
  - /calibre, which ends up in a (let's say) "NonAdult" virt.lib.
  - /calibre-all, which ends up in the whole lib.
- This could be realized because calibre-server can be started multiple times with different "--url-prefix" / "--port" and "--with-lib".
- To the Apache Location "/calibre-all" just some users have access (let's say "John" and "Jane", but NOT "Sandra").
- To the Apache Location "/calibre" (which serves the virt.lib "NonAdult") the users "John", "Jane" and additionally "Sandra" have access.
Now I want the same in V3, nothing more, nothing less.
For the following descriptions look in the attachments at "calibre-V3.png":
As you can see here, just one calibre-server can be started, as you restricted that, and therefore the "--virt-lib" option doesn't make sense of course.
What is more: because of the need of "--url-prefix" it isn't possible any longer to have different Apache-Locations ReverseProxying now the only calibre-server as the "Location" directive in Apache has to match the "--url-prefix" Option in calibre, otherwise calibre builds the wrong URLs.
And so I can just have one Apache Location "/calibre" to which all LDAP Users ("John", "Jane" and "Sandra") now have to have access. With V2 this was the point where I could control / restrict access.
But how can access now be restricted for "Sandra" to the "NonAdult" Virt.Lib like before in V2?
In V3 this can just be achieved with enabling the calibre-auth and - in the new userdb - mapping users to virt.libs.
In my example you can see two (technical) users in the calibre-userdb: "All", which is not restricted, and "NonAdult", which is restricted to the virt.lib "NonAdult". (To be exact: a SearchString filtering out Books with concerning tags)
BUT: This implementation does not work at all because of the two BasicAuths (Apache + calibre) following each other, which leads me to your next statement:
Quote:
Originally Posted by kovidgoyal
And I don't see what apache with LDAP as a reverse proxy has to do with anything. The calibre server does not care how it gets the authentication headers, whether directly from a browser or via a proxy in the middle.
|
The point is not HOW calibre gets the AuthHeaders from the browser but WHAT a browser sends in a request. As I said, try yourself (a simple FileBased Auth with a .htusers File will be enough, it doesn't have to be a ldap backend of course).
Will try again to describe in more detail, why this can't work (look at image "calibre-V3.png"):
- Browser requests https://myhost.dyndns.org/calibre
- Apache wants to have valid LDAP credentials (first basic auth)
- User enters valid LDAP credentials (User: "John"), Apache accepts them
- ApacheProxy forwards the request to calibre
- Calibre wants to have valid calibre-credentials (second basic auth)
- User enters calibre credentials (User: "All") (BTW: ugly, entering different credentials two times)
- Calibre accepts the credentials
- CalibreWebFrontend in the Browser requests more content (images, js, css, XHR...)
- Now the important point: Therefore the Browser has again to send AuthHeaders with each following request. But which one? The first (from the ApacheAuth)? Or the second (from the CalibreAuth)? The browser decides the first, the Apache Ones (User: "John")
- Calibre gets the AuthHeader with the Apache Credentials (User: "John", NOT User "All")
- Calibre sends a 401 - Access denied for each following request.
So again my question:
How would you build this scenario in V3 (Basic auth enabled Apache as Proxy and calibre with restricted virtual - libs)?
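
The request sequence listed in the post, modelled as an added example (not code from the post, from calibre or from Apache): a request carries one Authorization header, so credentials valid at one layer are rejected at the other. The passwords and function names are constructed for the illustration, and the proxy is assumed to forward the header unchanged.

```python
import base64

# Constructed credential stores: user names from the post, passwords invented.
APACHE_USERS = {"John": "ldap-pw-1", "Jane": "ldap-pw-2", "Sandra": "ldap-pw-3"}
CALIBRE_USERS = {"All": "calibre-pw-1", "NonAdult": "calibre-pw-2"}


def basic(user, password):
    """Build the value of an Authorization header for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def check(header, users):
    """Return the authenticated user name, or None if missing or invalid."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if users.get(user) == pw else None


def calibre(headers):
    """Backend: accepts only accounts from its own user db."""
    user = check(headers.get("Authorization"), CALIBRE_USERS)
    return (200, user) if user else (401, "calibre")


def apache_proxy(headers):
    """Front end: validates the header itself, then forwards it unchanged (assumption)."""
    if not check(headers.get("Authorization"), APACHE_USERS):
        return (401, "apache")
    return calibre(headers)


def request(authorization=None):
    """One browser request; it can carry only a single Authorization header."""
    headers = {"Authorization": authorization} if authorization else {}
    return apache_proxy(headers)


if __name__ == "__main__":
    print(request())                              # first challenge comes from Apache
    print(request(basic("John", "ldap-pw-1")))    # passes Apache, rejected by calibre
    print(request(basic("All", "calibre-pw-1")))  # rejected by Apache before calibre sees it
```

The second element of each result names the layer that issued the 401, which is the field to look at when reading the proxy and backend access logs side by side.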