Hosting with Docker
You can use docker and docker compose to host the Open Web Calendar.
Build the Image
First, clone the repository:
git clone https://github.com/niccokunzmann/open-web-calendar
cd open-web-calendar
To build the container yourself, run:
docker build --tag niccokunzmann/open-web-calendar .
This will create the image niccokunzmann/open-web-calendar.
Run the Docker Image
You can use the existing image: niccokunzmann/open-web-calendar.
docker run -d --rm -p 5000:80 --name open-web-calendar niccokunzmann/open-web-calendar
Then, you should see your service running at http://localhost:5000.
To stop the service, run:
docker stop open-web-calendar
Container Tags
The container niccokunzmann/open-web-calendar:latest contains the latest release. Containers are also tagged with the version from the changelog, e.g. niccokunzmann/open-web-calendar:v1.10.
If you wish to run the latest development version, use niccokunzmann/open-web-calendar:master. This includes unchecked translations.
Docker Compose
Use the pre-built Docker Hub image with docker compose:
version: '3'
services:
  open-web-calendar:
    image: niccokunzmann/open-web-calendar
    ports:
      - '80:80'
    environment:
      - OWC_SPECIFICATION="{'privacy_policy':'http://link-to-my-privacy-policy'}"
      - WORKERS=4
    restart: unless-stopped
    networks:
      - owc-net
networks:
  owc-net: # shield the OWC from accessing other services (SSRF protection)
    ipam:
      driver: default # give OWC Internet access
To deploy the Open Web Calendar with docker compose, follow these steps:
- Copy the docker-compose.yml file to the directory from where you want to run the container.
- If needed, change the port mapping and environment variables.
- Start the container:
  docker compose up -d
- The container will be pulled automatically from Docker Hub and then started.
Growing log files
If you use this service, consider setting up log rotation as it is very talkative.
IPv6
By default, docker only uses IPv4. You can enable IPv6.
Update pre-built image with Docker Compose
If you want to update your image with the latest version from Docker Hub, run this:
docker compose pull
Note: You need to restart the container after pulling in order for the update to apply:
docker compose up -d
Preventing SSRF Attacks
By default, the Open Web Calendar has unrestricted access to the local network and the Internet. Adding a proxy to filter its requests is important, especially if you host other services that should not be accessed by external requests. Such an attack is called Server-Side Request Forgery (SSRF).
The Open Web Calendar can be configured to use a proxy to request .ics and other files. Filtering traffic is a complicated task and out of scope for this project. Proxies do that much better!
Preventing SSRF attacks using a Tor proxy
The following example shows the usage of a Tor proxy. You can try it out at tor.open-web-calendar.hosted.quelltext.eu.
version: '3'
services:
  tor-open-web-calendar:
    image: niccokunzmann/open-web-calendar:master
    restart: unless-stopped
    environment:
      # use socks5h for *.onion
      # see https://stackoverflow.com/a/42972942/1320237
      - HTTP_PROXY=socks5h://tor-socks-proxy:9150
      - HTTPS_PROXY=socks5h://tor-socks-proxy:9150
      - ALL_PROXY=socks5h://tor-socks-proxy:9150
      - ALLOWED_HOSTS=
    # optional: create a private network so OWC cannot access the Internet directly
    networks:
      - no-internet-only-tor
  # from https://hub.docker.com/r/peterdavehello/tor-socks-proxy/
  tor-socks-proxy:
    image: peterdavehello/tor-socks-proxy # use :test for arm64
    restart: unless-stopped
    # optional: allow access to OWC and the Internet
    networks:
      - default
      - no-internet-only-tor
networks:
  default:
    ipam:
      driver: default
  no-internet-only-tor: # see https://stackoverflow.com/a/51964169/1320237
    driver: bridge
    internal: true
The configuration above prevents access to the internal network as the requests are sent over the Tor network. A bonus feature is that calendars can be accessed and hosted as a Tor Hidden Service using an .onion address. E.g. a calendar file can be served from a Raspberry Pi behind a home network's firewall. This example calendar uses this onion address.
See also:
Preventing SSRF attacks using a Squid Proxy
The Squid proxy is a flexible and highly configurable proxy server. The Open Web Calendar can be configured to use it to request .ics and other files.
Use this as your docker-compose.yml file:
version: '3'
services:
  open-web-calendar:
    image: niccokunzmann/open-web-calendar
    restart: unless-stopped
    environment:
      - HTTP_PROXY=http://squid-container:3128
      - HTTPS_PROXY=http://squid-container:3128
      - ALL_PROXY=http://squid-container:3128
  # see https://hub.docker.com/r/ubuntu/squid
  squid-container:
    image: ubuntu/squid
    environment:
      - TZ=UTC
    volumes:
      - ./open-web-calendar.conf:/etc/squid/conf.d/00-open-web-calendar.conf
Then add the following open-web-calendar.conf file to the same directory.
## Example rule to deny access to your local networks.
## Adapt to list your (internal) IP networks from where browsing
## should be allowed
acl owc_forbidden dst 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl owc_forbidden dst 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl owc_forbidden dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl owc_forbidden dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl owc_forbidden dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl owc_forbidden dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl owc_forbidden dst fc00::/7 # RFC 4193 local private network range
acl owc_forbidden dst fe80::/10 # RFC 4291 link-local (directly plugged) machines
## If the Open Web Calendar runs on another machine, not localhost (127.0.0.1),
## fill in the network or IP of that machine here and allow access from it.
# acl owc_host src 127.0.0.1 # Allow Access to Squid from localhost (default)
acl owc_host src 172.16.0.0/12 # Uncomment if you run the Open Web Calendar as a docker service
## Access from owc_host is allowed to all but forbidden networks
http_access allow owc_host !owc_forbidden
http_access deny all
## Use IPv4 for DNS
## See https://superuser.com/a/1443889
dns_v4_first on
Then, you can start the service with this command:
docker compose up -d
When you try to access a forbidden calendar with the local open-web-calendar, e.g. http://172.16.0.1/calendar.ics, you will see this error message:
403 Client Error: Forbidden for url: http://172.16.0.1/calendar.ics
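The following check is an added example, not part of the Open Web Calendar project or of Squid: it parses the owc_forbidden dst lines from the open-web-calendar.conf above and reports which destination addresses that ACL matches, so you can review the list before deploying it. The helper names (parse_dst_acl, is_forbidden, audit) and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Added example; helper names are illustrative, not part of Squid or OWC.
# ACL lines copied from the open-web-calendar.conf shown above (comments dropped).
SQUID_CONF = """
acl owc_forbidden dst 0.0.0.1-0.255.255.255
acl owc_forbidden dst 10.0.0.0/8
acl owc_forbidden dst 100.64.0.0/10
acl owc_forbidden dst 169.254.0.0/16
acl owc_forbidden dst 172.16.0.0/12
acl owc_forbidden dst 192.168.0.0/16
acl owc_forbidden dst fc00::/7
acl owc_forbidden dst fe80::/10
"""

def parse_dst_acl(conf, name):
    """Return (first, last) address pairs for each `acl <name> dst ...` entry."""
    ranges = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:3] != ["acl", name, "dst"]:
            continue
        for spec in fields[3:]:
            if "-" in spec:  # first-last range form, as on the first ACL line
                first, last = (ipaddress.ip_address(p) for p in spec.split("-", 1))
            else:  # CIDR form
                net = ipaddress.ip_network(spec, strict=False)
                first, last = net.network_address, net.broadcast_address
            ranges.append((first, last))
    return ranges

def is_forbidden(address, ranges):
    """True if the destination address lies inside any parsed range."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == lo.version and lo <= ip <= hi for lo, hi in ranges)

def audit(addresses, conf=SQUID_CONF, name="owc_forbidden"):
    """Map each destination to 'deny' or 'allow' as the ACL would classify it."""
    ranges = parse_dst_acl(conf, name)
    return {a: "deny" if is_forbidden(a, ranges) else "allow" for a in addresses}

# Constructed test destinations; replace with addresses from your own network.
SAMPLES = ["172.16.0.1", "172.32.0.1", "10.1.2.3", "169.254.169.254",
           "fd00::1", "127.0.0.1", "93.184.216.34"]

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLES).items():
        print(f"{addr:>16}  {verdict}")
```

A range that is not listed, such as loopback, is reported as allow; add any ranges your setup needs to open-web-calendar.conf and re-run the check.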
Automatic Updates
If you have not pinned your version but use the latest or master tag, you can automatically update all the required services.
Create an update.sh file next to your docker-compose.yml file and add this content:
#!/bin/bash
#
# update the services
#
cd "`dirname \"$0\"`"
docker compose pull
docker compose create
docker compose up -d --remove-orphans
# clean up
# see https://stackoverflow.com/a/46159681/1320237
docker system prune -a -f
docker rm -v $(docker ps -a -q -f status=exited)
docker rmi -f $(docker images -f "dangling=true" -q)
docker volume ls -qf dangling=true | xargs -r docker volume rm
Make update.sh executable.
chmod +x update.sh
Add a cron job to update everything at 3am daily (when there is an update). Run this as the user who has access to the docker command:
crontab -e
And add this line:
0 3 * * * /path/to/update.sh > /path/to/update.sh.log 2>&1
Further Configuration
After you have set up your server, you can configure its behavior.