Host your own doodles with jawanndenn

Thursday, March 14. 2019

For a website where event dates are offered to a group of users who need to find those dates that most users can attend, doodles are a good solution. There are well known providers for that sort of thing like doodle.com/, dudle.inf.tu-dresden.de/ or www.dfn.de/dienstleistungen/dfnterminplaner/, with the latter two offering better privacy for european users (no transfer of data to servers in the USA).

Still, hosting your very own service is an attractive alternative. For this there is jawanndenn.de/  which can be downloaded from github.com/hartwork/jawanndenn. It is a web application written in python by Sebastian Pipping, libre software.

Installation is easy with

pip install jawanndenn

and then run it from the command line with something like

jawanndenn --host your-domain.tld --port 23456  (the port is arbitrary).
navigate your browser to
https://your-domain.tld:23456 and create your first own poll.

You see the log entries written out on the console. This is nice for testing but to actually use jawanndenn you'll need something more stable than a manually started programm.

As my web server runs with apache this is how I did it:

- set up a subdomain dedicated for the application, like doodle.your-domain.tld

- get certificates for it from Let's Encrypt (i.e. using github.com/lukas2511/dehydrated )

- create a folder for document root of the new subdomain and put a file app.wsgi and a favicon.ico there, the former you'll find at github.com/hartwork/jawanndenn/blob/master/jawanndenn/app.wsgi , the latter can be done with touch as we won't see that icon anyways but it saves 404 log entries to have a file named like it.

- make sure that apache2 has mod_wsgi enabled

- set up a virtual host for it in apache2/sites-available. Example:

#
#
######################################
#  doodle.your-domain.tld
######################################
#
#

# subdomain dedicated for running the jawanndenn web application
# don't separate .conf and .common since this will lead to errors when both :80 and :443 try to set
# a WSGIDaemonProcess with the same name.
# Don't include processes=1 into the WSGIDaemonProcess definition for this will lead to errors "Single process needed"

<VirtualHost :80>
#       include sites-available/doodle.
your-domain.tld.common ## this won't do, see above
        ServerName doodle.
your-domain.tld


        WSGIDaemonProcess doodle user=web123 group=web123 threads=5
        WSGIScriptAlias / /var/www/web123/doodle/app.wsgi

    <Directory /var/www/web123/doodle>
        WSGIProcessGroup doodle
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
    </Directory>

   CustomLog /var/log/apache2/doodle.
your-domain.tld.access.log combined
   ErrorLog  /var/log/apache2/doodle.your-domain.tld.error.log

</VirtualHost>

<VirtualHost
:443>

ServerName doodle.your-domain.tld


    # supply a different name for the WSGIDaemonProcess on :443
    WSGIDaemonProcess doodler user=web123 group=web123 threads=5
    WSGIScriptAlias / /var/www/web123/doodle/app.wsgi

    <Directory /var/www/web123/doodle>
        WSGIProcessGroup doodler
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
    </Directory>

   CustomLog /var/log/apache2/doodle.your-domain.tld.access.log combined
   ErrorLog  /var/log/apache2/doodle.your-domain.tld.error.log


        SSLEngine on

        SSLCertificateFile      /etc/dehydrated/certs/
your-domain.tld/cert.pem
        SSLCertificateKeyFile   /etc/dehydrated/certs/
your-domain.tld/privkey.pem
        SSLCertificateChainFile /etc/dehydrated/certs/
your-domain.tld/chain.pem




</VirtualHost>

Now restart apache2, weed out typos and your done. You create new doodles from doodle.your-domain.tld,
make note of the handle of the new poll and embed it on a web site with an iframe like

<div class="dudel">
<iframe src="https://doodle.your-domain.tld/poll/a9108dcfa12006ce3c229d6f0110c5f976df14e963ddd9b7ffc8618013a0bd7e"
        width="100%" height="600" frameborder="0"
        allowfullscreen >
  <p> <a href="https://developer.mozilla.org/en-US/docs/Glossary">
    Fallback link for browsers that don't support iframes
  </a> </p>
</iframe>
<div>

 

I had no luck trying to use sandbox with the iframe, YMMV

 

Now, is that secure?
Depends.

Do a little exploration with the 'View Web Source' feature of your browser to see all the relevant URIs and handles visible in plain text. Who ever gets to that page with the doodles can do shyte like

  • create 'unofficial' doddle polls
  • post spam as the name of a doodle
  • what the heck

Thus, we do have the security feature of 'data never leave my own site'. Which is cool.
All the rest of your desired security you will have to provide on your own.
 

Now, can I edit a vote? As it comes jawanndenn does not support any editing of votes which is regarded a security feature but makes doodles pretty useless in real life cause people do change opinion all the time. You cannot manually edit the stored votes cause they are stored in a binary format that's hard to access.

What you can do is add that functionality by yoursel like modify the vote() method of the _Poll object to replace the prior vote with the new vote if the name is exactly the same. 

 

Debian 9.2

Apache/2.4.25 (Debian)
Nextcloud 12.0.3
 
https://github.com/husisusi/officeonlin-install.sh/blob/master/README.md
https://github.com/husisusi/officeonlin-install.sh/issues/135
 
mkdir a folder for the script, clone or download the .zip
open officeonline-install.cfg with an editor and adapt the POCO parameters like ExaconAT shared it in the issue 135 (link above)
 
let the script run (started it w/o any parameters). It took about 80 min on my box.
I had to restart the script once because it complained over an inconsistency in /etc/group which needed to be fixed first. After restart the script managed to resume where it had stopped before.
 
created a subdomain for the lool (LibreOffice OnLine) to run in in DNS, a valid certificate for https, a virtual host config to tell apache how to proxy. Check that Apache has the required modules enabled:
proxy_wstunnel proxy proxy_http ssl
 
For the latter I used the example Nextcloud recommends in https://nextcloud.com/collaboraonline/ and this was a source of problems later. It took me hours of try and error & recherche to learn that all the ProxyPassReverse lines need to have a trailing slash at the end of the right hand argument. The relevant bit of the config I use is:
 
# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet/

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery/

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool/
 
The script creates a self signed certificate for lool in /etc/loolwsd
This is not helpful when things do not work at once because chrome and firefox are so very strict against self signed certs and any direct tests of the lool subdomain and the virtual host there are hindered. I got around this by changing the path to the certificate (cert, ca-chain privkey) to point at my valid cert by edit in /opt/online/loolwsd.xml. An increased log level here and file enable="true" are other useful settings here. 
 
Things look fine when https://lool.domain.tld:9980 results in an empty page with ok and https://lool.domain.tld:9980/hosting/discovery returns an xml of wopi discovery. If the latter gives a 500 then the proxy config may be the reason.
 
In nextcloud admin Collabora Online the entry is https://lool.domain.tld:9980 - during my recherche I found several discussions with recommendations to not include the port, but this only adds another error.
 
Sources of error messages included nextcloud admin logging (connection refused as long as the proxying doesnt work), /var/log/loolwsd.log (needs log level increased and file enabled) and of course the messages of systemctl status  loolwsd and systemctl status apache2
 
 
 
(Page 1 of 1, totaling 2 entries)