add a new reverse_proxy option to allow serving app without a reverse proxy

burpui/app.py

@@ -183,8 +183,7 @@ def create_celery(myapp, warn=True):
     return None
 
 
-def create_app(conf=None, verbose=0, logfile=None, gunicorn=True,
-               unittest=False, debug=False, cli=False):
+def create_app(conf=None, verbose=0, logfile=None, **kwargs):
     """Initialize the whole application.
 
     :param conf: Configuration file to use
@@ -196,21 +195,20 @@ def create_app(conf=None, verbose=0, logfile=None, gunicorn=True,
     :param logfile: Store the logs in the given file
     :type logfile: str
 
-    :param gunicorn: Enable gunicorn engine instead of flask's default
-    :type gunicorn: bool
-
-    :param unittest: Are we running tests (used for test only)
-    :type unittest: bool
-
-    :param debug: Enable debug mode
-    :type debug: bool
-
-    :param cli: Are we running the CLI
-    :type cli: bool
+    :param kwargs: Extra options:
+                   - gunicorn (bool): Enable gunicorn engine instead of flask's
+                     default. Default is True.
+                   - unittest (bool): Are we running tests (used for test only).
+                     Default is False.
+                   - debug (bool): Enable debug mode. Default is False.
+                   - cli (bool): Are we running the CLI. Default is False.
+                   - reverse_proxy (bool): Are we behind a reverse-proxy.
+                     Default is True if gunicorn is True
+    :type kwargs: dict
 
     :returns: A :class:`burpui.server.BUIServer` object
     """
-    from flask import g
+    from flask import g, request
     from flask_login import LoginManager
     from flask_bower import Bower
     from flask_babel import gettext
@@ -224,6 +222,12 @@ def create_app(conf=None, verbose=0, logfile=None, gunicorn=True,
 
     logger = logging.getLogger('burp-ui')
 
+    gunicorn = kwargs.get('gunicorn', True)
+    unittest = kwargs.get('unittest', False)
+    debug = kwargs.get('debug', False)
+    cli = kwargs.get('cli', False)
+    reverse_proxy = kwargs.get('reverse_proxy', gunicorn)
+
     # The debug argument used to be a boolean so we keep supporting this format
     if isinstance(verbose, bool):
         if verbose:
@@ -282,7 +286,9 @@ def create_app(conf=None, verbose=0, logfile=None, gunicorn=True,
         'logfile: {}\n'.format(logfile) +
         'gunicorn: {}\n'.format(gunicorn) +
         'debug: {}\n'.format(debug) +
-        'unittest: {}'.format(unittest)
+        'unittest: {}\n'.format(unittest) +
+        'cli: {}\n'.format(cli) +
+        'reverse_proxy: {}'.format(reverse_proxy)
     )
 
     if not unittest:
@@ -345,9 +351,8 @@ def create_app(conf=None, verbose=0, logfile=None, gunicorn=True,
 
     app.wsgi_app = ReverseProxied(app.wsgi_app, app)
 
-    # Manage gunicorn special tricks & improvements
-    if gunicorn:  # pragma: no cover
-        logger.info('Using gunicorn')
+    # Manage reverse_proxy special tricks & improvements
+    if reverse_proxy:  # pragma: no cover
         from werkzeug.contrib.fixers import ProxyFix
 
         app.wsgi_app = ProxyFix(app.wsgi_app)
@@ -484,6 +489,16 @@ def create_app(conf=None, verbose=0, logfile=None, gunicorn=True,
     bower = Bower()
     bower.init_app(app)
 
+    def _check_session(user, request):
+        if user and not session_manager.session_in_db():
+            login = getattr(user, 'name', None)
+            if login:
+                session_manager.store_session(
+                    login,
+                    request.remote_addr,
+                    request.headers.get('User-Agent')
+                )
+
     @app.before_request
     def setup_request():
         g.locale = get_locale()
@@ -501,14 +516,18 @@ def create_app(conf=None, verbose=0, logfile=None, gunicorn=True,
     def load_user(userid):
         """User loader callback"""
         if app.auth != 'none':
-            return app.uhandler.user(userid)
+            user = app.uhandler.user(userid)
+            _check_session(user, request)
+            return user
         return None
 
     @app.login_manager.request_loader
     def load_user_from_request(request):
         """User loader from request callback"""
         if app.auth != 'none':
-            return basic_login_from_request(request, app)
+            user = basic_login_from_request(request, app)
+            _check_session(user, request)
+            return user
 
     @app.after_request
     def after_request(response):

contrib/systemd/bui-agent.service

@@ -5,6 +5,7 @@ After=network.target
 [Service]
 ExecStart=/usr/local/bin/bui-agent
 User=burpui
+Group=burpui
 
 [Install]
 WantedBy=multi-user.target

contrib/systemd/bui-gunicorn.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Burp-UI gunicorn service
+After=network.target
+
+[Service]
+User=burpui
+Group=burpui
+ExecStart=/usr/local/bin/gunicorn -c /etc/burp/burpui_gunicorn.py 'burpui:create_app(conf="/etc/burp/burpui.cfg",logfile="/var/log/gunicorn/burp-ui_info.log")'
+
+[Install]
+WantedBy=multi-user.target

docs/gunicorn.rst

@@ -27,6 +27,7 @@ can play with:
 - conf: Path to the `Burp-UI`_ configuration file
 - verbose: Verbosity level between 0 and 4
 - logfile: Path to a logfile in order to log `Burp-UI`_ internal messages
+- reverse_proxy: Whether we are behind a reverse-proxy or not (defaults to True)
 
 .. warning:: You **MUST** set the *appsecret* option in your configuration
              file when using gunicorn.
@@ -41,13 +42,13 @@ Advanced usage
 `Gunicorn`_ supports further settings (see its `documentation
 <http://docs.gunicorn.org/en/stable/>`_ for details).
 For instance, you would probably like to use the ``-c`` flag with the sample
-configuration file bundled with `Burp-UI`_ in *contrib/gunicorn/burpui_config.py*.
+configuration file bundled with `Burp-UI`_ in *contrib/gunicorn/burpui_gunicorn.py*.
 
 Usage example:
 
 ::
 
-    gunicorn -c burpui_config.py 'burpui:create_app(conf="/etc/burp/burpui.cfg",logfile="/var/log/gunicorn/burp-ui_info.log")'
+    gunicorn -c burpui_gunicorn.py 'burpui:create_app(conf="/etc/burp/burpui.cfg",logfile="/var/log/gunicorn/burp-ui_info.log")'
 
 
 Daemon
@@ -56,24 +57,13 @@ Daemon
 If you wish to run `Burp-UI`_ as a daemon process, the recommanded way is to use
 `Gunicorn`_.
 
-When installing the *gunicorn* package on debian, there is a handler script that
-is able to start several instances of `Gunicorn`_ as daemons.
+Requirements
+^^^^^^^^^^^^
 
-All you need to do is installing the *gunicorn* package and adding a
-configuration file in */etc/gunicorn.d/*.
-
-There is a sample configuration file available
-`here <https://git.ziirish.me/ziirish/burp-ui/blob/master/contrib/gunicorn.d/burp-ui>`__.
-
-If you are using this sample configuration file, make sure to create the
-*burpui* user with the appropriate permissions first:
+First of all, you'll need a dedicated user.
 
 ::
 
-    # install the gunicorn package
-    apt-get install gunicorn
-    # copy the gunicorn sample configuration
-    cp /usr/local/share/burpui/contrib/gunicorn.d/burp-ui /etc/gunicorn.d/
     # create the burpui user
     useradd -m -r -d /var/lib/burpui -c 'Burp-UI daemon user' burpui
     mkdir /etc/burp
@@ -124,12 +114,7 @@ Now you need to add the *bui-agent1* client to the authorized clients:
 
 
 Finally, make sure you set ``bconfcli: /var/lib/burpui/burp.conf`` in your 
-`Burp-UI`_ configuration filei (*/etc/burp/burpui.cfg*), and then you can
-restart `Gunicorn`_:
-
-::
-
-    service gunicorn restart
+`Burp-UI`_ configuration file (*/etc/burp/burpui.cfg*).
 
 
 If you want to take advantage of *advanced* features such as client add/removal
@@ -158,6 +143,59 @@ Finally you can restart your ``burp-server``.
 .. note:: The above commands are meant for *default* setup. You may need to
           adapt the paths.
 
+
+Debian-style
+^^^^^^^^^^^^
+
+When installing the *gunicorn* package on debian, there is a handler script that
+is able to start several instances of `Gunicorn`_ as daemons.
+
+All you need to do is installing the *gunicorn* package and adding a
+configuration file in */etc/gunicorn.d/*.
+
+There is a sample configuration file available
+`here <https://git.ziirish.me/ziirish/burp-ui/blob/master/contrib/gunicorn.d/burp-ui>`__.
+
+::
+
+    # install the gunicorn package
+    apt-get install gunicorn
+    # copy the gunicorn sample configuration
+    cp /usr/local/share/burpui/contrib/gunicorn.d/burp-ui /etc/gunicorn.d/
+    # now restart gunicorn
+    service gunicorn restart
+
+
+Systemd
+^^^^^^^
+
+On non debian systems, the handler script may not be available. You will then
+have to create your own service. We can do this for systemd for example:
+
+::
+
+    # copy the gunicorn configuration file
+    cp /usr/local/share/contrib/gunicorn/burpui_gunicorn.py /etc/burp/
+    # create the service file
+    cat >/etc/systemd/service/bui-gunicorn.service<<EOF
+    [Unit]
+    Description=Burp-UI gunicorn service
+    After=network.target
+
+    [Service]
+    User=burpui
+    Group=burpui
+    ExecStart=/usr/local/bin/gunicorn -c /etc/burp/burpui_gunicorn.py 'burpui:create_app(conf="/etc/burp/burpui.cfg",logfile="/var/log/gunicorn/burp-ui_info.log")'
+
+    [Install]
+    WantedBy=multi-user.target
+    EOF
+    # enable the new service
+    systemctl enable bui-gunicorn.service
+    # start the service
+    systemctl start bui-gunicorn.service
+
+
 Reverse-Proxy
 -------------