Merge branch 'master' into feat/approval-new

# Conflicts: # models/error.go # models/migrations/migrations.go # models/models.go # public/js/index.js
2018-05-19 18:17:01 +02:00 · 2018-05-19 18:17:01 +02:00 · a8dc699e74
commit a8dc699e74
parent e5bde1405f 81b4d38f01
251 changed files with 41347 additions and 145 deletions
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@ -272,6 +272,10 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `MAX_GIT_DIFF_FILES`: **100**: Max number of files shown in diff view.
 - `GC_ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`.

+## U2F (`U2F`)
+- `APP_ID`: **`ROOT_URL`**: Declares the facet of the application. Requires HTTPS.
+- `TRUSTED_FACETS`: List of additional facets which are trusted. This is not support by all browsers.
+
 ## Markup (`markup`)

 Gitea can support Markup using external tools. The example below will add a markup named `asciidoc`.
--- a/docs/content/doc/features/comparison.en-us.md
+++ b/docs/content/doc/features/comparison.en-us.md
@ -535,6 +535,15 @@ _Symbols used in table:_
      <td>✓</td>
      <td>✓</td>
    </tr>
+    <tr>
+      <td>FIDO U2F (2FA)</td>
+      <td>✓</td>
+      <td>✘</td>
+      <td>✓</td>
+      <td>✓</td>
+      <td>✓</td>
+      <td>✓</td>
+    </tr>
    <tr>
      <td>Webhook support</td>
      <td>✓</td>
--- a/docs/content/doc/usage/fail2ban-setup.md
+++ b/docs/content/doc/usage/fail2ban-setup.md
@ -0,0 +1,60 @@
+---
+date: "2018-05-11T11:00:00+02:00"
+title: "Usage: Setup fail2ban"
+slug: "fail2ban-setup"
+weight: 16
+toc: true
+draft: false
+menu:
+  sidebar:
+    parent: "usage"
+    name: "Fail2ban setup"
+    weight: 16
+    identifier: "fail2ban-setup"
+---
+
+# Fail2ban setup to block users after failed login attemts
+
+**Remember that fail2ban is powerful and can cause lots of issues if you do it incorrectly, so make 
+sure to test this before relying on it so you don't lock yourself out.**
+
+Gitea returns an HTTP 200 for bad logins in the web logs, but if you have logging options on in 
+`app.ini`, then you should be able to go off of log/gitea.log, which gives you something like this 
+on a bad authentication:
+
+```log
+2018/04/26 18:15:54 [I] Failed authentication attempt for user from xxx.xxx.xxx.xxx
+```
+
+So we set our filter in `/etc/fail2ban/filter.d/gitea.conf`:
+
+```ini
+# gitea.conf
+[Definition]
+failregex =  .*Failed authentication attempt for .* from <HOST>
+ignoreregex =
+```
+
+And configure it in `/etc/fail2ban/jail.d/jail.local`:
+
+```ini
+[gitea]
+enabled = true
+port = http,https
+filter = gitea
+logpath = /home/git/gitea/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+```
+
+Make sure and read up on fail2ban and configure it to your needs, this bans someone 
+for **15 minutes** (from all ports) when they fail authentication 10 times in an hour.
+
+If you run Gitea behind a reverse proxy with nginx (for example with docker), you need to add
+this to your nginx configuration so that IPs don't show up as 127.0.0.1: 
+
+```
+proxy_set_header X-Real-IP $remote_addr;
+```