🔥 Holiday Sale! 25% Off Platinum Membership and up to 50% Off on Deployarr (ends December 31).

5 Simple steps to secure TT-RSS reader

We recently presented Tiny Tiny RSS to you as a great alternative to Google reader, which is one more way you can extend the functionality of your home server or your hosting space. Hopefully, you already exported your data from Google Reader. In this post, we will show you how to secure TT-RSS reader to prevent unauthorized access. Tiny Tiny RSS is an open source web-based news feed (RSS/Atom) reader and aggregator, designed to allow you to read news from any location, while feeling as close to a real desktop application as possible. As we previously explained, it makes an ideal candidate to replace Google Reader. While there are services like Feedly and Newsblur grabbing the crowd Google Reader, which some of you may prefer, there are a group of people who would like to run a RSS reader on their own server and keep things private. Assuming that you have already installed Tiny Tiny RSS on your alternative to Google reader or hosting space, we will now show you how to secure TT-RSS reader.

Secure TT-RSS Reader

One of the main reasons to move to an RSS aggregator like TT-RSS is maintaining your privacy. So if you do not secure TT-RSS reader well you are not only making your data available public but also making your system vulnerable to potential attacks. Choosing a strong username and password while setting your TT-RSS is the first basic thing that you can do to secure TT-RSS reader. Listed below are few more ways you can increase TT-RSS reader's security.

1. Rename TT-RSS Folder

One of the first lines of defense is to not use tt-rss in your URL to access your TT-RSS reader. To do this on your hosting account, use a folder name other than tt-rss while installing TT-RSS. On your Linux home server, edit /etc/tt-rss/apache.conf and change the first /tt-rss to something else. An example is shown below.

Tt-Rss Rename Url
Tt-Rss Rename Url

After making the change, restart your TT-RSS and Apache to apply the changes:

sudo service tt-rss restart
sudo serivce apache2 reload

Your TT-RSS reader is now available through the new URL (example: http://mydomain.com/myreader) only.

2. Enable SSL

Accessing TT-RSS through http sends all information as unencrypted data. This could mean less privacy due to potential sniffing. The solution is to encrypt the data during transfer, which makes sniffing by hackers harder. To enable and enforce HTTPS access on Linux servers with Apache, install the following run-time libraries:

sudo apt-get install libssl0.9.8 libpam0g openssl

Restart your Apache server as shown above. You should now be able to access your TT-RSS reader with HTTPS. Note that you may have to have a SSL certificate generated. Refer to Apache documentation if you want to generate your own certificate. By default, the system will install self-signed certificates for you. These certificates are likely to raise warnings when you point your browser to the site.

3. Disable Single User Mode

By default the single user mode is already disabled (in /etc/tt-rss/config.php). Enabling single user mode will also disable TT-RSS login system. Therefore, keep the single user mode disabled.

Disable Single User Mode
Disable Single User Mode

A better way to make it a single user system is by limiting the number of registrations to 1 as described below. For whatever reason, you still want to enable single user mode, make sure you implement Apache Authentication method described below.

4. Self Registrations

Self registrations allow a visitor to register themselves, which could reduce TT-RSS security. If your TT-RSS will be for personal use only, then you may want to disable user registration by setting "ENABLE_REGISTRATION" to "false".

Tt-Rss Self Registrations
Tt-Rss Self Registrations

To further secure TT-RSS Reader, uou may also want to change "REG_MAX_USERS" to "1" to make your account the only account on TT-RSS.

Asus Ac68UASUS (RT-AC68U) Wireless-AC1900 Dual-Band Gigabit Router Asus Ac68U ReviewsFind out why it is rated the best wireless router in its class.

5. Apache Authentication

Last but not the least, enable Authentication. This is even more important if you have enabled "Single User Mode" describe above. Every time you access TT-RSS, you will be asked for a username and password as shown in the picture below:

Secure Tt-Rss Reader

On your hosting account this equivalent to password protecting a directory, in this case the TT-RSS directory. To do this on your Ubuntu server, you will have to create a .htpasswd file. More information is available in Apache documentation. But the easiest way to achieve this is to use one of the htpasswd generators available online.

After you enter the username and password two code blocks will be generated. Copy the contents of the .htpasswd code block and save it to /etc/apache2/.htpasswd_ttrss. Next, copy the contents of the .htaccess code block and add it to /etc/tt-rss/apache.conf as shown below:

Tt-Rss Apache Authentication
Tt-Rss Apache Authentication

Save and exit. Restart both TT-RSS and Apache previous shown above. You should be prompted for a password every time you try to access TT-RSS. Some may think that this double authentication method is an extra inconvenience. But I would rather be safe than sorry.

Go ahead, secure Tiny Tiny RSS Reader and enjoy reading articles on your private secure RSS Reader.

Be the 1 in 200,000. Help us sustain what we do.
125 / 150 by Dec 31, 2024
You will gain benefits such as Deployarr access, discord roles, exclusive content, ad-free browsing, and more.
🔥 Holiday Sale! 25% Off Platinum Membership $399.99 $299.99 (ends December 31).
Join the Geek Army (starting from just $1.67/month)

Anand

Anand is a self-learned computer enthusiast, hopeless tinkerer (if it ain't broke, fix it), a part-time blogger, and a Scientist during the day. He has been blogging since 2010 on Linux, Ubuntu, Home/Media/File Servers, Smart Home Automation, and related HOW-TOs.

Holiday Sale