kresus

List of available banks

Installation on Debian 10

INSTALLING NODEJS

# Using Debian, as root
apt install curl wget make gcc g++ python3-pip sudo
curl -sL https://deb.nodesource.com/setup_current.x | bash -
apt-get install -y nodejs

INSTALLING WEBOOB

mkdir /opt/kresus/
git clone https://git.weboob.org/weboob/weboob.git -b stable /opt/kresus/weboob
cd /opt/kresus/weboob
pip3 install .

Add a cron job to keep weboob up to date

23 23 * * * cd /opt/kresus/weboob && git pull origin master

Installing Kresus

# In my case, the nightly build is the one I was able to install.
npm install --production -g kresus@nightly

Install the database of your choice; postgres works very well for me

Initializing the config file

/usr/lib/node_modules/kresus/bin/kresus.js 'create:config' > /opt/kresus/config.ini

It is up to you to fill it in

ADDING A KRESUS SERVICE

vim /etc/systemd/system/kresus.service
[Unit]
Description=Gestionnaire de finances personnelles
After=network.target

[Service]
User=kresus
ExecStart=/usr/lib/node_modules/kresus/bin/kresus.js --config /opt/kresus/config.ini
Type=simple
Restart=always
StandardOutput=journal
StandardError=inherit

[Install]
WantedBy=multi-user.target

Adjust the paths if needed

RELOAD THE DAEMONS, ENABLE AT BOOT AND START KRESUS

sudo systemctl daemon-reload
sudo systemctl enable kresus.service

Directory permissions

chown -R kresus:kresus /opt/kresus

Edit the nginx vhost

To generate it with the latest recommendations: https://ssl-config.mozilla.org/

  • Replace the fields with your values
server {
    listen      80;
    server_name DOMAIN;
    return 301  https://DOMAIN$request_uri;
}

server {
    listen      443 ssl http2;
    server_name DOMAIN;

    auth_basic Authentication;
    auth_basic_user_file /etc/nginx/.kresus_htpasswd;

    # Let's Encrypt:
    ssl_certificate     /etc/letsencrypt/live/DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;

    # SSL configuration :
    #
    # More details to generate this file:
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/

    # drop SSLv3 (POODLE vulnerability)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # enable session resumption to improve https performance
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    ### force timeouts if one of the backends is dead ###
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

    ### Set headers ###
    proxy_set_header        Accept-Encoding   "";
    proxy_set_header        Host              $host;
    proxy_set_header        X-Real-IP         $remote_addr;
    proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;

    ### Most PHP, Python, Rails, Java App can use this header ###
    proxy_set_header        X-Forwarded-Proto $scheme;
    add_header              Front-End-Https   on;

    ### By default we don't want to redirect it ###
    proxy_redirect     off;

    # config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # 15768000 seconds = 6 months
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

    # LOGS
    gzip on;
    access_log /var/log/nginx/DOMAIN_access.log;
    error_log  /var/log/nginx/DOMAIN_error.log;

    location / {
        client_max_body_size  8M;
        send_timeout          600;
        proxy_connect_timeout 600;
        proxy_send_timeout    600;
        proxy_read_timeout    600;
        proxy_pass http://SOCKET;
    }
}

ADDING ACCESS AUTHENTICATION

sudo htpasswd -c /etc/nginx/.kresus_htpasswd USER
  • this is used by the following snippet in the vhost:
    auth_basic Authentication;
    auth_basic_user_file /etc/nginx/.kresus_htpasswd;

TESTING THE NGINX CONFIGURATION AND RELOADING

nginx -t
systemctl reload nginx

Case of a bank with a low security level

  • you will have no choice but to lower the security level (e.g. Caisse d’Épargne)
vim /etc/ssl/openssl.cnf
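
Editing the system-wide OpenSSL configuration lowers the TLS floor for every OpenSSL client on the host, not only for weboob. The script below is an added example, not part of the original page: it reads back the floor in effect after the edit. It assumes Debian's file layout, where MinProtocol and CipherString sit under [system_default_sect] (Debian 10 ships TLSv1.2 and SECLEVEL=2); the function names and the sample file are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes Debian's openssl.cnf
# layout, where the TLS floor is set under [system_default_sect].

# tls_floor FILE|-  ->  prints "MinProtocol=<value> SECLEVEL=<n>"
tls_floor() {
    awk '
        { line = $0; sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line) }
        line ~ /^\[/ { in_sect = (line == "[system_default_sect]"); next }
        !in_sect { next }
        line ~ /^MinProtocol=/ { proto = substr(line, 13) }
        line ~ /^CipherString=/ && match(line, /SECLEVEL=[0-9]+/) {
            level = substr(line, RSTART + 9, RLENGTH - 9)
        }
        END {
            if (proto == "") proto = "unset"
            if (level == "") level = "unset"
            printf "MinProtocol=%s SECLEVEL=%s\n", proto, level
        }
    ' "$1"
}

# tls_floor_lowered FILE|-  ->  exit 0 if the floor is below the Debian 10
# default (TLSv1.2, SECLEVEL 2) or not set in that section, exit 1 otherwise.
tls_floor_lowered() {
    case "$(tls_floor "$1")" in
        "MinProtocol=TLSv1."[23]" SECLEVEL="[2-5]) return 1 ;;
        *) return 0 ;;
    esac
}

# sample_conf PROTO LEVEL -> constructed config mirroring Debian's layout
sample_conf() {
    cat <<EOF
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = $1          # constructed sample value
CipherString = DEFAULT@SECLEVEL=$2
EOF
}

# Demo on constructed input; on the host run: tls_floor /etc/ssl/openssl.cnf
sample_conf TLSv1 1 | tls_floor -
```

Running tls_floor_lowered from a monitoring job makes the downgrade visible, so it can be reverted once the bank no longer needs it.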

Start kresus

systemctl start kresus