Calibre is a popular e-book cataloguing, reading, and sharing toolkit. It has an extensive collection of plugins that range from search to DRM removal tools. Using Python, you can write your own Calibre plugins.
Calibre is useful as both a stand-alone application run on a workstation (“run by an end user”) as well as a server offering remote clients access to the collection of books that are catalogued. This collection is called a “Calibre Library” and is essentially a directory whose files are solely managed by Calibre itself. (I.e., treat the Calibre Library folder as though it were a single file, not a folder. You should never have to
cd into the folder or
chmod files in it.)
- 1 Installing
- 2 Configuring
- 2.1 Long-running single Calibre server process
- 2.2 Socket-activated on-demand Calibre server process
- 3 Hardening
- 3.1 Network security
- 3.1.1 Restrict LAN access
- 3.1.2 Disable OPDS advertisements
- 3.1.3 Provide a TLS certificate
- 3.1.4 Use application-level user access control
- 3.2 Host-based security
- 4 Provisioning
On Debian-derived GNU/Linux systems, Calibre can be easily installed from the distribution’s package repositories:
sudo apt install calibre
In many cases, package repositories can be badly outdated. If you want a newer version of Calibre than is available in your Operating System distribution’s package archives, follow the Calibre developer’s instructions to download and install the software.
There are numerous different configurations in which Calibre can be used. This page describes the configurations useful for and familiar to the Tech Autonomy Infrastructure committee needs. Most of this information can also be found in various sections of Calibre’s own user manual.
Long-running single Calibre server process¶
This section describes configuring the
calibre-server binary with systemd to invoke a long-running single Calibre server process using the built-in Web server features of the Calibre software suite after Tor is available:
- Set up the Calibre user if installing Calibre did not already add such a user (use
getent passwd calibreto see if such a user has already been created):
sudo adduser --system --home /YOUR/CHOSEN/CALIBRE/HOME/FOLDER calibre
- Set up the systemd service:
sudo vim /etc/systemd/system/calibre.service
# FILE: /etc/systemd/system/calibre.service # # Calibre "Digital Library" boot-time startup script. # # This script is a systemd service unit that ensures # the calibre Web server is operational after Tor starts. # Without this process running, the digital library is # not available over a Web connection. Tor handles all # other parts of the network connection and connectivity. # [Unit] Description=Calibre eBook Management suite Web server After=tor.service [Service] User=calibre Group=nogroup UMask=0077 # Place other configuration options, if desired, in the invocation. For example: # --url-prefix=library --listen-on=127.0.0.1 --port=8888 ExecStart=/usr/bin/calibre-server --with-library="/PATH/TO/YOUR/Calibre Library" Restart=on-failure # Extra security precautions # Calibre is currently incompatible with `MemoryDenyWriteExecute=true`. :( #MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true PrivateTmp=true PrivateUsers=true ProtectControlGroups=true ProtectHome=true ProtectKernelModules=true ProtectKernelTunables=true ProtectSystem=full LockPersonality=true RestrictAddressFamilies=AF_INET RestrictRealtime=true [Install] WantedBy=multi-user.target
systemdto re-read its configuration files:
sudo systemctl daemon-reload
- Enable the Calibre service so that it runs atomatically during startup after the next reboot:
sudo systemctl enable calibre.service
- Manually start the Calibre service:
sudo systemctl start calibre.service
To test that this is working, check to see if Calibre is now bound to a listening network socket and accepting incoming requests:
sudo ss --listening --tcp --numeric --processes | grep calibre
LISTEN 0 5 *:8080 *:* users:(("calibre-server",pid=3925,fd=7))
The above sample output suggests Calibre is listening on its default Web port of
8080 for incoming connections from any remote computer, so you should be able to reach the Calibre server’s Web server at
http://YOUR.SERVER.IP.ADDRESS:8080/. This will expose your Calibre Library’s files to any computer connected to your LAN. If you want to further restrict access to the service, consider adding
--listen-on=127.0.0.1 to the
calibre-server invocation and then configuring an authenticated Onion service to actually expose the Calibre service to clients across an internetwork.
Socket-activated on-demand Calibre server process¶
If you intend to run Calibre as a service for other users, and especially if you configured Calibre yourself (as opposed to implementing one of the configurations described above) you should strongly consider taking additional security precautions to help ensure that it is as difficult as possible for attackers to exploit. This section describes a non-exhaustive guide to securing your Calibre server instance.
Restrict LAN access¶
Disable OPDS advertisements¶
--disable-use-bonjouroption; this will prevent
calibre-serverfrom registering an (m)DNS-SD advertisement to the LAN. This is important if you want to hide the Calibre server itself from the LAN and make it available only over a Tor connection, for example. In this case, you should use this option in conjunction with the
Provide a TLS certificate¶
--ssl-keyfileoptions. Be certain you understand the implications of identity correlation and possible de-anonymization attack vectors if you use both a TLS certificate and an Onion service before you add a TLS certificate to your Calibre server instance.
Use application-level user access control¶
--enable-authoption and its friends. Older Calibre versions can do this more crudely with their
--ban-foroptions to frustrate password guessing (bruteforce) attack attempts.
Newer versions of Calibre’s
calibre-server process do not perform access logging by default, but see the
--log options for more details. Older versions do perform access logging by default, and as they do not have the
--access-log option available, this logging cannot be easily disabled. If you have one of these older versions of Calibre, you should mitigate the risk of this default data collection by adding the following to
/etc/logrotate.d/calibre-server, which will ensure access logs are retained for no more than one day and are securely deleted (using
shred(1)) on each daily log rotation interval:
# This ensures that logrotate eradicates calibre's logfiles.
# There is no need to be logging who is accessing our library.
shred --remove /PATH/TO/YOUR/CHOSEN/CALIBRE_HOME/.config/calibre/server*log.txt.1
The Shift-CTRL Space group provides an Ansible role for provisioning a Calibre server that on a Raspberry Pi. It can be installed in your local
$ANSIBLE_ROLES_PATH (see Ansible Configuration Settings) for use with an Ansible project with:
ansible-galaxy install https://github.com/shiftctrlspace/ansible-role-calibre/archive/master.tar.gz