diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index c0c2f27a00ef..e9630d379f36 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -261,10 +261,7 @@ let
ssl_trusted_certificate ${vhost.sslTrustedCertificate};
''}
- ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) ''
- auth_basic secured;
- auth_basic_user_file ${if vhost.basicAuthFile != null then vhost.basicAuthFile else mkHtpasswd vhostName vhost.basicAuth};
- ''}
+ ${mkBasicAuth vhostName vhost}
${mkLocations vhost.locations}
@@ -293,9 +290,19 @@ let
${optionalString (config.return != null) "return ${config.return};"}
${config.extraConfig}
${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"}
+ ${mkBasicAuth "sublocation" config}
}
'') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations)));
- mkHtpasswd = vhostName: authDef: pkgs.writeText "${vhostName}.htpasswd" (
+
+ mkBasicAuth = name: zone: optionalString (zone.basicAuthFile != null || zone.basicAuth != {}) (let
+ auth_file = if zone.basicAuthFile != null
+ then zone.basicAuthFile
+ else mkHtpasswd name zone.basicAuth;
+ in ''
+ auth_basic secured;
+ auth_basic_user_file ${auth_file};
+ '');
+ mkHtpasswd = name: authDef: pkgs.writeText "${name}.htpasswd" (
concatStringsSep "\n" (mapAttrsToList (user: password: ''
${user}:{PLAIN}${password}
'') authDef)
diff --git a/nixos/modules/services/web-servers/nginx/location-options.nix b/nixos/modules/services/web-servers/nginx/location-options.nix
index 3d9e391ecf20..f2fc07255725 100644
--- a/nixos/modules/services/web-servers/nginx/location-options.nix
+++ b/nixos/modules/services/web-servers/nginx/location-options.nix
@@ -9,6 +9,34 @@ with lib;
{
options = {
+ basicAuth = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ example = literalExample ''
+ {
+ user = "password";
+ };
+ '';
+ description = ''
+ Basic Auth protection for a vhost.
+
+ WARNING: This is implemented to store the password in plain text in the
+ Nix store.
+ '';
+ };
+
+ basicAuthFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Basic Auth password file for a vhost.
+ Can be created via: htpasswd -c <filename> <username>.
+
+ WARNING: The generate file contains the users' passwords in a
+ non-cryptographically-securely hashed way.
+ '';
+ };
+
proxyPass = mkOption {
type = types.nullOr types.str;
default = null;
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 455854e2a965..cf211ea9a71b 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -198,7 +198,7 @@ with lib;
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the
- nix store.
+ Nix store.
'';
};
@@ -207,7 +207,10 @@ with lib;
default = null;
description = ''
Basic Auth password file for a vhost.
- Can be created via: htpasswd -c <filename> <username>
+ Can be created via: htpasswd -c <filename> <username>.
+
+ WARNING: The generate file contains the users' passwords in a
+ non-cryptographically-securely hashed way.
'';
};
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 9ffeba27a7fe..4e4d8b5e6894 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -242,6 +242,7 @@ in
nfs4 = handleTest ./nfs { version = 4; };
nghttpx = handleTest ./nghttpx.nix {};
nginx = handleTest ./nginx.nix {};
+ nginx-auth = handleTest ./nginx-auth.nix {};
nginx-etag = handleTest ./nginx-etag.nix {};
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
diff --git a/nixos/tests/nginx-auth.nix b/nixos/tests/nginx-auth.nix
new file mode 100644
index 000000000000..c0d24a20ddbc
--- /dev/null
+++ b/nixos/tests/nginx-auth.nix
@@ -0,0 +1,47 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+ name = "nginx-auth";
+
+ nodes = {
+ webserver = { pkgs, lib, ... }: {
+ services.nginx = let
+ root = pkgs.runCommand "testdir" {} ''
+ mkdir "$out"
+ echo hello world > "$out/index.html"
+ '';
+ in {
+ enable = true;
+
+ virtualHosts.lockedroot = {
+ inherit root;
+ basicAuth.alice = "jane";
+ };
+
+ virtualHosts.lockedsubdir = {
+ inherit root;
+ locations."/sublocation/" = {
+ alias = "${root}/";
+ basicAuth.bob = "john";
+ };
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ webserver.wait_for_unit("nginx")
+ webserver.wait_for_open_port(80)
+
+ webserver.fail("curl --fail --resolve lockedroot:80:127.0.0.1 http://lockedroot")
+ webserver.succeed(
+ "curl --fail --resolve lockedroot:80:127.0.0.1 http://alice:jane@lockedroot"
+ )
+
+ webserver.succeed("curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir")
+ webserver.fail(
+ "curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir/sublocation/index.html"
+ )
+ webserver.succeed(
+ "curl --fail --resolve lockedsubdir:80:127.0.0.1 http://bob:john@lockedsubdir/sublocation/index.html"
+ )
+ '';
+})