movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

Merge pull request #101192 from grahamc/nixpkgs-location-basic-auth

Browse source 
nginx: support basic auth in location blocks
This commit is contained in:
Graham Christensen 2020-11-02 09:44:54 -05:00 committed by GitHub
commit 75a2bc94fa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 93 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

17
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -261,10 +261,7 @@ let
ssl_trusted_certificate ${vhost.sslTrustedCertificate}; ssl_trusted_certificate ${vhost.sslTrustedCertificate};
''} ''}
${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) '' ${mkBasicAuth vhostName vhost}
auth_basic secured;
auth_basic_user_file ${if vhost.basicAuthFile != null then vhost.basicAuthFile else mkHtpasswd vhostName vhost.basicAuth};
''}
${mkLocations vhost.locations} ${mkLocations vhost.locations}
@ -293,9 +290,19 @@ let
${optionalString (config.return != null) "return ${config.return};"} ${optionalString (config.return != null) "return ${config.return};"}
${config.extraConfig} ${config.extraConfig}
${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"} ${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"}
${mkBasicAuth "sublocation" config}
} }
'') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations))); '') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations)));
mkHtpasswd = vhostName: authDef: pkgs.writeText "${vhostName}.htpasswd" (
mkBasicAuth = name: zone: optionalString (zone.basicAuthFile != null || zone.basicAuth != {}) (let
auth_file = if zone.basicAuthFile != null
then zone.basicAuthFile
else mkHtpasswd name zone.basicAuth;
in ''
auth_basic secured;
auth_basic_user_file ${auth_file};
'');
mkHtpasswd = name: authDef: pkgs.writeText "${name}.htpasswd" (
concatStringsSep "\n" (mapAttrsToList (user: password: '' concatStringsSep "\n" (mapAttrsToList (user: password: ''
${user}:{PLAIN}${password} ${user}:{PLAIN}${password}
'') authDef) '') authDef)

28
nixos/modules/services/web-servers/nginx/location-options.nix
View file

@ -9,6 +9,34 @@ with lib;
{ {
options = { options = {
basicAuth = mkOption {
type = types.attrsOf types.str;
default = {};
example = literalExample ''
{
user = "password";
};
'';
description = ''
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the
Nix store.
'';
};
basicAuthFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Basic Auth password file for a vhost.
Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command>.
WARNING: The generate file contains the users' passwords in a
non-cryptographically-securely hashed way.
'';
};
proxyPass = mkOption { proxyPass = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;

7
nixos/modules/services/web-servers/nginx/vhost-options.nix
View file

@ -198,7 +198,7 @@ with lib;
Basic Auth protection for a vhost. Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the WARNING: This is implemented to store the password in plain text in the
nix store. Nix store.
''; '';
}; };
@ -207,7 +207,10 @@ with lib;
default = null; default = null;
description = '' description = ''
Basic Auth password file for a vhost. Basic Auth password file for a vhost.
Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command> Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command>.
WARNING: The generate file contains the users' passwords in a
non-cryptographically-securely hashed way.
''; '';
}; };

1
nixos/tests/all-tests.nix
View file

@ -242,6 +242,7 @@ in
nfs4 = handleTest ./nfs { version = 4; }; nfs4 = handleTest ./nfs { version = 4; };
nghttpx = handleTest ./nghttpx.nix {}; nghttpx = handleTest ./nghttpx.nix {};
nginx = handleTest ./nginx.nix {}; nginx = handleTest ./nginx.nix {};
nginx-auth = handleTest ./nginx-auth.nix {};
nginx-etag = handleTest ./nginx-etag.nix {}; nginx-etag = handleTest ./nginx-etag.nix {};
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {}; nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {}; nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};

47
nixos/tests/nginx-auth.nix Normal file
View file

@ -0,0 +1,47 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "nginx-auth";
nodes = {
webserver = { pkgs, lib, ... }: {
services.nginx = let
root = pkgs.runCommand "testdir" {} ''
mkdir "$out"
echo hello world > "$out/index.html"
'';
in {
enable = true;
virtualHosts.lockedroot = {
inherit root;
basicAuth.alice = "jane";
};
virtualHosts.lockedsubdir = {
inherit root;
locations."/sublocation/" = {
alias = "${root}/";
basicAuth.bob = "john";
};
};
};
};
};
testScript = ''
webserver.wait_for_unit("nginx")
webserver.wait_for_open_port(80)
webserver.fail("curl --fail --resolve lockedroot:80:127.0.0.1 http://lockedroot")
webserver.succeed(
"curl --fail --resolve lockedroot:80:127.0.0.1 http://alice:jane@lockedroot"
)
webserver.succeed("curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir")
webserver.fail(
"curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir/sublocation/index.html"
)
webserver.succeed(
"curl --fail --resolve lockedsubdir:80:127.0.0.1 http://bob:john@lockedsubdir/sublocation/index.html"
)
'';
})