Merge pull request #101192 from grahamc/nixpkgs-location-basic-auth
nginx: support basic auth in location blocks
This commit is contained in:
commit
75a2bc94fa
@ -261,10 +261,7 @@ let
|
||||
ssl_trusted_certificate ${vhost.sslTrustedCertificate};
|
||||
''}
|
||||
|
||||
${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) ''
|
||||
auth_basic secured;
|
||||
auth_basic_user_file ${if vhost.basicAuthFile != null then vhost.basicAuthFile else mkHtpasswd vhostName vhost.basicAuth};
|
||||
''}
|
||||
${mkBasicAuth vhostName vhost}
|
||||
|
||||
${mkLocations vhost.locations}
|
||||
|
||||
@ -293,9 +290,19 @@ let
|
||||
${optionalString (config.return != null) "return ${config.return};"}
|
||||
${config.extraConfig}
|
||||
${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"}
|
||||
${mkBasicAuth "sublocation" config}
|
||||
}
|
||||
'') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations)));
|
||||
mkHtpasswd = vhostName: authDef: pkgs.writeText "${vhostName}.htpasswd" (
|
||||
|
||||
mkBasicAuth = name: zone: optionalString (zone.basicAuthFile != null || zone.basicAuth != {}) (let
|
||||
auth_file = if zone.basicAuthFile != null
|
||||
then zone.basicAuthFile
|
||||
else mkHtpasswd name zone.basicAuth;
|
||||
in ''
|
||||
auth_basic secured;
|
||||
auth_basic_user_file ${auth_file};
|
||||
'');
|
||||
mkHtpasswd = name: authDef: pkgs.writeText "${name}.htpasswd" (
|
||||
concatStringsSep "\n" (mapAttrsToList (user: password: ''
|
||||
${user}:{PLAIN}${password}
|
||||
'') authDef)
|
||||
|
@ -9,6 +9,34 @@ with lib;
|
||||
|
||||
{
|
||||
options = {
|
||||
basicAuth = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {};
|
||||
example = literalExample ''
|
||||
{
|
||||
user = "password";
|
||||
};
|
||||
'';
|
||||
description = ''
|
||||
Basic Auth protection for a vhost.
|
||||
|
||||
WARNING: This is implemented to store the password in plain text in the
|
||||
Nix store.
|
||||
'';
|
||||
};
|
||||
|
||||
basicAuthFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Basic Auth password file for a vhost.
|
||||
Can be created via: <command>htpasswd -c <filename> <username></command>.
|
||||
|
||||
WARNING: The generate file contains the users' passwords in a
|
||||
non-cryptographically-securely hashed way.
|
||||
'';
|
||||
};
|
||||
|
||||
proxyPass = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
|
@ -198,7 +198,7 @@ with lib;
|
||||
Basic Auth protection for a vhost.
|
||||
|
||||
WARNING: This is implemented to store the password in plain text in the
|
||||
nix store.
|
||||
Nix store.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -207,7 +207,10 @@ with lib;
|
||||
default = null;
|
||||
description = ''
|
||||
Basic Auth password file for a vhost.
|
||||
Can be created via: <command>htpasswd -c <filename> <username></command>
|
||||
Can be created via: <command>htpasswd -c <filename> <username></command>.
|
||||
|
||||
WARNING: The generate file contains the users' passwords in a
|
||||
non-cryptographically-securely hashed way.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -242,6 +242,7 @@ in
|
||||
nfs4 = handleTest ./nfs { version = 4; };
|
||||
nghttpx = handleTest ./nghttpx.nix {};
|
||||
nginx = handleTest ./nginx.nix {};
|
||||
nginx-auth = handleTest ./nginx-auth.nix {};
|
||||
nginx-etag = handleTest ./nginx-etag.nix {};
|
||||
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
|
||||
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
|
||||
|
47
nixos/tests/nginx-auth.nix
Normal file
47
nixos/tests/nginx-auth.nix
Normal file
@ -0,0 +1,47 @@
|
||||
import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
name = "nginx-auth";
|
||||
|
||||
nodes = {
|
||||
webserver = { pkgs, lib, ... }: {
|
||||
services.nginx = let
|
||||
root = pkgs.runCommand "testdir" {} ''
|
||||
mkdir "$out"
|
||||
echo hello world > "$out/index.html"
|
||||
'';
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.lockedroot = {
|
||||
inherit root;
|
||||
basicAuth.alice = "jane";
|
||||
};
|
||||
|
||||
virtualHosts.lockedsubdir = {
|
||||
inherit root;
|
||||
locations."/sublocation/" = {
|
||||
alias = "${root}/";
|
||||
basicAuth.bob = "john";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
webserver.wait_for_unit("nginx")
|
||||
webserver.wait_for_open_port(80)
|
||||
|
||||
webserver.fail("curl --fail --resolve lockedroot:80:127.0.0.1 http://lockedroot")
|
||||
webserver.succeed(
|
||||
"curl --fail --resolve lockedroot:80:127.0.0.1 http://alice:jane@lockedroot"
|
||||
)
|
||||
|
||||
webserver.succeed("curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir")
|
||||
webserver.fail(
|
||||
"curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir/sublocation/index.html"
|
||||
)
|
||||
webserver.succeed(
|
||||
"curl --fail --resolve lockedsubdir:80:127.0.0.1 http://bob:john@lockedsubdir/sublocation/index.html"
|
||||
)
|
||||
'';
|
||||
})
|
Loading…
Reference in New Issue
Block a user