pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #101192 from grahamc/nixpkgs-location-basic-auth

nginx: support basic auth in location blocks

Graham Christensen 75a2bc94 0eb5f022

options
unified split
Changed files
+93 -7
nixos
modules
services
web-servers
nginx
default.nix
location-options.nix
vhost-options.nix
tests
all-tests.nix
nginx-auth.nix
+12 -5
nixos/modules/services/web-servers/nginx/default.nix 
···

       
261

       
261

       
 

       
            ssl_trusted_certificate ${vhost.sslTrustedCertificate};


     

       
262

       
262

       
 

       
          ''}


     

       
263

       
263

       
 

       



     

       
264

       

       
-

       
          ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) ''


     

       
265

       

       
-

       
            auth_basic secured;


     

       
266

       

       
-

       
            auth_basic_user_file ${if vhost.basicAuthFile != null then vhost.basicAuthFile else mkHtpasswd vhostName vhost.basicAuth};


     

       
267

       

       
-

       
          ''}


     

       

       
264

       
+

       
          ${mkBasicAuth vhostName vhost}


     

       
268

       
265

       
 

       



     

       
269

       
266

       
 

       
          ${mkLocations vhost.locations}


     

       
270

       
267

       
 

       



     
···

       
293

       
290

       
 

       
      ${optionalString (config.return != null) "return ${config.return};"}


     

       
294

       
291

       
 

       
      ${config.extraConfig}


     

       
295

       
292

       
 

       
      ${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"}


     

       

       
293

       
+

       
      ${mkBasicAuth "sublocation" config}


     

       
296

       
294

       
 

       
    }


     

       
297

       
295

       
 

       
  '') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations)));


     

       
298

       

       
-

       
  mkHtpasswd = vhostName: authDef: pkgs.writeText "${vhostName}.htpasswd" (


     

       

       
296

       
+

       



     

       

       
297

       
+

       
  mkBasicAuth = name: zone: optionalString (zone.basicAuthFile != null || zone.basicAuth != {}) (let


     

       

       
298

       
+

       
    auth_file = if zone.basicAuthFile != null


     

       

       
299

       
+

       
      then zone.basicAuthFile


     

       

       
300

       
+

       
      else mkHtpasswd name zone.basicAuth;


     

       

       
301

       
+

       
  in ''


     

       

       
302

       
+

       
    auth_basic secured;


     

       

       
303

       
+

       
    auth_basic_user_file ${auth_file};


     

       

       
304

       
+

       
  '');


     

       

       
305

       
+

       
  mkHtpasswd = name: authDef: pkgs.writeText "${name}.htpasswd" (


     

       
299

       
306

       
 

       
    concatStringsSep "\n" (mapAttrsToList (user: password: ''


     

       
300

       
307

       
 

       
      ${user}:{PLAIN}${password}


     

       
301

       
308

       
 

       
    '') authDef)
+28
nixos/modules/services/web-servers/nginx/location-options.nix 
···

       
9

       
9

       
 

       



     

       
10

       
10

       
 

       
{


     

       
11

       
11

       
 

       
  options = {


     

       

       
12

       
+

       
    basicAuth = mkOption {


     

       

       
13

       
+

       
      type = types.attrsOf types.str;


     

       

       
14

       
+

       
      default = {};


     

       

       
15

       
+

       
      example = literalExample ''


     

       

       
16

       
+

       
        {


     

       

       
17

       
+

       
          user = "password";


     

       

       
18

       
+

       
        };


     

       

       
19

       
+

       
      '';


     

       

       
20

       
+

       
      description = ''


     

       

       
21

       
+

       
        Basic Auth protection for a vhost.


     

       

       
22

       
+

       



     

       

       
23

       
+

       
        WARNING: This is implemented to store the password in plain text in the


     

       

       
24

       
+

       
        Nix store.


     

       

       
25

       
+

       
      '';


     

       

       
26

       
+

       
    };


     

       

       
27

       
+

       



     

       

       
28

       
+

       
    basicAuthFile = mkOption {


     

       

       
29

       
+

       
      type = types.nullOr types.path;


     

       

       
30

       
+

       
      default = null;


     

       

       
31

       
+

       
      description = ''


     

       

       
32

       
+

       
        Basic Auth password file for a vhost.


     

       

       
33

       
+

       
        Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command>.


     

       

       
34

       
+

       



     

       

       
35

       
+

       
        WARNING: The generate file contains the users' passwords in a


     

       

       
36

       
+

       
        non-cryptographically-securely hashed way.


     

       

       
37

       
+

       
      '';


     

       

       
38

       
+

       
    };


     

       

       
39

       
+

       



     

       
12

       
40

       
 

       
    proxyPass = mkOption {


     

       
13

       
41

       
 

       
      type = types.nullOr types.str;


     

       
14

       
42

       
 

       
      default = null;
+5 -2
nixos/modules/services/web-servers/nginx/vhost-options.nix 
···

       
198

       
198

       
 

       
        Basic Auth protection for a vhost.


     

       
199

       
199

       
 

       



     

       
200

       
200

       
 

       
        WARNING: This is implemented to store the password in plain text in the


     

       
201

       

       
-

       
        nix store.


     

       

       
201

       
+

       
        Nix store.


     

       
202

       
202

       
 

       
      '';


     

       
203

       
203

       
 

       
    };


     

       
204

       
204

       
 

       



     
···

       
207

       
207

       
 

       
      default = null;


     

       
208

       
208

       
 

       
      description = ''


     

       
209

       
209

       
 

       
        Basic Auth password file for a vhost.


     

       
210

       

       
-

       
        Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command>


     

       

       
210

       
+

       
        Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command>.


     

       

       
211

       
+

       



     

       

       
212

       
+

       
        WARNING: The generate file contains the users' passwords in a


     

       

       
213

       
+

       
        non-cryptographically-securely hashed way.


     

       
211

       
214

       
 

       
      '';


     

       
212

       
215

       
 

       
    };


     

       
213

       
216
+1
nixos/tests/all-tests.nix 
···

       
242

       
242

       
 

       
  nfs4 = handleTest ./nfs { version = 4; };


     

       
243

       
243

       
 

       
  nghttpx = handleTest ./nghttpx.nix {};


     

       
244

       
244

       
 

       
  nginx = handleTest ./nginx.nix {};


     

       

       
245

       
+

       
  nginx-auth = handleTest ./nginx-auth.nix {};


     

       
245

       
246

       
 

       
  nginx-etag = handleTest ./nginx-etag.nix {};


     

       
246

       
247

       
 

       
  nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};


     

       
247

       
248

       
 

       
  nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
+47
nixos/tests/nginx-auth.nix 
···

       

       
1

       
+

       
import ./make-test-python.nix ({ pkgs, ... }: {


     

       

       
2

       
+

       
  name = "nginx-auth";


     

       

       
3

       
+

       



     

       

       
4

       
+

       
  nodes = {


     

       

       
5

       
+

       
    webserver = { pkgs, lib, ... }: {


     

       

       
6

       
+

       
      services.nginx = let


     

       

       
7

       
+

       
        root = pkgs.runCommand "testdir" {} ''


     

       

       
8

       
+

       
          mkdir "$out"


     

       

       
9

       
+

       
          echo hello world > "$out/index.html"


     

       

       
10

       
+

       
        '';


     

       

       
11

       
+

       
      in {


     

       

       
12

       
+

       
        enable = true;


     

       

       
13

       
+

       



     

       

       
14

       
+

       
        virtualHosts.lockedroot = {


     

       

       
15

       
+

       
          inherit root;


     

       

       
16

       
+

       
          basicAuth.alice = "jane";


     

       

       
17

       
+

       
        };


     

       

       
18

       
+

       



     

       

       
19

       
+

       
        virtualHosts.lockedsubdir = {


     

       

       
20

       
+

       
          inherit root;


     

       

       
21

       
+

       
          locations."/sublocation/" = {


     

       

       
22

       
+

       
            alias = "${root}/";


     

       

       
23

       
+

       
            basicAuth.bob = "john";


     

       

       
24

       
+

       
          };


     

       

       
25

       
+

       
        };


     

       

       
26

       
+

       
      };


     

       

       
27

       
+

       
    };


     

       

       
28

       
+

       
  };


     

       

       
29

       
+

       



     

       

       
30

       
+

       
  testScript = ''


     

       

       
31

       
+

       
    webserver.wait_for_unit("nginx")


     

       

       
32

       
+

       
    webserver.wait_for_open_port(80)


     

       

       
33

       
+

       



     

       

       
34

       
+

       
    webserver.fail("curl --fail --resolve lockedroot:80:127.0.0.1 http://lockedroot")


     

       

       
35

       
+

       
    webserver.succeed(


     

       

       
36

       
+

       
        "curl --fail --resolve lockedroot:80:127.0.0.1 http://alice:jane@lockedroot"


     

       

       
37

       
+

       
    )


     

       

       
38

       
+

       



     

       

       
39

       
+

       
    webserver.succeed("curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir")


     

       

       
40

       
+

       
    webserver.fail(


     

       

       
41

       
+

       
        "curl --fail --resolve lockedsubdir:80:127.0.0.1 http://lockedsubdir/sublocation/index.html"


     

       

       
42

       
+

       
    )


     

       

       
43

       
+

       
    webserver.succeed(


     

       

       
44

       
+

       
        "curl --fail --resolve lockedsubdir:80:127.0.0.1 http://bob:john@lockedsubdir/sublocation/index.html"


     

       

       
45

       
+

       
    )


     

       

       
46

       
+

       
  '';


     

       

       
47

       
+

       
})