apache-frontend: Extend nginx slave configuration to be possible restrict the...

apache-frontend: Extend nginx slave configuration to be possible restrict the access by password and/or address By default authentification by password is enabled. To disable just pass --enable-auth=false By default all addresses are allowed. if 'allowed-host-list' is passed we set "allow" to the addresses passed as parameter and deny all the rest. Note: site_url is not published anymore because it has the same information of url

apache-frontend: Extend nginx slave configuration to be possible restrict the...
apache-frontend: Extend nginx slave configuration to be possible restrict the access by password and/or address By default authentification by password is enabled. To disable just pass --enable-auth=false By default all addresses are allowed. if 'allowed-host-list' is passed we set "allow" to the addresses passed as parameter and deny all the rest. Note: site_url is not published anymore because it has the same information of url
fb44aa73 · Gabriel Monnerat · ef18cf7b · fb44aa73 · fb44aa73 · fb44aa73
Commit fb44aa73 authored May 30, 2017 by Gabriel Monnerat
4 changed files
--- a/software/apache-frontend/buildout.hash.cfg
+++ b/software/apache-frontend/buildout.hash.cfg
@@ -27,7 +27,7 @@ md5sum = c55506cfb92d87f915d50d32fb129a28

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 4010f7366262d00c33f9e7f53f63d42e
+md5sum = f0978669cff09839eb14b16447430554

 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -43,7 +43,7 @@ md5sum = 82cdb4ab02fec36285b9c1ce502f82f0

 [template-custom-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 4010f7366262d00c33f9e7f53f63d42e
+md5sum = f0978669cff09839eb14b16447430554

 [template-not-found-html]
 filename = templates/notfound.html
@@ -87,7 +87,7 @@ md5sum = 18633ce55e53340efa1ba7693aac4152

 [template-nginx-eventsource-slave-virtualhost]
 filename = templates/nginx-eventsource-slave.conf.in
-md5sum = a5186f666acb2f040ede04c91e60408f
+md5sum = a9c3b6db835a6b6246f69fb3fd8604bf

 [template-nginx-notebook-slave-virtualhost]
 filename = templates/nginx-notebook-slave.conf.in

--- a/software/apache-frontend/instance-slave-apache-input-schema.json
+++ b/software/apache-frontend/instance-slave-apache-input-schema.json
@@ -161,6 +161,19 @@
      "type": "string",
      "default": ""
    },
+    "allowed-host-list": {
+      "title": "Restrict access",
+      "description": "Limiting access to certain client addresses",
+      "type": "string",
+      "default": ""
+    },
+    "enable-auth": {
+      "title": "Enable Authentification",
+      "description": "Limiting the access by password",
+      "type": "string",
+      "default": "true",
+      "enum": ["false", "true"]
+    },

    "apache_custom_http": {
      "title": "HTTP configuration",

--- a/software/apache-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/apache-frontend/templates/apache-custom-slave-list.cfg.in
@@ -103,9 +103,16 @@ crl = {{ custom_ssl_directory }}/crl/

 {%   if not slave_instance.has_key('apache_custom_http') %}
 {%     do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) -%}
-{%     do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%}
-{%     do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) -%}
-{%     do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%}
+{%     if slave_instance.get("enable-http", "true").strip().lower() == "true" -%}
+{%       do slave_publish_dict.__setitem__('url', 'http://' + slave_reference + ':${'+ slave_password_section +':passwd}@' + slave_instance.get('custom_domain')) -%}
+{%     else -%}
+{%       do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%}
+{%     endif -%}
+{%     if slave_instance.get("enable-http", "true").strip().lower() == "true" -%}
+{%       do slave_publish_dict.__setitem__('secure_access', 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@' + slave_instance.get('custom_domain')) -%}
+{%     else -%}
+{%       do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%}
+{%     endif -%}
 {%   endif -%}

 [slave-log-directories]
@@ -196,6 +203,7 @@ cert-content = {{ dumps(slave_instance.get('ssl_crt')) }}
 {%     set apache_custom_https = ((slave_instance.pop('apache_custom_https', '')) % slave_parameter_dict) -%}
 apache_custom_http = {{ dumps(apache_custom_http) }}
 apache_custom_https = {{ dumps(apache_custom_https) }}
+htaccess_path = {{ '${' + slave_htaccess_section + ':htaccess-path}' }}
 {{ '\n' }}
 {%     for key, value in slave_instance.iteritems() -%}
 {{ key }} = {{ dumps(value) }}

--- a/software/apache-frontend/templates/nginx-eventsource-slave.conf.in
+++ b/software/apache-frontend/templates/nginx-eventsource-slave.conf.in
@@ -9,7 +9,9 @@
 {%   set https_proxy_pass = '%s//https_%s' % (protocol, slave_parameter.get('slave_reference')) -%}
 {%- set ssl_configuration_list = [('ssl_certificate', 'path_to_ssl_crt'),
                                 ('ssl_certificate_key', 'path_to_ssl_key')] -%}
-
+{% set allowed_host_list = filter(None, slave_parameter.get('allowed-host-list', "").split(",")) -%}
+{% set enable_auth = slave_parameter.get('enable-auth', 'true').strip().lower() == 'true' -%}
+{% set restrict_access = allowed_host_list != [] and 'all' not in allowed_host_list -%}

 upstream {{ slave_parameter.get('slave_reference') }} {
  server {{ upstream }};
@@ -41,6 +43,20 @@ server {
    client_max_body_size 16k;
    client_body_buffer_size 16k;

+    {% if enable_auth and restrict_access -%}
+    # Access must satisfy http_access(allow|deny) and auth_basic
+    satisfy all;
+    {% endif -%}
+    {% if enable_auth -%}
+    auth_basic "Restricted Access";
+    auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
+    {% endif -%}
+    {% if restrict_access -%}
+    {% for host in allowed_host_list -%}
+    allow {{ host }};
+    {% endfor -%}
+    deny all;
+    {% endif -%}
   }

   location ~ /sub/(.*) {
@@ -56,6 +72,10 @@ server {

     # content-type
     default_type "text/event-stream; charset=utf-8";
+     {% if enable_auth -%}
+     auth_basic "Restricted Access";
+     auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
+     {% endif -%}
  }

 }
@@ -95,6 +115,20 @@ server {
    client_max_body_size 16k;
    client_body_buffer_size 16k;

+    {% if enable_auth and restrict_access -%}
+    # Access must satisfy http_access(allow|deny) and auth_basic
+    satisfy all;
+    {% endif -%}
+    {% if enable_auth -%}
+    auth_basic "Restricted Access";
+    auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
+    {% endif -%}
+    {% if restrict_access -%}
+    {% for host in allowed_host_list -%}
+    allow {{ host }};
+    {% endfor -%}
+    deny all;
+    {% endif -%}
   }

   location ~ /sub/(.*) {
@@ -110,6 +144,10 @@ server {

     # content-type
     default_type "text/event-stream; charset=utf-8";
+     {% if enable_auth -%}
+     auth_basic "Restricted Access";
+     auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
+     {% endif -%}
  }
 }
 {% endif -%}