Commit fb44aa73 authored by Gabriel Monnerat's avatar Gabriel Monnerat

apache-frontend: Extend nginx slave configuration to be possible restrict the...

apache-frontend: Extend nginx slave configuration to be possible restrict the access by password and/or address

By default, authentication by password is enabled. To disable it, just pass --enable-auth=false

By default, all addresses are allowed. If 'allowed-host-list' is passed, we set "allow" for the addresses passed as parameter and deny all the rest.

Note: site_url is not published anymore because it has the same information of url
parent ef18cf7b
...@@ -27,7 +27,7 @@ md5sum = c55506cfb92d87f915d50d32fb129a28 ...@@ -27,7 +27,7 @@ md5sum = c55506cfb92d87f915d50d32fb129a28
[template-slave-list] [template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
md5sum = 4010f7366262d00c33f9e7f53f63d42e md5sum = f0978669cff09839eb14b16447430554
[template-slave-configuration] [template-slave-configuration]
filename = templates/custom-virtualhost.conf.in filename = templates/custom-virtualhost.conf.in
...@@ -43,7 +43,7 @@ md5sum = 82cdb4ab02fec36285b9c1ce502f82f0 ...@@ -43,7 +43,7 @@ md5sum = 82cdb4ab02fec36285b9c1ce502f82f0
[template-custom-slave-list] [template-custom-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
md5sum = 4010f7366262d00c33f9e7f53f63d42e md5sum = f0978669cff09839eb14b16447430554
[template-not-found-html] [template-not-found-html]
filename = templates/notfound.html filename = templates/notfound.html
...@@ -87,7 +87,7 @@ md5sum = 18633ce55e53340efa1ba7693aac4152 ...@@ -87,7 +87,7 @@ md5sum = 18633ce55e53340efa1ba7693aac4152
[template-nginx-eventsource-slave-virtualhost] [template-nginx-eventsource-slave-virtualhost]
filename = templates/nginx-eventsource-slave.conf.in filename = templates/nginx-eventsource-slave.conf.in
md5sum = a5186f666acb2f040ede04c91e60408f md5sum = a9c3b6db835a6b6246f69fb3fd8604bf
[template-nginx-notebook-slave-virtualhost] [template-nginx-notebook-slave-virtualhost]
filename = templates/nginx-notebook-slave.conf.in filename = templates/nginx-notebook-slave.conf.in
......
...@@ -161,6 +161,19 @@ ...@@ -161,6 +161,19 @@
"type": "string", "type": "string",
"default": "" "default": ""
}, },
"allowed-host-list": {
"title": "Restrict access",
"description": "Limiting access to certain client addresses",
"type": "string",
"default": ""
},
"enable-auth": {
"title": "Enable Authentification",
"description": "Limiting the access by password",
"type": "string",
"default": "true",
"enum": ["false", "true"]
},
"apache_custom_http": { "apache_custom_http": {
"title": "HTTP configuration", "title": "HTTP configuration",
......
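Review bot: The `allowed-host-list` description does not state the expected value format, although the nginx template in this commit splits the value on `,` and treats an entry equal to `all` as "no restriction". I would spell that out, for example `"description": "Comma-separated list of client addresses allowed to access the slave; empty or 'all' allows every address"`. The `enable-auth` title also has a spelling slip and should read `"title": "Enable Authentication"`.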
...@@ -103,9 +103,16 @@ crl = {{ custom_ssl_directory }}/crl/ ...@@ -103,9 +103,16 @@ crl = {{ custom_ssl_directory }}/crl/
{% if not slave_instance.has_key('apache_custom_http') %} {% if not slave_instance.has_key('apache_custom_http') %}
{% do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) -%} {% do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%} {% if slave_instance.get("enable-http", "true").strip().lower() == "true" -%}
{% do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) -%} {% do slave_publish_dict.__setitem__('url', 'http://' + slave_reference + ':${'+ slave_password_section +':passwd}@' + slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%} {% else -%}
{% do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%}
{% endif -%}
{% if slave_instance.get("enable-http", "true").strip().lower() == "true" -%}
{% do slave_publish_dict.__setitem__('secure_access', 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@' + slave_instance.get('custom_domain')) -%}
{% else -%}
{% do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%}
{% endif -%}
{% endif -%} {% endif -%}
[slave-log-directories] [slave-log-directories]
...@@ -196,6 +203,7 @@ cert-content = {{ dumps(slave_instance.get('ssl_crt')) }} ...@@ -196,6 +203,7 @@ cert-content = {{ dumps(slave_instance.get('ssl_crt')) }}
{% set apache_custom_https = ((slave_instance.pop('apache_custom_https', '')) % slave_parameter_dict) -%} {% set apache_custom_https = ((slave_instance.pop('apache_custom_https', '')) % slave_parameter_dict) -%}
apache_custom_http = {{ dumps(apache_custom_http) }} apache_custom_http = {{ dumps(apache_custom_http) }}
apache_custom_https = {{ dumps(apache_custom_https) }} apache_custom_https = {{ dumps(apache_custom_https) }}
htaccess_path = {{ '${' + slave_htaccess_section + ':htaccess-path}' }}
{{ '\n' }} {{ '\n' }}
{% for key, value in slave_instance.iteritems() -%} {% for key, value in slave_instance.iteritems() -%}
{{ key }} = {{ dumps(value) }} {{ key }} = {{ dumps(value) }}
......
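Review bot: The two new conditions that decide whether credentials are embedded in the published `url` and `secure_access` test `enable-http`, while the parameter this commit introduces is `enable-auth`. Unless `enable-http` is defined somewhere outside this view, a slave requested with `enable-auth=false` would still be published with `reference:password@` in its URLs. Both conditions should presumably read `{% if slave_instance.get("enable-auth", "true").strip().lower() == "true" -%}`. The published `url` also carries the password on an `http://` scheme, where basic-auth credentials travel unencrypted, so consider publishing the password as a separate connection parameter and advertising only the `https://` form. `slave_reference`, `slave_password_section` and `slave_htaccess_section` are set outside these hunks.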
...@@ -9,7 +9,9 @@ ...@@ -9,7 +9,9 @@
{% set https_proxy_pass = '%s//https_%s' % (protocol, slave_parameter.get('slave_reference')) -%} {% set https_proxy_pass = '%s//https_%s' % (protocol, slave_parameter.get('slave_reference')) -%}
{%- set ssl_configuration_list = [('ssl_certificate', 'path_to_ssl_crt'), {%- set ssl_configuration_list = [('ssl_certificate', 'path_to_ssl_crt'),
('ssl_certificate_key', 'path_to_ssl_key')] -%} ('ssl_certificate_key', 'path_to_ssl_key')] -%}
{% set allowed_host_list = filter(None, slave_parameter.get('allowed-host-list', "").split(",")) -%}
{% set enable_auth = slave_parameter.get('enable-auth', 'true').strip().lower() == 'true' -%}
{% set restrict_access = allowed_host_list != [] and 'all' not in allowed_host_list -%}
upstream {{ slave_parameter.get('slave_reference') }} { upstream {{ slave_parameter.get('slave_reference') }} {
server {{ upstream }}; server {{ upstream }};
...@@ -41,6 +43,20 @@ server { ...@@ -41,6 +43,20 @@ server {
client_max_body_size 16k; client_max_body_size 16k;
client_body_buffer_size 16k; client_body_buffer_size 16k;
{% if enable_auth and restrict_access -%}
# Access must satisfy http_access(allow|deny) and auth_basic
satisfy all;
{% endif -%}
{% if enable_auth -%}
auth_basic "Restricted Access";
auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
{% endif -%}
{% if restrict_access -%}
{% for host in allowed_host_list -%}
allow {{ host }};
{% endfor -%}
deny all;
{% endif -%}
} }
location ~ /sub/(.*) { location ~ /sub/(.*) {
...@@ -56,6 +72,10 @@ server { ...@@ -56,6 +72,10 @@ server {
# content-type # content-type
default_type "text/event-stream; charset=utf-8"; default_type "text/event-stream; charset=utf-8";
{% if enable_auth -%}
auth_basic "Restricted Access";
auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
{% endif -%}
} }
} }
...@@ -95,6 +115,20 @@ server { ...@@ -95,6 +115,20 @@ server {
client_max_body_size 16k; client_max_body_size 16k;
client_body_buffer_size 16k; client_body_buffer_size 16k;
{% if enable_auth and restrict_access -%}
# Access must satisfy http_access(allow|deny) and auth_basic
satisfy all;
{% endif -%}
{% if enable_auth -%}
auth_basic "Restricted Access";
auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
{% endif -%}
{% if restrict_access -%}
{% for host in allowed_host_list -%}
allow {{ host }};
{% endfor -%}
deny all;
{% endif -%}
} }
location ~ /sub/(.*) { location ~ /sub/(.*) {
...@@ -110,6 +144,10 @@ server { ...@@ -110,6 +144,10 @@ server {
# content-type # content-type
default_type "text/event-stream; charset=utf-8"; default_type "text/event-stream; charset=utf-8";
{% if enable_auth -%}
auth_basic "Restricted Access";
auth_basic_user_file {{ slave_parameter.get('htaccess_path') }};
{% endif -%}
} }
} }
{% endif -%} {% endif -%}
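Review bot: The address restriction is emitted only in the first location block of each server. The event-stream blocks under `location ~ /sub/(.*)` (hunks at new lines 72 and 144) get `auth_basic` but no `allow`/`deny`, so with `enable-auth=false` and an `allowed-host-list` set, that location appears to stay reachable from any address. If the restriction is meant to cover the whole slave, repeat the `{% if restrict_access -%}` block there or emit it once at server level. Separately, the `allowed_host_list` entries are split on `,` without `strip()` or any validation and rendered straight into `allow {{ host }};`, so a value containing `;`, braces or a newline would alter the generated nginx configuration; checking each entry as an address or CIDR before rendering would close that. The location blocks open outside these hunks, so confirm which endpoints they serve.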