Commit 872672aa by John Jarvis

Merge pull request #497 from edx/jarv/better-basic-auth

Make basic_auth a global nginx parameter
parents c8914619 c63f18c2
- name: Configure instance(s)
hosts: all
sudo: True
gather_facts: False
vars_files:
- roles/edxapp/defaults/main.yml
- roles/ora/defaults/main.yml
- roles/xqueue/defaults/main.yml
- roles/xserver/defaults/main.yml
roles:
- common
- role: nginx
nginx_sites:
- cms
- lms
- ora
- xqueue
- xserver
DISCERN_NGINX_PORT: 18070
DISCERN_BASIC_AUTH: False
DISCERN_MEMCACHE: [ 'localhost:11211' ]
DISCERN_AWS_ACCESS_KEY_ID: ""
DISCERN_AWS_SECRET_ACCESS_KEY: ""
......
......@@ -89,9 +89,6 @@ EDXAPP_LMS_NGINX_PORT: 18000
EDXAPP_LMS_PREVIEW_NGINX_PORT: 18020
EDXAPP_CMS_NGINX_PORT: 18010
EDXAPP_LMS_BASIC_AUTH: False
EDXAPP_CMS_BASIC_AUTH: False
EDXAPP_LMS_PREVIEW_BASIC_AUTH: False
EDXAPP_LANG: 'en_US.UTF-8'
EDXAPP_TIME_ZONE: 'America/New_York'
......
# Variables for nginx role
---
# Set global htaccess for nginx
NGINX_HTPASSWD_USER: !!null
NGINX_HTPASSWD_PASS: !!null
nginx_app_dir: "{{ COMMON_APP_DIR }}/nginx"
nginx_data_dir: "{{ COMMON_DATA_DIR }}/nginx"
......@@ -8,10 +11,11 @@ nginx_log_dir: "{{ COMMON_LOG_DIR }}/nginx"
nginx_sites_available_dir: "{{ nginx_app_dir }}/sites-available"
nginx_sites_enabled_dir: "{{ nginx_app_dir }}/sites-enabled"
nginx_user: root
nginx_htpasswd_file: "{{ nginx_app_dir }}/nginx.htpasswd"
pkgs:
nginx:
state: installed
nginx_debian_pkgs:
- nginx
- python-passlib
nginx_xserver_gunicorn_hosts:
- 127.0.0.1
......@@ -36,7 +40,3 @@ nginx_cfg:
# nginx configuration
version_html: "{{ nginx_app_dir }}/versions.html"
version_json: "{{ nginx_app_dir }}/versions.json"
# default htpasswd contents set to edx/edx
# this value can be overiden in vars/secure/<group>.yml
htpasswd: |
edx:$apr1$2gWcIvlc$Nu7b/KTwd5HoIDEkSPNUk/
......@@ -25,8 +25,8 @@
- "{{ nginx_log_dir }}"
notify: nginx | restart nginx
- name: nginx | Install nginx
apt: pkg=nginx state={{ pkgs.nginx.state }}
- name: nginx | Install nginx packages
apt: pkg={{','.join(nginx_debian_pkgs)}} state=present
notify: nginx | restart nginx
- name: nginx | Server configuration file
......@@ -63,10 +63,12 @@
notify: nginx | reload nginx
with_items: nginx_sites
- name: nginx | Write out default htpasswd file
copy: >
content={{ nginx_cfg.htpasswd }} dest={{ nginx_app_dir }}/nginx.htpasswd
owner=www-data group=www-data mode=0600
- name: nginx | Write out htpasswd file
htpasswd: >
name={{ NGINX_HTPASSWD_USER }}
password={{ NGINX_HTPASSWD_PASS }}
path={{ nginx_htpasswd_file }}
when: NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS
- name: nginx | Create nginx log file location (just in case)
file: >
......
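Review bot: On a host provisioned before this change, the `nginx | Write out htpasswd file` task leaves the old default `edx` entry in place, because the htpasswd module only adds or updates the named user and `nginx_htpasswd_file` resolves to the same `{{ nginx_app_dir }}/nginx.htpasswd` that the removed copy task wrote. The default edx/edx credential would therefore still pass basic auth alongside the new user; a preceding task such as `htpasswd: name=edx path={{ nginx_htpasswd_file }} state=absent` (skipped when NGINX_HTPASSWD_USER is itself `edx`) would close that. The new task also drops the `owner=www-data group=www-data mode=0600` that the copy task set, so a freshly created file gets the module's defaults; add those arguments back if the installed htpasswd module accepts them. Passing `password={{ NGINX_HTPASSWD_PASS }}` in key=value form will also mis-parse a password that contains spaces unless the value is quoted.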
{% if NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS %}
auth_basic "Restricted";
auth_basic_user_file {{ nginx_app_dir }}/nginx.htpasswd;
auth_basic_user_file {{ nginx_htpasswd_file }};
index index.html
proxy_set_header X-Forwarded-Proto https;
{% endif %}
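Review bot: `index index.html` has no terminating semicolon, so nginx reads the following `proxy_set_header X-Forwarded-Proto https;` as further arguments to `index` and the header is never set; whether or not this commit introduced the line, it should read `index index.html;`. The new guard `{% if NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS %}` also renders no auth at all when only one of the two variables is set, so a half-configured secure vars file fails open without any error. A template comment such as `{# emitted only when both NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS are set #}`, plus a `fail` task in the role when exactly one of them is defined, would make that case visible.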
......@@ -32,9 +32,7 @@ server {
}
location / {
{% if EDXAPP_CMS_BASIC_AUTH %}
{% include "basic-auth.j2" %}
{% endif %}
{% include "basic-auth.j2" %}
try_files $uri @proxy_to_cms_app;
}
......
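Review bot: Dropping the `{% if EDXAPP_CMS_BASIC_AUTH %}` guard means an existing inventory that still sets `EDXAPP_CMS_BASIC_AUTH: True` is now ignored without any error, and the site is served without the basic-auth layer unless both NGINX_HTPASSWD_* variables are also supplied. The same applies to the discern, lms-preview, lms, ora, xqueue and xserver templates in the hunks that follow, and per-site protection is no longer possible. A comment above the include, e.g. `# basic auth is controlled globally by NGINX_HTPASSWD_USER / NGINX_HTPASSWD_PASS`, and a role task that fails when a legacy `*_BASIC_AUTH` variable is still defined would make the migration explicit. The surrounding `server` block starts and ends outside this hunk.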
......@@ -20,9 +20,7 @@ server {
}
location / {
{% if DISCERN_BASIC_AUTH %}
{% include "basic-auth.j2" %}
{% endif %}
{% include "basic-auth.j2" %}
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
......
......@@ -30,9 +30,7 @@ server {
location / {
{% if EDXAPP_LMS_PREVIEW_BASIC_AUTH %}
{% include "basic-auth.j2" %}
{% endif %}
{% include "basic-auth.j2" %}
try_files $uri @proxy_to_lms-preview_app;
}
......
......@@ -31,10 +31,7 @@ server {
}
location / {
{% if EDXAPP_LMS_BASIC_AUTH %}
{% include "basic-auth.j2" %}
{% endif %}
{% include "basic-auth.j2" %}
try_files $uri @proxy_to_lms_app;
}
......
......@@ -9,9 +9,7 @@ server {
location / {
{% if ORA_BASIC_AUTH %}
{% include "basic-auth.j2" %}
{% endif %}
{% include "basic-auth.j2" %}
try_files $uri @proxy_to_app;
}
......
......@@ -8,9 +8,7 @@ server {
listen {{ XQUEUE_NGINX_PORT }} default_server;
location / {
{% if XQUEUE_BASIC_AUTH %}
{% include "basic-auth.j2" %}
{% endif %}
{% include "basic-auth.j2" %}
try_files $uri @proxy_to_app;
}
......
......@@ -18,9 +18,7 @@ server {
listen {{ XSERVER_NGINX_PORT }} default_server;
location / {
{% if XSERVER_BASIC_AUTH %}
{% include "basic-auth.j2" %}
{% endif %}
{% include "basic-auth.j2" %}
try_files $uri @proxy_to_app;
}
......
# vars for the ORA role
---
ORA_NGINX_PORT: 18060
ORA_BASIC_AUTH: False
ora_app_dir: "{{ COMMON_APP_DIR }}/ora"
ora_code_dir: "{{ ora_app_dir }}/ora"
......@@ -122,7 +121,7 @@ ora_auth_config:
username: $ORA_DJANGO_USER
url: $ORA_URL
DATABASES:
default:
default:
ENGINE: 'django.db.backends.mysql'
NAME: $ORA_MYSQL_DB_NAME
USER: $ORA_MYSQL_USER
......
......@@ -2,7 +2,6 @@
# when the role is included
---
XQUEUE_NGINX_PORT: 18040
XQUEUE_BASIC_AUTH: False
xqueue_app_dir: "{{ COMMON_APP_DIR }}/xqueue"
xqueue_code_dir: "{{ xqueue_app_dir }}/xqueue"
......
......@@ -2,7 +2,6 @@
---
XSERVER_NGINX_PORT: 18050
XSERVER_BASIC_AUTH: False
XSERVER_RUN_URL: ''
XSERVER_LOGGING_ENV: 'sandbox'
......