Merge pull request #497 from edx/jarv/better-basic-auth

Make basic_auth a global nginx parameter

playbooks/edx-east/deploy_nginx_all_roles.yml

+- name: Configure instance(s)
+  hosts: all
+  sudo: True
+  gather_facts: False
+  vars_files:
+    - roles/edxapp/defaults/main.yml
+    - roles/ora/defaults/main.yml
+    - roles/xqueue/defaults/main.yml
+    - roles/xserver/defaults/main.yml
+  roles:
+    - common
+    - role: nginx
+      nginx_sites:
+      - cms
+      - lms
+      - ora
+      - xqueue
+      - xserver

playbooks/roles/discern/defaults/main.yml

 DISCERN_NGINX_PORT: 18070
-DISCERN_BASIC_AUTH: False
 DISCERN_MEMCACHE: [ 'localhost:11211' ]
 DISCERN_AWS_ACCESS_KEY_ID: ""
 DISCERN_AWS_SECRET_ACCESS_KEY: ""

playbooks/roles/edxapp/defaults/main.yml

@@ -89,9 +89,6 @@ EDXAPP_LMS_NGINX_PORT: 18000
 EDXAPP_LMS_PREVIEW_NGINX_PORT: 18020
 EDXAPP_CMS_NGINX_PORT: 18010
 
-EDXAPP_LMS_BASIC_AUTH: False
-EDXAPP_CMS_BASIC_AUTH: False
-EDXAPP_LMS_PREVIEW_BASIC_AUTH: False
 EDXAPP_LANG: 'en_US.UTF-8'
 EDXAPP_TIME_ZONE: 'America/New_York'
 

playbooks/roles/nginx/defaults/main.yml

 # Variables for nginx role
 ---
+# Set global htaccess for nginx
+NGINX_HTPASSWD_USER: !!null
+NGINX_HTPASSWD_PASS: !!null
 
 nginx_app_dir: "{{ COMMON_APP_DIR }}/nginx"
 nginx_data_dir: "{{ COMMON_DATA_DIR }}/nginx"
@@ -8,10 +11,11 @@ nginx_log_dir: "{{ COMMON_LOG_DIR }}/nginx"
 nginx_sites_available_dir: "{{ nginx_app_dir }}/sites-available"
 nginx_sites_enabled_dir: "{{ nginx_app_dir }}/sites-enabled"
 nginx_user: root
+nginx_htpasswd_file: "{{ nginx_app_dir }}/nginx.htpasswd"
 
-pkgs:
-  nginx:
-    state: installed
+nginx_debian_pkgs:
+  - nginx
+  - python-passlib
 
 nginx_xserver_gunicorn_hosts:
   - 127.0.0.1
@@ -36,7 +40,3 @@ nginx_cfg:
   # nginx configuration
   version_html: "{{ nginx_app_dir }}/versions.html"
   version_json: "{{ nginx_app_dir }}/versions.json"
-  # default htpasswd contents set to edx/edx
-  # this value can be overiden in vars/secure/<group>.yml
-  htpasswd: |
-    edx:$apr1$2gWcIvlc$Nu7b/KTwd5HoIDEkSPNUk/

playbooks/roles/nginx/tasks/main.yml

@@ -25,8 +25,8 @@
     - "{{ nginx_log_dir }}"
   notify: nginx | restart nginx
 
-- name: nginx | Install nginx
-  apt: pkg=nginx state={{ pkgs.nginx.state }}
+- name: nginx | Install nginx packages
+  apt: pkg={{','.join(nginx_debian_pkgs)}} state=present
   notify: nginx | restart nginx
 
 - name: nginx | Server configuration file
@@ -63,10 +63,12 @@
   notify: nginx | reload nginx
   with_items: nginx_sites
 
-- name: nginx | Write out default htpasswd file
-  copy: >
-    content={{ nginx_cfg.htpasswd }} dest={{ nginx_app_dir }}/nginx.htpasswd
-    owner=www-data group=www-data mode=0600
+- name: nginx | Write out htpasswd file
+  htpasswd: >
+    name={{ NGINX_HTPASSWD_USER }}
+    password={{ NGINX_HTPASSWD_PASS }}
+    path={{ nginx_htpasswd_file }}
+  when: NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS
 
 - name: nginx | Create nginx log file location (just in case)
   file: >

playbooks/roles/nginx/templates/basic-auth.j2

+{% if  NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS %}
      auth_basic            "Restricted";
-     auth_basic_user_file  {{ nginx_app_dir }}/nginx.htpasswd;
+     auth_basic_user_file  {{ nginx_htpasswd_file }};
      index index.html
      proxy_set_header X-Forwarded-Proto https;
+{% endif %}

playbooks/roles/nginx/templates/cms.j2

@@ -32,9 +32,7 @@ server {
   }
 
   location / {
-    {% if  EDXAPP_CMS_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_cms_app;
   }
 

playbooks/roles/nginx/templates/discern.j2

@@ -20,9 +20,7 @@ server {
     }
 
     location / {
-        {% if  DISCERN_BASIC_AUTH %}
         {% include "basic-auth.j2" %}
-        {% endif %}
         proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
         proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
         proxy_set_header X-Forwarded-For $http_x_forwarded_for;

playbooks/roles/nginx/templates/lms-preview.j2

@@ -30,9 +30,7 @@ server {
 
   location / {
 
-    {% if  EDXAPP_LMS_PREVIEW_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_lms-preview_app;
   }
 

playbooks/roles/nginx/templates/lms.j2

@@ -31,10 +31,7 @@ server {
   }
 
   location / {
-
-    {% if  EDXAPP_LMS_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_lms_app;
   }
 

playbooks/roles/nginx/templates/ora.j2

@@ -9,9 +9,7 @@ server {
 
   location / {
 
-    {% if  ORA_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/xqueue.j2

@@ -8,9 +8,7 @@ server {
   listen {{ XQUEUE_NGINX_PORT }} default_server;
 
   location / {
-    {% if  XQUEUE_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/xserver.j2

@@ -18,9 +18,7 @@ server {
   listen {{ XSERVER_NGINX_PORT }} default_server;
 
   location / {
-    {% if  XSERVER_BASIC_AUTH %}
     {% include "basic-auth.j2" %}
-    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/ora/defaults/main.yml

 # vars for the ORA role
 ---
 ORA_NGINX_PORT: 18060
-ORA_BASIC_AUTH: False
 
 ora_app_dir: "{{ COMMON_APP_DIR }}/ora"
 ora_code_dir: "{{ ora_app_dir }}/ora"

playbooks/roles/xqueue/defaults/main.yml

@@ -2,7 +2,6 @@
 # when the role is included
 ---
 XQUEUE_NGINX_PORT: 18040
-XQUEUE_BASIC_AUTH: False
 
 xqueue_app_dir: "{{ COMMON_APP_DIR }}/xqueue"
 xqueue_code_dir: "{{ xqueue_app_dir }}/xqueue"

playbooks/roles/xserver/defaults/main.yml

@@ -2,7 +2,6 @@
 ---
 
 XSERVER_NGINX_PORT: 18050
-XSERVER_BASIC_AUTH: False
 
 XSERVER_RUN_URL: ''
 XSERVER_LOGGING_ENV: 'sandbox'