Make basic_auth a global nginx parameter

Instead of enabling basic auth per role this makes it an nginx parameter which makes more sense for sandboxes and probably other servers where we want basic auth turned on

Make basic_auth a global nginx parameter
Instead of enabling basic auth per role this makes it an nginx parameter which makes more sense for sandboxes and probably other servers where we want basic auth turned on
c63f18c2 · John Jarvis · d1e31e71 · c63f18c2 · c63f18c2 · c63f18c2
Commit c63f18c2 authored Nov 26, 2013 by John Jarvis
16 changed files
--- a/playbooks/edx-east/deploy_nginx_all_roles.yml
+++ b/playbooks/edx-east/deploy_nginx_all_roles.yml
+- name: Configure instance(s)
+  hosts: all
+  sudo: True
+  gather_facts: False
+  vars_files:
+    - roles/edxapp/defaults/main.yml
+    - roles/ora/defaults/main.yml
+    - roles/xqueue/defaults/main.yml
+    - roles/xserver/defaults/main.yml
+  roles:
+    - common
+    - role: nginx
+      nginx_sites:
+      - cms
+      - lms
+      - ora
+      - xqueue
+      - xserver
--- a/playbooks/roles/discern/defaults/main.yml
+++ b/playbooks/roles/discern/defaults/main.yml
 DISCERN_NGINX_PORT: 18070
-DISCERN_BASIC_AUTH: False
 DISCERN_MEMCACHE: [ 'localhost:11211' ]
 DISCERN_AWS_ACCESS_KEY_ID: ""
 DISCERN_AWS_SECRET_ACCESS_KEY: ""

--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -89,9 +89,6 @@ EDXAPP_LMS_NGINX_PORT: 18000
 EDXAPP_LMS_PREVIEW_NGINX_PORT: 18020
 EDXAPP_CMS_NGINX_PORT: 18010

-EDXAPP_LMS_BASIC_AUTH: False
-EDXAPP_CMS_BASIC_AUTH: False
-EDXAPP_LMS_PREVIEW_BASIC_AUTH: False
 EDXAPP_LANG: 'en_US.UTF-8'
 EDXAPP_TIME_ZONE: 'America/New_York'


--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
 # Variables for nginx role
 ---
+# Set global htaccess for nginx
+NGINX_HTPASSWD_USER: !!null
+NGINX_HTPASSWD_PASS: !!null

 nginx_app_dir: "{{ COMMON_APP_DIR }}/nginx"
 nginx_data_dir: "{{ COMMON_DATA_DIR }}/nginx"
@@ -8,10 +11,11 @@ nginx_log_dir: "{{ COMMON_LOG_DIR }}/nginx"
 nginx_sites_available_dir: "{{ nginx_app_dir }}/sites-available"
 nginx_sites_enabled_dir: "{{ nginx_app_dir }}/sites-enabled"
 nginx_user: root
+nginx_htpasswd_file: "{{ nginx_app_dir }}/nginx.htpasswd"

-pkgs:
-  nginx:
-    state: installed
+nginx_debian_pkgs:
+  - nginx
+  - python-passlib

 nginx_xserver_gunicorn_hosts:
  - 127.0.0.1
@@ -36,7 +40,3 @@ nginx_cfg:
  # nginx configuration
  version_html: "{{ nginx_app_dir }}/versions.html"
  version_json: "{{ nginx_app_dir }}/versions.json"
-  # default htpasswd contents set to edx/edx
-  # this value can be overiden in vars/secure/<group>.yml
-  htpasswd: |
-    edx:$apr1$2gWcIvlc$Nu7b/KTwd5HoIDEkSPNUk/
--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -25,8 +25,8 @@
    - "{{ nginx_log_dir }}"
  notify: nginx | restart nginx

- name: nginx | Install nginx
-  apt: pkg=nginx state={{ pkgs.nginx.state }}
+- name: nginx | Install nginx packages
+  apt: pkg={{','.join(nginx_debian_pkgs)}} state=present
  notify: nginx | restart nginx

 - name: nginx | Server configuration file
@@ -63,10 +63,12 @@
  notify: nginx | reload nginx
  with_items: nginx_sites

- name: nginx | Write out default htpasswd file
-  copy: >
-    content={{ nginx_cfg.htpasswd }} dest={{ nginx_app_dir }}/nginx.htpasswd
-    owner=www-data group=www-data mode=0600
+- name: nginx | Write out htpasswd file
+  htpasswd: >
+    name={{ NGINX_HTPASSWD_USER }}
+    password={{ NGINX_HTPASSWD_PASS }}
+    path={{ nginx_htpasswd_file }}
+  when: NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS

 - name: nginx | Create nginx log file location (just in case)
  file: >

--- a/playbooks/roles/nginx/templates/basic-auth.j2
+++ b/playbooks/roles/nginx/templates/basic-auth.j2
+{% if  NGINX_HTPASSWD_USER and NGINX_HTPASSWD_PASS %}
     auth_basic            "Restricted";
-     auth_basic_user_file  {{ nginx_app_dir }}/nginx.htpasswd;
+     auth_basic_user_file  {{ nginx_htpasswd_file }};
     index index.html
     proxy_set_header X-Forwarded-Proto https;
+{% endif %}
--- a/playbooks/roles/nginx/templates/cms.j2
+++ b/playbooks/roles/nginx/templates/cms.j2
@@ -32,9 +32,7 @@ server {
  }

  location / {
-    {% if  EDXAPP_CMS_BASIC_AUTH %}
-        {% include "basic-auth.j2" %}
-    {% endif %}
+    {% include "basic-auth.j2" %}
    try_files $uri @proxy_to_cms_app;
  }


--- a/playbooks/roles/nginx/templates/discern.j2
+++ b/playbooks/roles/nginx/templates/discern.j2
@@ -20,9 +20,7 @@ server {
    }

    location / {
-        {% if  DISCERN_BASIC_AUTH %}
-            {% include "basic-auth.j2" %}
-        {% endif %}
+        {% include "basic-auth.j2" %}
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;

--- a/playbooks/roles/nginx/templates/lms-preview.j2
+++ b/playbooks/roles/nginx/templates/lms-preview.j2
@@ -30,9 +30,7 @@ server {

  location / {

-    {% if  EDXAPP_LMS_PREVIEW_BASIC_AUTH %}
-        {% include "basic-auth.j2" %}
-    {% endif %}
+    {% include "basic-auth.j2" %}
    try_files $uri @proxy_to_lms-preview_app;
  }


--- a/playbooks/roles/nginx/templates/lms.j2
+++ b/playbooks/roles/nginx/templates/lms.j2
@@ -31,10 +31,7 @@ server {
  }

  location / {
-
-    {% if  EDXAPP_LMS_BASIC_AUTH %}
-        {% include "basic-auth.j2" %}
-    {% endif %}
+    {% include "basic-auth.j2" %}
    try_files $uri @proxy_to_lms_app;
  }


--- a/playbooks/roles/nginx/templates/ora.j2
+++ b/playbooks/roles/nginx/templates/ora.j2
@@ -9,9 +9,7 @@ server {

  location / {

-    {% if  ORA_BASIC_AUTH %}
-        {% include "basic-auth.j2" %}
-    {% endif %}
+    {% include "basic-auth.j2" %}
    try_files $uri @proxy_to_app;
  }


--- a/playbooks/roles/nginx/templates/xqueue.j2
+++ b/playbooks/roles/nginx/templates/xqueue.j2
@@ -8,9 +8,7 @@ server {
  listen {{ XQUEUE_NGINX_PORT }} default_server;

  location / {
-    {% if  XQUEUE_BASIC_AUTH %}
-        {% include "basic-auth.j2" %}
-    {% endif %}
+    {% include "basic-auth.j2" %}
    try_files $uri @proxy_to_app;
  }


--- a/playbooks/roles/nginx/templates/xserver.j2
+++ b/playbooks/roles/nginx/templates/xserver.j2
@@ -18,9 +18,7 @@ server {
  listen {{ XSERVER_NGINX_PORT }} default_server;

  location / {
-    {% if  XSERVER_BASIC_AUTH %}
-        {% include "basic-auth.j2" %}
-    {% endif %}
+    {% include "basic-auth.j2" %}
    try_files $uri @proxy_to_app;
  }


--- a/playbooks/roles/ora/defaults/main.yml
+++ b/playbooks/roles/ora/defaults/main.yml
 # vars for the ORA role
 ---
 ORA_NGINX_PORT: 18060
-ORA_BASIC_AUTH: False

 ora_app_dir: "{{ COMMON_APP_DIR }}/ora"
 ora_code_dir: "{{ ora_app_dir }}/ora"
@@ -122,7 +121,7 @@ ora_auth_config:
      username: $ORA_DJANGO_USER
    url: $ORA_URL
  DATABASES:
-    default: 
+    default:
      ENGINE: 'django.db.backends.mysql'
      NAME: $ORA_MYSQL_DB_NAME
      USER: $ORA_MYSQL_USER

--- a/playbooks/roles/xqueue/defaults/main.yml
+++ b/playbooks/roles/xqueue/defaults/main.yml
@@ -2,7 +2,6 @@
 # when the role is included
 ---
 XQUEUE_NGINX_PORT: 18040
-XQUEUE_BASIC_AUTH: False

 xqueue_app_dir: "{{ COMMON_APP_DIR }}/xqueue"
 xqueue_code_dir: "{{ xqueue_app_dir }}/xqueue"

--- a/playbooks/roles/xserver/defaults/main.yml
+++ b/playbooks/roles/xserver/defaults/main.yml
@@ -2,7 +2,6 @@
 ---

 XSERVER_NGINX_PORT: 18050
-XSERVER_BASIC_AUTH: False

 XSERVER_RUN_URL: ''
 XSERVER_LOGGING_ENV: 'sandbox'