Merge pull request #2481 from open-craft/smarnach/selective-http-auth

Allow enabling HTTP basic auth for individual services.

Merge pull request #2481 from open-craft/smarnach/selective-http-auth
Allow enabling HTTP basic auth for individual services.
edc67b68 · Sven Marnach · fcb4d2ff · c44bf596 · edc67b68 · edc67b68
Commit edc67b68 authored May 03, 2016 by Sven Marnach
12 changed files
--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -128,3 +128,28 @@ nginx_cfg:
 NGINX_ROBOT_RULES: [ ]
 NGINX_EDXAPP_EMBARGO_CIDRS: []
 NGINX_P3P_MESSAGE: 'CP="Open edX does not have a P3P policy."'
+
+COMMON_ENABLE_BASIC_AUTH: False
+
+CERTS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+ECOMMERCE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+EDXAPP_CMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+EDXAPP_LMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+KIBANA_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+PROGRAMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+XQUEUE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+XSERVER_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+
+NGINX_CREATE_HTPASSWD_FILE: >
+  {{
+    CERTS_ENABLE_BASIC_AUTH|bool or
+    ECOMMERCE_ENABLE_BASIC_AUTH|bool or
+    EDXAPP_CMS_ENABLE_BASIC_AUTH|bool or
+    EDXAPP_LMS_ENABLE_BASIC_AUTH|bool or
+    EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH|bool or
+    KIBANA_ENABLE_BASIC_AUTH|bool or
+    PROGRAMS_ENABLE_BASIC_AUTH|bool or
+    XQUEUE_ENABLE_BASIC_AUTH|bool or
+    XSERVER_ENABLE_BASIC_AUTH|bool
+  }}
--- a/playbooks/roles/nginx/tasks/main.yml
+++ b/playbooks/roles/nginx/tasks/main.yml
@@ -227,7 +227,7 @@
    password={{ item.password }}
    state={{ item.state  }}
    path={{ nginx_htpasswd_file }}
-  when: COMMON_ENABLE_BASIC_AUTH
+  when: NGINX_CREATE_HTPASSWD_FILE
  tags:
    - install
    - install:configuration

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/basic-auth.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/basic-auth.j2
-{% if COMMON_ENABLE_BASIC_AUTH %}
     satisfy any;

     allow 127.0.0.1;
@@ -14,4 +13,3 @@

     index index.html
     proxy_set_header X-Forwarded-Proto https;
-{% endif %}
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/certs.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/certs.j2
@@ -3,8 +3,9 @@ server {

  location / {
    root {{ CERTS_WEB_ROOT }};
-    {% include "basic-auth.j2" %}
+    {% if CERTS_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri $uri/valid.html =404;
  }
 }
-
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
@@ -101,7 +101,9 @@ error_page {{ k }} {{ v }};
  }

  location / {
-    {% include "basic-auth.j2" %}
+    {% if EDXAPP_CMS_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri @proxy_to_cms_app;
  }


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2
@@ -63,6 +63,9 @@ server {
  }

  location / {
+    {% if ECOMMERCE_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri @proxy_to_app;
  }


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/kibana.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/kibana.j2
@@ -57,7 +57,9 @@ server {
  error_log {{ nginx_log_dir }}/kibana.error.log error;

  # Access restriction
-  {% include "basic-auth.j2" %}
+  {% if KIBANA_ENABLE_BASIC_AUTH|bool %}
+    {% include "basic-auth.j2" %}
+  {% endif %}

  # Set image format types to expire in a very long time
  location ~* ^.+\.(jpg|jpeg|gif|png|ico)$ {

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2
@@ -37,8 +37,9 @@ server {
  }

  location / {
-
-    {% include "basic-auth.j2" %}
+    {% if EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri @proxy_to_lms-preview_app;
  }


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -119,7 +119,9 @@ error_page {{ k }} {{ v }};
  }

  location / {
-    {% include "basic-auth.j2" %}
+    {% if EDXAPP_LMS_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    {% if NGINX_EDXAPP_EMBARGO_CIDRS -%}
    if ( $embargo ) {
      return 302 /embargo;
@@ -206,7 +208,9 @@ error_page {{ k }} {{ v }};
    error_page  503 = /server/rate-limit.html;
    {%- endif -%}

-    {%- include "basic-auth.j2" %}
+    {% if EDXAPP_LMS_ENABLE_BASIC_AUTH|bool %}
+      {%- include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri @proxy_to_lms_app;
  }


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2
@@ -79,6 +79,9 @@ server {
  }

  location / {
+    {% if PROGRAMS_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri @proxy_to_app;
  }


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
@@ -8,7 +8,9 @@ server {
  listen {{ XQUEUE_NGINX_PORT }} default_server;

  location / {
-    {% include "basic-auth.j2" %}
+    {% if XQUEUE_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri @proxy_to_app;
  }


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xserver.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xserver.j2
@@ -18,7 +18,9 @@ server {
  listen {{ XSERVER_NGINX_PORT }} default_server;

  location / {
-    {% include "basic-auth.j2" %}
+    {% if XSERVER_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
    try_files $uri @proxy_to_app;
  }