Merge pull request #2322 from open-craft/smarnach/selective-http-auth

Allow enabling HTTP basic auth for individual services.

playbooks/roles/nginx/defaults/main.yml

@@ -113,3 +113,28 @@ nginx_cfg:
 
 NGINX_ROBOT_RULES: [ ]
 NGINX_EDXAPP_EMBARGO_CIDRS: []
+
+CERTS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+ECOMMERCE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+EDXAPP_CMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+EDXAPP_LMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+KIBANA_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+ORA_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+PROGRAMS_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+XQUEUE_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+XSERVER_ENABLE_BASIC_AUTH: "{{ COMMON_ENABLE_BASIC_AUTH }}"
+
+NGINX_CREATE_HTPASSWD_FILE: >
+  {{
+    CERTS_ENABLE_BASIC_AUTH or
+    ECOMMERCE_ENABLE_BASIC_AUTH or
+    EDXAPP_CMS_ENABLE_BASIC_AUTH or
+    EDXAPP_LMS_ENABLE_BASIC_AUTH or
+    EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH or
+    KIBANA_ENABLE_BASIC_AUTH or
+    ORA_ENABLE_BASIC_AUTH or
+    PROGRAMS_ENABLE_BASIC_AUTH or
+    XQUEUE_ENABLE_BASIC_AUTH or
+    XSERVER_ENABLE_BASIC_AUTH
+  }}

playbooks/roles/nginx/tasks/main.yml

@@ -135,7 +135,7 @@
     name={{ COMMON_HTPASSWD_USER }}
     password={{ COMMON_HTPASSWD_PASS }}
     path={{ nginx_htpasswd_file }}
-  when: COMMON_ENABLE_BASIC_AUTH
+  when: NGINX_CREATE_HTPASSWD_FILE
 
 - name: Create nginx log file location (just in case)
   file: >

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/basic-auth.j2

-{% if COMMON_ENABLE_BASIC_AUTH %}
      satisfy any;
 
      allow 127.0.0.1;
@@ -17,4 +16,3 @@
 
      index index.html
      proxy_set_header X-Forwarded-Proto https;
-{% endif %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/certs.j2

@@ -3,8 +3,9 @@ server {
 
   location / {
     root {{ CERTS_WEB_ROOT }};
-    {% include "basic-auth.j2" %}
+    {% if CERTS_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri $uri/valid.html =404;
   }
 }
-

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2

@@ -74,7 +74,9 @@ error_page {{ k }} {{ v }};
   }
 
   location / {
-    {% include "basic-auth.j2" %}
+    {% if EDXAPP_CMS_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_cms_app;
   }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2

@@ -38,6 +38,9 @@ server {
   }
 
   location / {
+    {% if ECOMMERCE_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/kibana.j2

@@ -31,7 +31,9 @@ server {
   error_log {{ nginx_log_dir }}/kibana.error.log error;
 
   # Access restriction
-  {% include "basic-auth.j2" %}
+  {% if KIBANA_ENABLE_BASIC_AUTH %}
+    {% include "basic-auth.j2" %}
+  {% endif %}
 
   # Set image format types to expire in a very long time
   location ~* ^.+\.(jpg|jpeg|gif|png|ico)$ {

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2

@@ -37,8 +37,9 @@ server {
   }
 
   location / {
-
-    {% include "basic-auth.j2" %}
+    {% if EDXAPP_LMS_PREVIEW_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_lms-preview_app;
   }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -93,7 +93,9 @@ error_page {{ k }} {{ v }};
   }
 
   location / {
-    {% include "basic-auth.j2" %}
+    {% if EDXAPP_LMS_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     {% if NGINX_EDXAPP_EMBARGO_CIDRS -%}
     if ( $embargo ) {
       rewrite ^ /embargo;
@@ -167,7 +169,9 @@ error_page {{ k }} {{ v }};
     error_page  503 = /server/rate-limit.html;
     {%- endif -%}
 
-    {%- include "basic-auth.j2" %}
+    {% if EDXAPP_LMS_ENABLE_BASIC_AUTH %}
+      {%- include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_lms_app;
   }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ora.j2

@@ -8,8 +8,9 @@ server {
   listen {{ ORA_NGINX_PORT }} default_server;
 
   location / {
-
-    {% include "basic-auth.j2" %}
+    {% if ORA_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2

@@ -38,6 +38,9 @@ server {
   }
 
   location / {
+    {% if PROGRAMS_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2

@@ -8,7 +8,9 @@ server {
   listen {{ XQUEUE_NGINX_PORT }} default_server;
 
   location / {
-    {% include "basic-auth.j2" %}
+    {% if XQUEUE_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_app;
   }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xserver.j2

@@ -18,7 +18,9 @@ server {
   listen {{ XSERVER_NGINX_PORT }} default_server;
 
   location / {
-    {% include "basic-auth.j2" %}
+    {% if XSERVER_ENABLE_BASIC_AUTH %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
     try_files $uri @proxy_to_app;
   }