From 969ebefef3302a98a5030a06a44c0a02481b20db Mon Sep 17 00:00:00 2001
From: Pavol Vargovcik
Date: Mon, 18 Jun 2018 14:13:10 +0200
Subject: [PATCH 1/6] feature: generate htpasswd file from raw credentials
---
 Dockerfile | 2 +-
 launch.sh | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 20f86e7..b67c326 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ ENV HTPASSWD='foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.' \
 WORKDIR /opt
-RUN apk add --no-cache gettext
+RUN apk add --no-cache gettext apache2-utils
 COPY auth.conf auth.htpasswd launch.sh ./
diff --git a/launch.sh b/launch.sh
index f5aba9e..1ba65b5 100755
--- a/launch.sh
+++ b/launch.sh
@@ -1,5 +1,15 @@
 #!/bin/sh
+if [ "$RAW_CREDENTIALS" = 1 ]; then
+ HTPASSWD=$(
+ for line in $(echo $HTPASSWD); do
+ USERNAME="$(echo "$line" | cut -d':' -f1)"
+ PASSWORD="$(echo "$line" | cut -d':' -f2)"
+ htpasswd -nb "$USERNAME" "$PASSWORD" | head -n1
+ done
+ )
+fi
+
 rm /etc/nginx/conf.d/default.conf || :
 envsubst < auth.conf > /etc/nginx/conf.d/auth.conf
 envsubst < auth.htpasswd > /etc/nginx/auth.htpasswd
From 160504be64acbbc1e98993444c4d0669e8098d5c Mon Sep 17 00:00:00 2001
From: Pavol Vargovcik
Date: Mon, 18 Jun 2018 14:21:34 +0200
Subject: [PATCH 2/6] add note about raw credentials to README
---
 README.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/README.md b/README.md
index 4d98fb0..3971a28 100644
--- a/README.md
+++ b/README.md
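Review bot: In the `RAW_CREDENTIALS` block added to launch.sh (patch 1/6), `cut -d':' -f2` silently drops everything after a second colon, so a password such as `a:b` is stored as `a` and the account ends up with a shorter secret than the operator set. The unquoted `$(echo $HTPASSWD)` also splits entries on spaces and expands glob characters, and `htpasswd -nb` places the cleartext password in the process arguments, which the htpasswd documentation warns about for `-b`. I would read the variable line by line, split on the first colon only, and pass the password on stdin with `-i`, as sketched below; this assumes the apache2-utils build in the image supports `-i`, which should be confirmed. The rest of the script after `fi` is unchanged.

```shell
if [ "$RAW_CREDENTIALS" = 1 ]; then
  HTPASSWD=$(
    printf '%s\n' "$HTPASSWD" | while IFS= read -r line; do
      # Reject entries without a user:password separator (also skips blank lines).
      case $line in
        *:*) ;;
        *) echo "skipping malformed credential entry" >&2; continue ;;
      esac
      # Split on the first colon only, so the password may itself contain ':'.
      # The password travels on stdin, not in the argument list.
      printf '%s' "${line#*:}" | htpasswd -ni "${line%%:*}" | head -n1
    done
  )
fi
```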
@@ -42,6 +42,20 @@ docker run -d --link web:web --name auth \
 ```
 results in 2 users (`foo:bar` and `test:test`).
+## Raw Credentials
+If passing the contents of the HTPASSWD file is not convenient for you (because
+you need to perform additional step of generating it via `htpasswd -nb foo
+bar`), you can pass the credentials in a raw form and the contents of HTPASSWD
+variable will be generated for you. The `RAW_CREDENTIALS=1` must be set to
+enable this feature.
+
+```
+docker run -d --link web:web --name auth \
+ -e HTPASSWD=$'foo:bar\ntest:test' \
+ -e RAW_CREDENTIALS=1 \
+ beevelop/nginx-basic-auth
+```
+
 ## Troubleshooting
 ```
 nginx: [emerg] host not found in upstream "web" in /etc/nginx/conf.d/auth.conf:80
From be47b3154c2b1c6b3e8d3260cd4341ab082f19e2 Mon Sep 17 00:00:00 2001
From: Pavol Vargovcik
Date: Tue, 19 Jun 2018 11:02:47 +0200
Subject: [PATCH 3/6] proxy_read_timeout configurable
---
 auth.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth.conf b/auth.conf
index aaebd2e..ad323d5 100644
--- a/auth.conf
+++ b/auth.conf
@@ -6,6 +6,6 @@ server {
 auth_basic_user_file auth.htpasswd;
 proxy_pass http://${FORWARD_HOST}:${FORWARD_PORT};
- proxy_read_timeout 900;
+ proxy_read_timeout ${PROXY_READ_TIMEOUT};
 }
 }
From 1519c2f4c7ac81619af0c07668113af7aa847565 Mon Sep 17 00:00:00 2001
From: Pavol Vargovcik
Date: Tue, 19 Jun 2018 11:03:53 +0200
Subject: [PATCH 4/6] resolver TTL (time to live) set to 30s
If the backend changes its IP address, we can adapt to this change
---
 auth.conf | 6 +++++-
 launch.sh | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/auth.conf b/auth.conf
index ad323d5..e0d1c80 100644
--- a/auth.conf
+++ b/auth.conf
@@ -1,11 +1,15 @@
 server {
 listen 80 default_server;
+ resolver $NAMESERVER valid=30s;
+
+ set $backend "http://${FORWARD_HOST}:${FORWARD_PORT}";
+
 location / {
 auth_basic "Restricted";
 auth_basic_user_file auth.htpasswd;
- proxy_pass http://${FORWARD_HOST}:${FORWARD_PORT};
+ proxy_pass $backend;
 proxy_read_timeout ${PROXY_READ_TIMEOUT};
 }
 }
diff --git a/launch.sh b/launch.sh
index 1ba65b5..de38b86 100755
--- a/launch.sh
+++ b/launch.sh
@@ -10,8 +10,12 @@ if [ "$RAW_CREDENTIALS" = 1 ]; then
 )
 fi
+export NAMESERVER=$(cat /etc/resolv.conf | grep 'nameserver' | awk '{print $2}' | tr '\n' ' ')
+
 rm /etc/nginx/conf.d/default.conf || :
-envsubst < auth.conf > /etc/nginx/conf.d/auth.conf
+
+envsubst '$NAMESERVER,$FORWARD_HOST,$FORWARD_PORT,$PROXY_READ_TIMEOUT' \
+ < auth.conf > /etc/nginx/conf.d/auth.conf
 envsubst < auth.htpasswd > /etc/nginx/auth.htpasswd
 nginx -g "daemon off;"
From cc059475e1f10b0d011f9108b5dabfe73523fc00 Mon Sep 17 00:00:00 2001
From: Pavol Vargovcik
Date: Tue, 19 Jun 2018 11:18:46 +0200
Subject: [PATCH 5/6] default value for PROXY_READ_TIMEOUT
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b67c326..ad74f2c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,8 @@ FROM nginx:alpine
 ENV HTPASSWD='foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.' \
 FORWARD_PORT=80 \
- FORWARD_HOST=web
+ FORWARD_HOST=web \
+ PROXY_READ_TIMEOUT=900
 WORKDIR /opt
From 7437b1fd09fa4419a35316f6f38b4506b3725a1b Mon Sep 17 00:00:00 2001
From: Pavol Vargovcik
Date: Tue, 19 Jun 2018 11:27:14 +0200
Subject: [PATCH 6/6] update README (FORWARD_HOST and PROXY_READ_TIMEOUT)
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 3971a28..9902f4b 100644
--- a/README.md
+++ b/README.md
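Review bot: The new `resolver $NAMESERVER valid=30s;` line in auth.conf (patch 4/6) makes nginx look up the backend itself at request time, and nothing in the file records the trust assumption that comes with it. The location block shown does not clear the client's `Authorization` header, so a forged or hijacked answer from that resolver would send authenticated requests, Basic-auth credentials included, to whatever address it returns. I would add a comment above the directive, for example `# resolver must be a trusted, local DNS server: its answers decide where authenticated requests are proxied`, and consider `proxy_set_header Authorization "";` if the backend does not need the header. Note also that `valid=30s` overrides the record's own TTL rather than capping it.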
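Review bot: The `NAMESERVER` pipeline added to launch.sh (patch 4/6) uses an unanchored `grep 'nameserver'`, so any line in /etc/resolv.conf that merely contains the word, such as a comment, contributes a bogus second field to the `resolver` directive. Matching the keyword as the first field avoids that and removes two processes: `export NAMESERVER=$(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf | tr '\n' ' ')`. There is also no check for an empty result, which leaves the directive without any server address; `[ -n "$NAMESERVER" ] || { echo "no nameserver found in /etc/resolv.conf" >&2; exit 1; }` right after the assignment would make the cause explicit. IPv6 entries would additionally need square brackets for nginx, which this line does not add.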
@@ -31,6 +31,8 @@ docker run -d \
 ## Configuration
 - `HTPASSWD` (default: `foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.`): Will be written to the .htpasswd file on launch (non-persistent)
 - `FORWARD_PORT` (default: `80`): Port of the **source** container that should be forwarded
+- `FORWARD_HOST` (default: `web`): Host of the **source** container that should be forwarded
+- `PROXY_READ_TIMEOUT` (default: `900`): Timeout of the backend response
 > The container does not need any volumes to be mounted! Nonetheless you will find all interesting files at `/etc/nginx/*`.
 ## Multiple Users