author | Graham Christensen <graham@grahamc.com> | 2020-11-02 09:44:54 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-02 09:44:54 -0500 |
commit | 75a2bc94fae0afd09b5947033592512fe382e488 (patch) | |
tree | 187b12ea59c9e41928ad5b69ed37e3279b6be4c5 /nixos/modules/services | |
parent | 0eb5f0222325f9cf9942385f8017491651460ec6 (diff) | |
parent | 3361a037b9c29254b611de76dbc14bded60a3bd8 (diff) | |
Merge pull request #101192 from grahamc/nixpkgs-location-basic-auth
nginx: support basic auth in location blocks
Diffstat (limited to 'nixos/modules/services')
3 files changed, 45 insertions, 7 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index c0c2f27a00e..e9630d379f3 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -261,10 +261,7 @@ let
 ssl_trusted_certificate ${vhost.sslTrustedCertificate};
 ''}
- ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) ''
- auth_basic secured;
- auth_basic_user_file ${if vhost.basicAuthFile != null then vhost.basicAuthFile else mkHtpasswd vhostName vhost.basicAuth};
- ''}
+ ${mkBasicAuth vhostName vhost}
 ${mkLocations vhost.locations}
@@ -293,9 +290,19 @@ let
 ${optionalString (config.return != null) "return ${config.return};"}
 ${config.extraConfig}
 ${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"}
+ ${mkBasicAuth "sublocation" config}
 }
 '') (sortProperties (mapAttrsToList (k: v: v // { location = k; }) locations)));
- mkHtpasswd = vhostName: authDef: pkgs.writeText "${vhostName}.htpasswd" (
+
+ mkBasicAuth = name: zone: optionalString (zone.basicAuthFile != null || zone.basicAuth != {}) (let
+ auth_file = if zone.basicAuthFile != null
+ then zone.basicAuthFile
+ else mkHtpasswd name zone.basicAuth;
+ in ''
+ auth_basic secured;
+ auth_basic_user_file ${auth_file};
+ '');
+ mkHtpasswd = name: authDef: pkgs.writeText "${name}.htpasswd" (
 concatStringsSep "\n" (mapAttrsToList (user: password: ''
 ${user}:{PLAIN}${password}
 '') authDef)
diff --git a/nixos/modules/services/web-servers/nginx/location-options.nix b/nixos/modules/services/web-servers/nginx/location-options.nix
index 3d9e391ecf2..f2fc0725572 100644
--- a/nixos/modules/services/web-servers/nginx/location-options.nix
+++ b/nixos/modules/services/web-servers/nginx/location-options.nix
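Review bot: In the second default.nix hunk, `mkBasicAuth` picks `basicAuthFile` whenever it is non-null and silently discards a non-empty `basicAuth` set on the same vhost or location, so an operator who sets both gets no evaluation error and may believe the inline users are active. At minimum I would put `# basicAuthFile takes precedence; basicAuth is ignored when both are set` above `auth_file`, and an assertion rejecting the combination would be stricter (the module's assertion list is not visible in this hunk). Separately, every location now passes the fixed name `"sublocation"`, so each generated `{PLAIN}` file is called `sublocation.htpasswd` and its store path no longer says which location it protects; a short comment explaining why the location key is not used as the name would help whoever audits the store for these files. The body of `mkHtpasswd` continues past the end of the hunk.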
@@ -9,6 +9,34 @@ with lib;
 {
 options = {
+ basicAuth = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ example = literalExample ''
+ {
+ user = "password";
+ };
+ '';
+ description = ''
+ Basic Auth protection for a vhost.
+
+ WARNING: This is implemented to store the password in plain text in the
+ Nix store.
+ '';
+ };
+
+ basicAuthFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Basic Auth password file for a vhost.
+ Can be created via: <command>htpasswd -c <filename> <username></command>.
+
+ WARNING: The generate file contains the users' passwords in a
+ non-cryptographically-securely hashed way.
+ '';
+ };
+
 proxyPass = mkOption {
 type = types.nullOr types.str;
 default = null;
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 455854e2a96..cf211ea9a71 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -198,7 +198,7 @@ with lib;
 Basic Auth protection for a vhost.
 WARNING: This is implemented to store the password in plain text in the
- nix store.
+ Nix store.
 '';
 };
@@ -207,7 +207,10 @@ with lib;
 default = null;
 description = ''
 Basic Auth password file for a vhost.
- Can be created via: <command>htpasswd -c <filename> <username></command>
+ Can be created via: <command>htpasswd -c <filename> <username></command>.
+
+ WARNING: The generate file contains the users' passwords in a
+ non-cryptographically-securely hashed way.
 '';
 };
 |
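Review bot: The two descriptions added to location-options.nix are copied from the vhost options and still say "for a vhost", although here they protect a single location; they should read `Basic Auth protection for a location.` and `Basic Auth password file for a location.`. The `basicAuthFile` text also leaves out a caveat that matters for a `types.path` option: a Nix path literal such as `./htpasswd` is copied into the world-readable Nix store when it is interpolated into the generated config, so I would add `Pass an absolute path as a string to keep the file out of the Nix store.` to the description. "The generate file" should be "The generated file"; the same wording is added in the second vhost-options.nix hunk.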