Add basic auth support

dnplkndll · Nov 2, 2016 · 507b7c2 · 507b7c2
1 parent 1905339
commit 507b7c2
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -68,6 +68,11 @@ nginx_http_gzip_disable: 'msie6'
 #     - 'auth_http_header X-Auth-Key "secret_string"'
 nginx_http_directives: []
 
+# Configure 0 or more basic auth logins, for example:
+#  nginx_basic_auth:
+#    - { user: 'nick', password: 'insecurepassword' }
+nginx_basic_auth: []
+
 # How many bits should we use to generate a dhparam?
 # Technically 2048 is 'good enough' but 4096 combined with a few other
 # things will get you to a perfect 100 A+ SSL rating, do not go below 2048.
@@ -145,6 +150,10 @@ nginx_default_sites:
     # If you want to override the default / location's try_files, this is the
     # place to do it. This could be useful for php-fpm based virtual hosts.
     custom_root_location_try_files: ''
+    # Is basic auth enabled for this virtual host?
+    basic_auth: False
+    # A 1 line message to show during the authentication required dialog.
+    basic_auth_message: 'Please sign in.'
     disallow_hidden_files:
       # Block all hidden files and directories, disable at your own risk.
       enabled: True
@@ -210,13 +219,17 @@ Let's say you want to accomplish the following goals:
 - Set up an upstream to serve a back-end using your web framework of choice
 - Load balance between 2 upstream servers
 - Configure a blog sub-domain with assets being served by a CDN
+- Password protect the blog because who needs visitors!
 
 Start by opening or creating `group_vars/app.yml` which is located relative
 to your `inventory` directory and then making it look like this:
 
 ```
 ---
 
+nginx_basic_auth:
+  - { user: 'coolperson', password: 'heylookatmeicanviewtheprivateblog' }
+
 nginx_sites:
   default:
     domains: ['example.com', 'www.example.com']
@@ -228,6 +241,7 @@ nginx_sites:
     domains: ['blog.example.com']
     serve_assets:
       enabled: False
+    basic_auth: True
 ```
 
 ## Installation

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -22,6 +22,8 @@ nginx_http_gzip: 'on'
 nginx_http_gzip_disable: 'msie6'
 nginx_http_directives: []
 
+nginx_basic_auth: []
+
 nginx_ssl_dhparam_bits: 2048
 
 nginx_default_sites:
@@ -55,6 +57,8 @@ nginx_default_sites:
       expires: 'max'
     custom_locations: ''
     custom_root_location_try_files: ''
+    basic_auth: False
+    basic_auth_message: 'Please sign in'
     disallow_hidden_files:
       enabled: True
     upstreams: []

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,5 +1,11 @@
 ---
 
+- name: Install role dependencies
+  apt:
+    name: 'python-passlib'
+    state: 'present'
+  when: nginx_basic_auth
+
 - name: Install nginx
   apt:
     name: 'nginx'
@@ -69,6 +75,16 @@
   notify:
     - Test nginx and restart
 
+- name: Create basic auth entries
+  htpasswd:
+    path: '/etc/nginx/.htpasswd'
+    name: '{{ item.user }}'
+    password: '{{ item.password }}'
+    group: 'root'
+    owner: 'root'
+    mode: '0644'
+  with_items: '{{ nginx_basic_auth }}'
+
 - name: Configure sites-enabled (vhosts)
   template:
     src: 'etc/nginx/sites-available/default.conf.j2'

diff --git a/templates/etc/nginx/sites-available/default.conf.j2 b/templates/etc/nginx/sites-available/default.conf.j2
@@ -104,6 +104,10 @@ server {
     try_files {{ item.custom_root_location_try_files }};
 {% else %}
     try_files $uri $uri.html $uri/{{ (' @' + item.upstreams[0].name) if (item.upstreams) else '' }} =404;
+{% endif %}
+{% if item.basic_auth | bool %}
+    auth_basic "{{ item.basic_auth_message }}";
+    auth_basic_user_file /etc/nginx/.htpasswd;
 {% endif %}
   }
 {% if item.upstreams %}