nginx: Setup Nginx with authentification

Also, publish connection information to SlapOS /cc @jerome, @romain, @rafael /reviewed-on nexedi/slapos!140

nginx: Setup Nginx with authentification
Also, publish connection information to SlapOS /cc @jerome, @romain, @rafael /reviewed-on nexedi/slapos!140
cfeb208e · Gabriel Monnerat · Gabriel Monnerat · 8ca0faf9 · cfeb208e · cfeb208e
Commit cfeb208e authored Mar 07, 2017 by Gabriel Monnerat Committed by Gabriel Monnerat Mar 10, 2017
3 changed files
--- a/software/nginx-push-stream/instance-nginx.cfg.in
+++ b/software/nginx-push-stream/instance-nginx.cfg.in
-{% set part_list = [] -%}
-{% set crontab_line_list = [] -%}
+[buildout]
+parts =
+  nginx-service
+  htpasswd
+  htpasswd-runner
+  publish-connection-information
+
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
+offline = true
+
 [directory]
 recipe = slapos.cookbook:mkdirectory
 etc = $${buildout:directory}/etc
@@ -35,23 +44,35 @@ error_log = $${directory:log}/nginx-error.log
 ip = $${slap-network-information:global-ipv6}
 local_ip = $${slap-network-information:local-ipv4}
 port = 9443
+publisher_location_prefix = /pub
 publisher_push_stream_store_messages = off
 publisher_client_max_body_size = 16k
 publisher_client_body_buffer_size = 16k
+
 subscriber_allow_origin = '*'
+subscriber_location_prefix = /sub
 # Prevent to use credential if origin is star
 subscriber_allow_credential = 'false'
 subscriber_allow_methods = 'GET, HEAD, OPTIONS'
 subscriber_allow_headers = 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since'

-# Add parts generated by template
-[buildout]
-parts =
-  nginx-service
-{% for part in part_list -%}
-{{ '    %s' % part }}
-{% endfor -%}
+[htpasswd]
+recipe = slapos.cookbook:generate.password
+storage-path = $${directory:etc}/.pwd
+bytes = 8

-eggs-directory = ${buildout:eggs-directory}
-develop-eggs-directory = ${buildout:develop-eggs-directory}
-offline = true
+[htpasswd-runner]
+recipe = plone.recipe.command
+stop-on-error = true
+htpasswd-path = $${directory:etc}/.htpasswd
+command = if [ ! -f "$${:htpasswd-path}" ]; then ${buildout:bin-directory}/htpasswd -cb $${:htpasswd-path} $${:user} $${:password}; fi
+update-command = $${:command}
+user = admin
+password = $${htpasswd:passwd}
+
+[publish-connection-information]
+recipe = slapos.cookbook:publish
+init-password = $${htpasswd:passwd}
+init-user = $${htpasswd-runner:user}
+publisher-url = http://$${htpasswd-runner:user}:$${htpasswd:passwd}@[$${nginx-configuration:ip}]:$${nginx-configuration:port}$${nginx-configuration:publisher_location_prefix}
+subscriber-url = http://$${htpasswd-runner:user}:$${htpasswd:passwd}@[$${nginx-configuration:ip}]:$${nginx-configuration:port}$${nginx-configuration:subscriber_location_prefix}
--- a/software/nginx-push-stream/software.cfg
+++ b/software/nginx-push-stream/software.cfg
 [buildout]
-
 extends = 
  ../../stack/slapos.cfg
  ../../component/dash/buildout.cfg
@@ -13,6 +12,10 @@ parts =
  template-nginx-service
  template-nginx

+[slapos-cookbook]
+eggs +=
+  slapos.toolbox
+
 [template]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance.cfg.in
@@ -30,17 +33,17 @@ mode = 0644
 [template-nginx-configuration]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/template-nginx.cfg.in
-md5sum = 58cd6a59089ab93bb3ec0f5d12888500
+md5sum = f5658154b82282bc1871f18ddf4529d8
 output = ${buildout:directory}/template-nginx.cfg.in
 mode = 0644

 [template-nginx]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-nginx.cfg.in
-md5sum = 478085d0abb0ffc0b259c038bddae205
+md5sum = 936fea88f5548c4f14e287f1b27dc127
 output = ${buildout:directory}/instance-nginx.cfg.in
 mode = 0644

 [versions]
-plone.recipe.command = 1.1
 slapos.recipe.template = 2.7
+slapos.toolbox = 0.65
--- a/software/nginx-push-stream/template-nginx.cfg.in
+++ b/software/nginx-push-stream/template-nginx.cfg.in
@@ -65,12 +65,15 @@ server {
  client_body_temp_path $${directory:varnginx} 1 2;
  proxy_temp_path $${directory:varnginx} 1 2;

+  auth_basic           "Nginx Access";
+  auth_basic_user_file $${htpasswd-runner:htpasswd-path};
+
  ## Serve an error 204 (No Content) for favicon.ico
  location = /favicon.ico {
    return 204;
  }

-  location /pub {
+  location $${nginx-configuration:publisher_location_prefix} {
            push_stream_publisher;

            push_stream_channels_path               $arg_id;
@@ -85,7 +88,7 @@ server {

   }

-   location ~ /sub/(.*) {
+   location ~ $${nginx-configuration:subscriber_location_prefix}/(.*) {
            # activate subscriber mode for this location
            add_header "Access-Control-Allow-Origin" $${nginx-configuration:subscriber_allow_origin};
            add_header 'Access-Control-Allow-Credentials' $${nginx-configuration:subscriber_allow_credential};