http basic auth
parent
8561d47be0
commit
caa415e126
|
@ -11,7 +11,7 @@ COPY scripts/ /opt/scripts
|
|||
COPY misc/*.mmdb /etc/nginx/geoip.mmdb
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
30
README.md
30
README.md
|
@ -155,6 +155,31 @@ Values : *yes* | *no*
|
|||
Default value : *yes*
|
||||
If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.
|
||||
|
||||
`USE_AUTH_BASIC`
|
||||
Values : *yes* | *no*
|
||||
Default value : *no*
|
||||
If set to yes, enables HTTP basic authentication at the location `AUTH_BASIC_LOCATION` with user `AUTH_BASIC_USER` and password `AUTH_BASIC_PASSWORD`.
|
||||
|
||||
`AUTH_BASIC_LOCATION`
|
||||
Values : */* | */subdir/* | *\<any valid location\>*
|
||||
Default value : */*
|
||||
The location to restrict when `USE_AUTH_BASIC` is set to *yes*. By default, all the website is restricted (*/*).
|
||||
|
||||
`AUTH_BASIC_USER`
|
||||
Values : *\<any valid username\>*
|
||||
Default value : *changeme*
|
||||
The username allowed to access `AUTH_BASIC_LOCATION` when `USE_AUTH_BASIC` is set to yes.
|
||||
|
||||
`AUTH_BASIC_PASSWORD`
|
||||
Values : *\<any valid password\>*
|
||||
Default value : *changeme*
|
||||
The password of `AUTH_BASIC_USER` when `USE_AUTH_BASIC` is set to yes.
|
||||
|
||||
`AUTH_BASIC_TEXT`
|
||||
Values : *\<any valid text\>*
|
||||
Default value : *Restricted area*
|
||||
The text displayed inside the login prompt when `USE_AUTH_BASIC` is set to yes.
|
||||
|
||||
## ModSecurity
|
||||
`USE_MODSECURITY`
|
||||
Values : *yes* | *no*
|
||||
|
@ -345,9 +370,8 @@ ENV WRITE_ACCESS yes
|
|||
```
|
||||
|
||||
# TODO
|
||||
- Default CSP
|
||||
- Custom Dockerfile based on bunkerized-nginx
|
||||
- Auth basic
|
||||
- Auth basic testing
|
||||
- Antibot with recaptcha v3
|
||||
- Documentation
|
||||
- Custom TLS certificates
|
||||
- HSTS preload, HPKP
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
location %AUTH_BASIC_LOCATION% {
|
||||
auth_basic "%AUTH_BASIC_TEXT%";
|
||||
auth_basic_user_file /etc/nginx/.htpasswd;
|
||||
}
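Review bot: The new `location %AUTH_BASIC_LOCATION%` block is a plain prefix location carrying only the two auth directives, so a request that nginx routes to any other location is not covered by it. Regex locations take precedence over a prefix match, so if `%USE_PHP%` expands to something like a `location ~ \.php$` block (not visible here), PHP requests would be served without the credential check even with the default `/`. When the protected location is `/`, emitting `auth_basic "%AUTH_BASIC_TEXT%";` and `auth_basic_user_file /etc/nginx/.htpasswd;` at server level would cover every location. A comment in this file noting that basic auth sends credentials merely base64-encoded, and so should only be enabled together with HTTPS, would also help.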
|
|
@ -9,6 +9,7 @@ server {
|
|||
{
|
||||
return 405;
|
||||
}
|
||||
%AUTH_BASIC%
|
||||
%USE_PHP%
|
||||
%HEADER_SERVER%
|
||||
%X_FRAME_OPTIONS%
|
||||
|
|
|
@ -94,6 +94,11 @@ FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-10}"
|
|||
USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
|
||||
USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
|
||||
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
|
||||
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
|
||||
AUTH_BASIC_TEXT="{AUTH_BASIC_TEXT-Restricted area}"
|
||||
AUTH_BASIC_LOCATION="{AUTH_BASIC_LOCATION-/}"
|
||||
AUTH_BASIC_USER="{AUTH_BASIC_USER-changeme}"
|
||||
AUTH_BASIC_PASSWORD="{AUTH_BASIC_PASSWORD-changeme}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
|
@ -311,6 +316,14 @@ if [ "$SERVE_FILES" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
|
||||
fi
|
||||
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
|
||||
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
|
||||
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
|
||||
htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
|
||||
fi
|
||||
|
||||
# fail2ban setup
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
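Review bot: The four new defaults in the first hunk are missing the `$` of the parameter expansion, so `AUTH_BASIC_USER="{AUTH_BASIC_USER-changeme}"` assigns that literal text and discards whatever the operator set; the same holds for `AUTH_BASIC_TEXT`, `AUTH_BASIC_LOCATION` and `AUTH_BASIC_PASSWORD`. With `USE_AUTH_BASIC=yes`, the `htpasswd` call in the second hunk then writes a fixed, publicly known user and password regardless of configuration, and the literal braces substituted into `location %AUTH_BASIC_LOCATION%` probably leave nginx with an invalid config. Each line should read like `AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"`. Separately, `htpasswd -b` puts the password on the command line, where it is visible in the process list; `printf '%s' "$AUTH_BASIC_PASSWORD" | htpasswd -i -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER"` avoids that. Refusing to start while the password is still `changeme` would also be safer than silently accepting the default.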
|
||||
|
|