Persistent nginx/discourse.conf?

When I’m using the current default docker install of discourse, ./launcher enter app the container, /etc/nginx/conf.d/discourse.conf contains:

  location / {
    root $public;
    add_header ETag "";

    # auth_basic on;
    # auth_basic_user_file /etc/nginx/htpasswd;

    location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ {

I would like to enable auth_basic while working on my site, but I frequently end up doing ./launcher rebuild app as there’s inevitably something else to reconfigure or something to change.

Unfortunately, each time this wipes out my basic auth, making my completely private site public. (other people looking at the site are especially interested in how registration for new users will work… so basic auth seems to be the best solution).

I’ve noticed that most of the “customizing nginx” discussion on meta talks about setting up a completely separate nginx instance, which certainly seems like overkill here considering what I want is already in the file, just commented out.

So what’s the right procedure so that my basic auth will survive reboots? Do I make my own pups template in /templates, or use write it at the bottom of my /containers/app.yml in the final ## Any custom commands to run after building run: section?

1 Like

Better choice can be to run your container behind an nginx reverse proxy to handle the auth_basic

3 Likes

An alternative is to use pups directives in your app.yml to have the modifications you need applied during rebuild :slight_smile:

5 Likes

@fefrei thank you for your suggestion and for reading clearly :smile:

If anyone else is looking to add auth_basic to their site during development, and make it persistent across ./launcher rebuild app just update your containers/app.yml with:

## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: "# auth_basic on"
     to: "auth_basic on"
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: "# auth_basic_user_file /etc/nginx/htpasswd"
     to: "auth_basic_user_file /etc/nginx/htpasswd"
  - file:
     path: "/etc/nginx/htpasswd"
     contents: |
      myuser:$apr1$pVrNvrxt$QvutzMrHfb2IYDNUOk54o0
     # use: `openssl passwd -apr1` to generate password hash

Of course update myuser to be the actual username you want and run openssl passwd -apr1 to generate a hash of your real password.

Or you could install a whole separate instance of nginx and create a reverse proxy just for this… Whichever is easier for you :wink:

9 Likes

Thanks, @ryanerwin! This was a big help. If you’re counting on /srv/status to work for some reason, your solution breaks it. Here’s how to allow /srv/status to be served without auth_basic.

# basic auth
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "# auth_basic on"
       to: "auth_basic on"
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "# auth_basic_user_file /etc/nginx/htpasswd"
       to: "auth_basic_user_file /etc/nginx/htpasswd"
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "location = /srv/status {"
       to: "location = /srv/status {
           auth_basic off;"
    - file:
       path: "/etc/nginx/htpasswd"
       contents: |
        discourse:$apr1$y2JsCAxw$UuDgGdsoXNf.4Rl15Hp2b0

The above example is for user “discourse” and password “password”, though bad practice, we are just making sure that we get a password that a crawler won’t guess.

You can also generate a password something like this:

htpasswd -cb password_file user password
cat password_file
2 Likes