¿nginx/discourse.conf persistente?

Soporte Instalación
1

When I’m using the current default docker install of discourse, ./launcher enter app the container, /etc/nginx/conf.d/discourse.conf contains:

  location / {
    root $public;
    add_header ETag "";

    # auth_basic on;
    # auth_basic_user_file /etc/nginx/htpasswd;

    location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ {

I would like to enable auth_basic while working on my site, but I frequently end up doing ./launcher rebuild app as there’s inevitably something else to reconfigure or something to change.

Unfortunately, each time this wipes out my basic auth, making my completely private site public. (other people looking at the site are especially interested in how registration for new users will work… so basic auth seems to be the best solution).

I’ve noticed that most of the “customizing nginx” discussion on meta talks about setting up a completely separate nginx instance, which certainly seems like overkill here considering what I want is already in the file, just commented out.

So what’s the right procedure so that my basic auth will survive reboots? Do I make my own pups template in /templates, or use write it at the bottom of my /containers/app.yml in the final ## Any custom commands to run after building run: section?

1 me gusta
2

Better choice can be to run your container behind an nginx reverse proxy to handle the auth_basic

3 Me gusta
3

An alternative is to use pups directives in your app.yml to have the modifications you need applied during rebuild :slight_smile:

5 Me gusta
4

@fefrei thank you for your suggestion and for reading clearly :smile:

5

If anyone else is looking to add auth_basic to their site during development, and make it persistent across ./launcher rebuild app just update your containers/app.yml with:

## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: "# auth_basic on"
     to: "auth_basic on"
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: "# auth_basic_user_file /etc/nginx/htpasswd"
     to: "auth_basic_user_file /etc/nginx/htpasswd"
  - file:
     path: "/etc/nginx/htpasswd"
     contents: |
      myuser:$apr1$pVrNvrxt$QvutzMrHfb2IYDNUOk54o0
     # use: `openssl passwd -apr1` to generate password hash

Of course update myuser to be the actual username you want and run openssl passwd -apr1 to generate a hash of your real password.

Or you could install a whole separate instance of nginx and create a reverse proxy just for this… Whichever is easier for you :wink:

9 Me gusta
6

¡Gracias, @ryanerwin! Esto fue de gran ayuda. Si estás contando con que /srv/status funcione por alguna razón, tu solución lo rompe. Así es como permitir que /srv/status se sirva sin auth_basic.

# autenticación básica
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "# auth_basic on"
       to: "auth_basic on"
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "# auth_basic_user_file /etc/nginx/htpasswd"
       to: "auth_basic_user_file /etc/nginx/htpasswd"
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "location = /srv/status {"
       to: "location = /srv/status {
           auth_basic off;"
    - file:
       path: "/etc/nginx/htpasswd"
       contents: |
        discourse:$apr1$y2JsCAxw$UuDgGdsoXNf.4Rl15Hp2b0

El ejemplo anterior es para el usuario “discourse” y la contraseña “password”; aunque es una mala práctica, solo nos aseguramos de obtener una contraseña que un rastreador no adivine.

También puedes generar una contraseña algo así:

htpasswd -cb password_file user password
cat password_file
2 Me gusta