nginx/discourse.conf persistente?

Suporte Instalação
1

When I’m using the current default docker install of discourse, ./launcher enter app the container, /etc/nginx/conf.d/discourse.conf contains:

  location / {
    root $public;
    add_header ETag "";

    # auth_basic on;
    # auth_basic_user_file /etc/nginx/htpasswd;

    location ~* (assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico)$ {

I would like to enable auth_basic while working on my site, but I frequently end up doing ./launcher rebuild app as there’s inevitably something else to reconfigure or something to change.

Unfortunately, each time this wipes out my basic auth, making my completely private site public. (other people looking at the site are especially interested in how registration for new users will work… so basic auth seems to be the best solution).

I’ve noticed that most of the “customizing nginx” discussion on meta talks about setting up a completely separate nginx instance, which certainly seems like overkill here considering what I want is already in the file, just commented out.

So what’s the right procedure so that my basic auth will survive reboots? Do I make my own pups template in /templates, or use write it at the bottom of my /containers/app.yml in the final ## Any custom commands to run after building run: section?

1 curtida
2

Better choice can be to run your container behind an nginx reverse proxy to handle the auth_basic

3 curtidas
3

An alternative is to use pups directives in your app.yml to have the modifications you need applied during rebuild :slight_smile:

5 curtidas
4

@fefrei thank you for your suggestion and for reading clearly :smile:

5

If anyone else is looking to add auth_basic to their site during development, and make it persistent across ./launcher rebuild app just update your containers/app.yml with:

## Any custom commands to run after building
run:
  - exec: echo "Beginning of custom commands"
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: "# auth_basic on"
     to: "auth_basic on"
  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: "# auth_basic_user_file /etc/nginx/htpasswd"
     to: "auth_basic_user_file /etc/nginx/htpasswd"
  - file:
     path: "/etc/nginx/htpasswd"
     contents: |
      myuser:$apr1$pVrNvrxt$QvutzMrHfb2IYDNUOk54o0
     # use: `openssl passwd -apr1` to generate password hash

Of course update myuser to be the actual username you want and run openssl passwd -apr1 to generate a hash of your real password.

Or you could install a whole separate instance of nginx and create a reverse proxy just for this… Whichever is easier for you :wink:

9 curtidas
6

Obrigado, @ryanerwin! Isso foi uma grande ajuda. Se você está contando com /srv/status para funcionar por algum motivo, sua solução o quebra. Veja como permitir que /srv/status seja atendido sem auth_basic.

# autenticação básica
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "# auth_basic on"
       to: "auth_basic on"
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "# auth_basic_user_file /etc/nginx/htpasswd"
       to: "auth_basic_user_file /etc/nginx/htpasswd"
    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: "location = /srv/status {"
       to: "location = /srv/status {
           auth_basic off;"
    - file:
       path: "/etc/nginx/htpasswd"
       contents: |
        discourse:$apr1$y2JsCAxw$UuDgGdsoXNf.4Rl15Hp2b0

O exemplo acima é para o usuário “discourse” e a senha “password”, embora seja uma prática ruim, estamos apenas garantindo que tenhamos uma senha que um rastreador não adivinhe.

Você também pode gerar uma senha mais ou menos assim:

htpasswd -cb arquivo_senha usuario senha
cat arquivo_senha
2 curtidas