New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nginx: support basic auth in location blocks #101192
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usually I'm a pretty big grump for passwords in the nix store, but if you're doing basic auth you probably aren't using it for real protection anyways... and I'm certainly guilty of having passwords in httpd
configs under /etc
that are world readable (on Debian, at least).
I guess I should whip something together for the httpd
module so I can stay keeping up with the Joneses...
default = null; | ||
description = '' | ||
Basic Auth password file for a vhost. | ||
Can be created via: <command>htpasswd -c <filename> <username></command> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it should be mentioned that the hashes htpasswd produces by default and all the hashes nginx actually understands aren't really considered good for storing passwords anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly so, what would you like the wording to be? Note: these options and their text mirror the vhost-options.nix content.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right. I mean, in an ideal world I would like this to say "use htpasswd -B
to create bcrypt hashed passwords", but nginx doesn't support those.
So maybe just something along the lines of: "Warning: The generate file contains the users' passwords in a non-cryptographically-securely hashed way"
nixos/tests/all-tests.nix
Outdated
@@ -243,6 +243,7 @@ in | |||
nfs4 = handleTest ./nfs { version = 4; }; | |||
nghttpx = handleTest ./nghttpx.nix {}; | |||
nginx = handleTest ./nginx.nix {}; | |||
nginx-auth= handleTest ./nginx-auth.nix {}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
missing space
description = '' | ||
Basic Auth password file for a vhost. | ||
Can be created via: <command>htpasswd -c <filename> <username></command> | ||
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
''; | |
WARNING: The generate file contains the users' passwords in a non-cryptographically-securely hashed way | |
''; |
82774da
to
3361a03
Compare
I added that warning and squashed the fixup. Thanks! I'll merge once the PR is green. |
Motivation for this change
Extend the nginx support for basic auth to the location blocks.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)