Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx: allow basic auth passwords to be specified in a file #38539

Merged
merged 1 commit into from Apr 25, 2018
Merged

nginx: allow basic auth passwords to be specified in a file #38539

merged 1 commit into from Apr 25, 2018

Conversation

lopsided98
Copy link
Contributor

Motivation for this change

Currently, basic auth passwords must be stored in plain text in the Nix store, which is insecure.

Things done

Adds an option to specify a htpasswd file for basic auth, which may be stored outside of the Nix store. Ideally, we would remove the ability to specify plain text basic auth passwords, and only allow hashed passwords or an external htpasswd, but this PR fixes the biggest issue. This will also check one of the boxes in #24288.

cc @globin

  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

infinisil
infinisil requested changes Apr 8, 2018
View reviewed changes
nixos/modules/services/web-servers/nginx/default.nix Outdated
${optionalString (vhost.basicAuth != {}) (mkBasicAuth vhostName vhost.basicAuth)}
${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) ''
auth_basic secured;
auth_basic_user_file ${if vhost.basicAuthFile != null then vhost.basicAuthFile else (mkHtpasswd vhostName vhost.basicAuth)};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parentheses aren't needed here.

@matthewbauer
Copy link
Member

@infinisil

Are the revised changes okay to merge?

infinisil
infinisil approved these changes Apr 19, 2018
View reviewed changes
Copy link
Member

@infinisil infinisil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@globin globin merged commit 4d40adb into NixOS:master Apr 25, 2018
@lopsided98 lopsided98 deleted the nginx-basic-auth-file branch May 26, 2018 04:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@infinisil infinisil infinisil approved these changes

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@lopsided98 @matthewbauer @infinisil @globin @GrahamcOfBorg