Commit f3721a50 authored by bunkerity's avatar bunkerity
Browse files

sitewide auth basic

parent b56e4e76
......@@ -10,8 +10,9 @@ Non-exhaustive list of features :
- Integrated ModSecurity WAF with the OWASP Core Rule Set
- Automatic ban of strange behaviors with fail2ban
- Block TOR users, bad user-agents, countries, ...
- Perform automatic DNSBL checks
- Detect bad files with ClamAV
- Based on alpine and compiled from source
- Based on alpine
- Easy to configure with environment variables
# Table of contents
......@@ -291,6 +292,26 @@ Values : *yes* | *no*
Default value : *no*
Is set to yes, will block TOR clients.
`USE_DNSBL`
Values : *yes* | *no*
Default value : *yes*
If set to yes, DNSBL checks will be performed to the servers specified in the `DNSBL_LIST` environment variable.
`DNSBL_LIST`
Values : *\<list of DNS zones separated with spaces\>*
Default value : *bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org*
The list of DNSBL zones to query when `USE_DNSBL` is set to *yes*.
`DNSBL_RESOLVERS`
Values : *\<two IP addresses separated with a space\>*
Default value : *8.8.8.8 8.8.4.4*
The IP addresses of the DNS resolvers to use when `USE_DNSBL` is set to *yes*.
`DNSBL_CACHE`
Values : *\< \>*
Default value : *10m*
The size of the cache used to keep DNSBL responses.
## PHP
`REMOTE_PHP`
Values : *\<any valid IP/hostname\>*
......
auth_basic "%AUTH_BASIC_TEXT%";
auth_basic_user_file /etc/nginx/.htpasswd;
......@@ -113,7 +113,7 @@ USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-/}"
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-sitewide}"
AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
......@@ -370,9 +370,14 @@ else
replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
fi
if [ "$USE_AUTH_BASIC" = "yes" ] ; then
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
if [ "$AUTH_BASIC_LOCATION" = "sitewide" ] ; then
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic-sitewide.conf;"
replace_in_file "/etc/nginx/auth-basic-sitewide.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
else
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
fi
htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
else
replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment