Basic HTTP auth on nginx.

Originally from dols/chef-jenkins. Based on heavywater#21
atomic-penguin · Dec 2, 2012 · 5efbdb8 · 5efbdb8
1 parent 1e8d3ff
commit 5efbdb8
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -75,15 +75,15 @@ Attributes
 * jenkins['node']['ssh_private_key'] - jenkins master defaults to: `~/.ssh/id_rsa` (created by the default recipe)
 * jenkins['node']['jvm_options'] - SSH slave JVM options
 * jenkins['iptables_allow'] - if iptables is enabled, add a rule passing 'jenkins['server']['port']'
-* jenkins['nginx']['http_proxy']['variant'] - use `nginx` or `apache2` to proxy traffic to jenkins backend (`nil` by default)
+* jenkins['http_proxy']['variant'] - use `nginx` or `apache2` to proxy traffic to jenkins backend (`nil` by default)
 * jenkins['http_proxy']['www_redirect'] - add a redirect rule for 'www.*' URL requests ("disable" by default)
 * jenkins['http_proxy']['listen_ports'] - list of HTTP ports for the HTTP proxy to listen on ([80] by default)
 * jenkins['http_proxy']['host_name'] - primary vhost name for the HTTP proxy to respond to (`node['fqdn']` by default)
 * jenkins['http_proxy']['host_aliases'] - optional list of other host aliases to respond to (empty by default)
 * jenkins['http_proxy']['client_max_body_size'] - max client upload size ("1024m" by default, nginx only)
-* jenkins['http_proxy']['basic_auth'] - boolean, whether basic auth gets enabled in proxy_apache2 or not. (default true)
-* jenkins['http_proxy']['basic_auth_username'] - used in the proxy_apache2 recipe, (default jenkins)
-* jenkins['http_proxy']['basic_auth_password'] - used in the proxy_apache2 recipe, (defualt jenkins)
+* jenkins['http_proxy']['basic_auth'] - boolean, whether basic auth gets enabled in proxy_apache2/proxy_nginx or not. (default true)
+* jenkins['http_proxy']['basic_auth_username'] - used in the proxy_apache2/proxy_nginx recipe, (default jenkins)
+* jenkins['http_proxy']['basic_auth_password'] - used in the proxy_apache2/proxy_nginx recipe, (defualt jenkins)
 
 Usage
 =====

diff --git a/recipes/proxy_nginx.rb b/recipes/proxy_nginx.rb
@@ -19,7 +19,7 @@
 # limitations under the License.
 #
 
-include_recipe "nginx::source"
+include_recipe "nginx"
 
 if node['jenkins']['http_proxy']['www_redirect'] == "enable"
   www_redirect = true
@@ -29,6 +29,15 @@
 
 host_name = node['jenkins']['http_proxy']['host_name'] || node['fqdn']
 
+template "#{node['nginx']['dir']}/htpasswd" do
+  variables( :username => node['jenkins']['http_proxy']['basic_auth_username'],
+             :password => node['jenkins']['http_proxy']['basic_auth_password'])
+  owner node['nginx']['user']
+  group node['nginx']['group']
+  mode 0600
+  only_if { node['jenkins']['http_proxy']['basic_auth'] }
+end
+
 template "#{node['nginx']['dir']}/sites-available/jenkins.conf" do
   source      "nginx_jenkins.conf.erb"
   owner       'root'
@@ -43,7 +52,7 @@
   )
 
   if File.exists?("#{node['nginx']['dir']}/sites-enabled/jenkins.conf")
-    notifies  :restart, 'service[nginx]'
+    notifies  :reload, 'service[nginx]', :immediately
   end
 end
 

diff --git a/templates/default/nginx_jenkins.conf.erb b/templates/default/nginx_jenkins.conf.erb
@@ -26,6 +26,10 @@ server {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
+    <% if node['jenkins']['http_proxy']['basic_auth'] -%>
+    auth_basic            "Restricted";
+    auth_basic_user_file  <%= File.join(node['nginx']['dir'], 'htpasswd') %>;
+    <% end -%>
   }
 
   error_log         <%= node['nginx']['log_dir'] %>/jenkins-error.log;