diff --git a/Dockerfile b/Dockerfile
index fa605a9..0eb423a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,7 @@ COPY scripts/ /opt/scripts
 COPY misc/*.mmdb /etc/nginx/geoip.mmdb
 COPY fail2ban/ /opt/fail2ban
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
 	chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 	mkdir /opt/entrypoint.d && \
 	adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/README.md b/README.md
index ae72509..f5f1cb9 100644
--- a/README.md
+++ b/README.md
@@ -155,6 +155,31 @@ Values : *yes* | *no*
 Default value : *yes*
 If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.
+`USE_AUTH_BASIC`
+Values : *yes* | *no*
+Default value : *no*
+If set to yes, enables HTTP basic authentication at the location `AUTH_BASIC_LOCATION` with user `AUTH_BASIC_USER` and password `AUTH_BASIC_PASSWORD`.
+
+`AUTH_BASIC_LOCATION`
+Values : */* | */subdir/* | *\*
+Default value : */*
+The location to restrict when `USE_AUTH_BASIC` is set to *yes*. By default, all the website is restricted (*/*).
+
+`AUTH_BASIC_USER`
+Values : *\*
+Default value : *changeme*
+The username allowed to access `AUTH_BASIC_LOCATION` when `USE_AUTH_BASIC` is set to yes.
+
+`AUTH_BASIC_PASSWORD`
+Values : *\*
+Default value : *changeme*
+The password of `AUTH_BASIC_USER` when `USE_AUTH_BASIC` is set to yes.
+
+`AUTH_BASIC_TEXT`
+Values : *\*
+Default value : *Restricted area*
+The text displayed inside the login prompt when `USE_AUTH_BASIC` is set to yes.
+
 ## ModSecurity
 `USE_MODSECURITY`
 Values : *yes* | *no*
@@ -345,9 +370,8 @@ ENV WRITE_ACCESS yes
 ```
 # TODO
-- Default CSP
-- Custom Dockerfile based on bunkerized-nginx
-- Auth basic
+- Auth basic testing
+- Antibot with recaptcha v3
 - Documentation
 - Custom TLS certificates
 - HSTS preload, HPKP
diff --git a/confs/auth-basic.conf b/confs/auth-basic.conf
new file mode 100644
index 0000000..1e50479
--- /dev/null
+++ b/confs/auth-basic.conf
@@ -0,0 +1,4 @@
+location %AUTH_BASIC_LOCATION% {
+	auth_basic "%AUTH_BASIC_TEXT%";
+	auth_basic_user_file /etc/nginx/.htpasswd;
+}
diff --git a/confs/server.conf b/confs/server.conf
index 71ebffe..f2307c0 100644
--- a/confs/server.conf
+++ b/confs/server.conf
@@ -9,6 +9,7 @@ server {
 	{
 		return 405;
 	}
+	%AUTH_BASIC%
 	%USE_PHP%
 	%HEADER_SERVER%
 	%X_FRAME_OPTIONS%
diff --git a/entrypoint.sh b/entrypoint.sh
index 8f3adbc..f99a393 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -94,6 +94,11 @@ FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-10}"
 USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
 USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
+USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
+AUTH_BASIC_TEXT="{AUTH_BASIC_TEXT-Restricted area}"
+AUTH_BASIC_LOCATION="{AUTH_BASIC_LOCATION-/}"
+AUTH_BASIC_USER="{AUTH_BASIC_USER-changeme}"
+AUTH_BASIC_PASSWORD="{AUTH_BASIC_PASSWORD-changeme}"
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -311,6 +316,14 @@ if [ "$SERVE_FILES" = "yes" ] ; then
 else
 	replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
 fi
+if [ "$USE_AUTH_BASIC" = "yes" ] ; then
+	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
+	replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
+	replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
+	htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
+else
+	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
+fi
 # fail2ban setup
 if [ "$USE_FAIL2BAN" = "yes" ] ; then
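Review bot: The `auth_basic` and `auth_basic_user_file` directives are placed only inside the new `location %AUTH_BASIC_LOCATION%` block, and nginx serves each request from exactly one location, so any other location in server.conf that wins the match (a regex location beats the prefix `/`, and sibling locations do not inherit each other's directives) is served without a password. With the default location `/` this presumably means that if `%USE_PHP%` expands to its own `location ~ \.php$` block, PHP requests bypass the authentication entirely; worth confirming against what that placeholder generates. When the location is `/`, emitting `auth_basic "%AUTH_BASIC_TEXT%";` and `auth_basic_user_file /etc/nginx/.htpasswd;` at server scope instead, so every location inherits them, closes that gap. The two placeholders are also substituted verbatim, so a `"`, `;` or `}` in AUTH_BASIC_TEXT or AUTH_BASIC_LOCATION breaks or extends the generated config; the entrypoint should reject such characters before substituting.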
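Review bot: The four new `AUTH_BASIC_*` defaults are missing the `$` of the parameter expansion, so `AUTH_BASIC_USER="{AUTH_BASIC_USER-changeme}"` assigns the literal text `{AUTH_BASIC_USER-changeme}` and whatever the operator set in the environment is never read; the same holds for `AUTH_BASIC_TEXT`, `AUTH_BASIC_LOCATION` and `AUTH_BASIC_PASSWORD`, so the configured location and credentials are silently replaced by these literal strings (the `USE_AUTH_BASIC` line just above is written correctly). They should follow the surrounding lines, e.g. `AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"`. Separately, defaulting the password to `changeme` means enabling the feature without setting AUTH_BASIC_PASSWORD yields a guessable login; refusing to start, or at least logging a loud warning, when `USE_AUTH_BASIC=yes` and no password was supplied would be safer than a silent default.
```shell
USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
AUTH_BASIC_TEXT="${AUTH_BASIC_TEXT-Restricted area}"
AUTH_BASIC_LOCATION="${AUTH_BASIC_LOCATION-/}"
AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
```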
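Review bot: `htpasswd -b` passes the password as a command-line argument, so while it runs the secret is readable by any process in the container (or on the host) that can list `/proc`, and it ends up in any shell trace of the entrypoint; `htpasswd -i` reads it from stdin instead: `printf '%s' "$AUTH_BASIC_PASSWORD" | htpasswd -i -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER"`. The resulting `/etc/nginx/.htpasswd` is left with htpasswd's default mode; since nginx presumably reads it as the `nginx` user the Dockerfile creates, a `chown root:nginx` plus `chmod 640` would keep the hash file from other processes in the container. The two `replace_in_file` calls substitute `$AUTH_BASIC_TEXT` and `$AUTH_BASIC_LOCATION` into nginx configuration unescaped, so values containing `"`, `;` or `{` produce a broken or altered server block; validating them (rejecting quotes, semicolons and braces) before substitution avoids that. The trailing `;` on those two lines is harmless but inconsistent with the rest of the script.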