http basic auth

Dockerfile

@@ -11,7 +11,7 @@ COPY scripts/ /opt/scripts
 COPY misc/*.mmdb /etc/nginx/geoip.mmdb
 COPY fail2ban/ /opt/fail2ban
 
-RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils && \
     chmod +x /opt/entrypoint.sh /opt/scripts/* && \
     mkdir /opt/entrypoint.d && \
     adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx

README.md

@@ -155,6 +155,31 @@ Values : *yes* | *no*
 Default value : *yes*  
 If set to yes, nginx will use HTTP2 protocol when HTTPS is enabled.
 
+`USE_AUTH_BASIC`  
+Values : *yes* | *no*  
+Default value : *no*  
+If set to yes, enables HTTP basic authentication at the location `AUTH_BASIC_LOCATION` with user `AUTH_BASIC_USER` and password `AUTH_BASIC_PASSWORD`.
+
+`AUTH_BASIC_LOCATION`  
+Values : */* | */subdir/* | *\<any valid location\>*  
+Default value : */*  
+The location to restrict when `USE_AUTH_BASIC` is set to *yes*. By default, all the website is restricted (*/*).
+
+`AUTH_BASIC_USER`  
+Values : *\<any valid username\>*  
+Default value : *changeme*  
+The username allowed to access `AUTH_BASIC_LOCATION` when `USE_AUTH_BASIC` is set to yes.
+
+`AUTH_BASIC_PASSWORD`  
+Values : *\<any valid password\>*  
+Default value : *changeme*  
+The password of `AUTH_BASIC_USER` when `USE_AUTH_BASIC` is set to yes.
+
+`AUTH_BASIC_TEXT`  
+Values : *\<any valid text\>*  
+Default value : *Restricted area*  
+The text displayed inside the login prompt when `USE_AUTH_BASIC` is set to yes.
+
 ## ModSecurity
 `USE_MODSECURITY`  
 Values : *yes* | *no*  
@@ -345,9 +370,8 @@ ENV WRITE_ACCESS yes
 ```
 
 # TODO
-- Default CSP
+- Auth basic testing
-- Custom Dockerfile based on bunkerized-nginx
+- Antibot with recaptcha v3
-- Auth basic
 - Documentation
 - Custom TLS certificates
 - HSTS preload, HPKP

confs/auth-basic.conf

@@ -0,0 +1,4 @@
+location %AUTH_BASIC_LOCATION% {
+    auth_basic           "%AUTH_BASIC_TEXT%";
+    auth_basic_user_file /etc/nginx/.htpasswd; 
+}

confs/server.conf

@@ -9,6 +9,7 @@ server {
 	{
 		return 405;
 	}
+	%AUTH_BASIC%
 	%USE_PHP%
 	%HEADER_SERVER%
 	%X_FRAME_OPTIONS%

entrypoint.sh

@@ -94,6 +94,11 @@ FAIL2BAN_MAXRETRY="${FAIL2BAN_MAXRETRY-10}"
 USE_CLAMAV_UPLOAD="${USE_CLAMAV_UPLOAD-yes}"
 USE_CLAMAV_SCAN="${USE_CLAMAV_SCAN-yes}"
 CLAMAV_SCAN_REMOVE="${CLAMAV_SCAN_REMOVE-yes}"
+USE_AUTH_BASIC="${USE_AUTH_BASIC-no}"
+AUTH_BASIC_TEXT="{AUTH_BASIC_TEXT-Restricted area}"
+AUTH_BASIC_LOCATION="{AUTH_BASIC_LOCATION-/}"
+AUTH_BASIC_USER="{AUTH_BASIC_USER-changeme}"
+AUTH_BASIC_PASSWORD="{AUTH_BASIC_PASSWORD-changeme}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -311,6 +316,14 @@ if [ "$SERVE_FILES" = "yes" ] ; then
 else
         replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
 fi
+if [ "$USE_AUTH_BASIC" = "yes" ] ; then
+	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" "include /etc/nginx/auth-basic.conf;"
+	replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_TEXT%" "$AUTH_BASIC_TEXT";
+	replace_in_file "/etc/nginx/auth-basic.conf" "%AUTH_BASIC_LOCATION%" "$AUTH_BASIC_LOCATION";
+	htpasswd -b -B -c /etc/nginx/.htpasswd "$AUTH_BASIC_USER" "$AUTH_BASIC_PASSWORD"
+else
+	replace_in_file "/etc/nginx/server.conf" "%AUTH_BASIC%" ""
+fi
 
 # fail2ban setup
 if [ "$USE_FAIL2BAN" = "yes" ] ; then