upmk docs


Auth

There are several mechanisms you can turn to for wrapping your upmk project behind some type of authentication. At a high level the two options are basic authentication, or authentication via an external service (including a dyna app running in the same container). For either route you'll need to bring your own nginx config. You can copy the existing config out of the dockerfiles project.

Basic Authentication

Add the following to the root location directive of your nginx config:

location / {
  auth_basic "Credentials Required";
  auth_basic_user_file .htpasswd;

  ...
}

The auth_basic directive declares that we are going to use basic authentication for this location. The auth_basic_user_file directive is the path to an htpasswd-generated user file.

In your server directive you can add an error page for 401 pages like so:

error_page 401 /401.html;

Also add another location (above the root location) specifically for the 401 page so that it can be viewed independently of the main static files app:

location = /401.html {
  root /usr/src/app/static;
  internal;
}

You'll need to create a 401 page, as UpMarkers doesn't build one by default.

nginx sub request auth

It's also possible to have nginx do a subrequest to verify whether the user is allowed to view the currently requested path. In the future we'll put some docs together on how to accomplish this via a dyna-um application (we haven't built one yet). In the meantime here is the basic overview.

Every request gets a subrequest made to an auth endpoint. If that endpoint returns a 200, the original request is fulfilled. If that endpoint returns a 401, you redirect to a sign-in form on the auth location (you'd need to handle the 401). Our current thinking is to just use htpasswd files with users and bcrypt password hashes to auth against. Consider how verdaccio auth verifies a given password against the hashed / encrypted password in an htpasswd file.

Add an auth_request to your root location:

location / {
  auth_request /auth;
  ...
}

Add an /auth location:

location = /auth {
    internal;
    proxy_pass              http://auth-server;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
    proxy_set_header        X-Original-URI $request_uri;
}

The current thinking is to make the /auth location point to the dyna-um app.

See the nginx docs for details.
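
Putting the pieces above together, as an added example that is not part of the upmk docs: one way to handle the 401 is to map it to a named location that redirects to the sign-in form. The upstream address, the /signin path and the next parameter are assumptions; nginx lets the request through on any 2xx from /auth, denies it on 401 or 403, and treats any other status as an error.

```nginx
# Added example. Values marked "assumed" do not come from the upmk docs.
upstream auth-server {
    server 127.0.0.1:3000;          # assumed address of the auth app
}

server {
    listen 80;

    # A 401 from the auth subrequest becomes a redirect to the sign-in form.
    error_page 401 = @signin;

    location / {
        auth_request /auth;         # subrequest runs before any file is served
        root /usr/src/app/static;   # static root as used in the 401 example above
    }

    # Only reachable from inside nginx; a client asking for /auth gets a 404.
    location = /auth {
        internal;
        proxy_pass              http://auth-server;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }

    # The sign-in form must be reachable without a session, otherwise the
    # redirect below loops. Path is assumed; the auth app serves it.
    location /signin {
        auth_request off;
        proxy_pass http://auth-server;
    }

    location @signin {
        # "next" (assumed name) tells the auth app where to send the user
        # after sign-in. The app should accept it only when it is a
        # same-site path, so the form cannot be used as an open redirect.
        return 302 /signin?next=$request_uri;
    }
}
```

Request headers, including Cookie and Authorization, are forwarded on the subrequest, so the auth app can decide from a session cookie or basic credentials without seeing the request body.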

creating htpasswd

htpasswd ships with apache2-utils. Rather than install it, here is a little form that will create an entry for you using bcrypt hashing:

form