Basic Auth on Nginx server on Elastic Beanstalk - nginx

I am trying to set up basic auth on my elastic beanstalk instance running nodejs, however, I cannot seem to get this working. I have followed this guide Nginx Server on Amazon EC2, but http traffic is still getting through the nginx instance. I think it's because the nginx server on the ec2 instance is not the one I need to be altering the virtual.conf file for. I think the nginx server is on another instance entirely, but I can't seem to find it. I think this because when I ping the Domain name for my site its IP is that of the nginx server and not my Elastic IP. Any ideas on how to configure nginx to restrict http and https traffic to my site on Elastic beanstalk?

Although this isn't a direct answer to your question, I had a lot of trouble finding resources for HTTP Basic Authentication for AWS.
I ended up switching from Nginx to Apache and used this configuration in PROJECT_ROOT/.ebextensions/apache.conf:
files:
  "/etc/httpd/conf.d/allow_override.conf":
    mode: "000644"
    owner: ec2-user
    group: ec2-user
    encoding: plain
    content: |
      <Directory /var/app/current/>
        AllowOverride AuthConfig
      </Directory>
  "/etc/httpd/conf.d/auth.conf":
    mode: "000644"
    owner: ec2-user
    group: ec2-user
    encoding: plain
    content: |
      <Directory /var/app/current/>
        AuthType Basic
        AuthName "Myproject Prototype"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
      </Directory>
  "/etc/httpd/.htpasswd":
    mode: "000644"
    owner: ec2-user
    group: ec2-user
    encoding: plain
    content: |
      myusername:mypassword-generated-by-htpasswd
Note, this is not ideal as you end up having password protection in the source code of the repo... But, I couldn't find a better way documented anywhere. I'm currently exploring baking the HTTP Auth into the ec2 instance, saving the instance as an AMI, and using that AMI for the instances that are auto-generated in my beanstalk.
Don't even get me started on HTTP Auth in front of s3 buckets, which is not supported by AWS and requires you point your DNS at a third-party service!

The key factor in managing Elastic Beanstalk's nginx basic auth is to recognize that the conf file is managed by Beanstalk, so when you modify it, you need to edit the file in /tmp/deployment/config. All the files in there will be copied to their destination, and the destination is calculated by replacing each # character in the filename with /. And since the /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf file is not created at the commands step, you need to modify it at the container_commands step.
For me, the following worked.
files:
  /etc/nginx/.htpasswd:
    mode: "000755"
    owner: root
    group: root
    # the content of htpasswd.
    # Obtain it by `htpasswd -nb USER PASSWORD`
    content: "USER_NAME:HASHED_PASS"
container_commands:
  add-basic:
    command: |
      set -ex
      EB_CONFIG_STAGING_DIR=$(/opt/elasticbeanstalk/bin/get-config container -k config_staging_dir)
      file_name="${EB_CONFIG_STAGING_DIR}/$(echo /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf | sed -e 's|/|#|g')"
      # Append the auth directives to the first line matching "location /";
      # the loop then passes the rest of the file through unchanged.
      sed -i -e '
        /location \// {
          s|$|\nauth_basic "Restricted Area";\nauth_basic_user_file /etc/nginx/.htpasswd;|
          :loop
          n
          b loop
        }' "$file_name"
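The staging-name mapping and the insert from the answer above, as an added example that is not part of the original answer and runs offline. The staging directory is passed in as an argument (on an instance it comes from get-config, as shown above), the proxy config is a constructed sample, and the match is narrower than the answer's sed: only the exact `location / {` line is touched, a second run changes nothing, and a file without that block makes the function fail.

```shell
# Map a destination path to its staging file name: every "/" becomes "#".
staging_name() {    # $1 = staging dir, $2 = destination path
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | sed 's|/|#|g')"
}

# Insert auth_basic after the first "location / {" line. Returns 1 if none is found.
add_basic_auth() {  # $1 = staged proxy conf
    grep -q 'auth_basic_user_file' "$1" && return 0   # already protected
    tmp=$(mktemp) || return 1
    awk '
        !done && /location[ \t]+\/[ \t]*[{]/ {
            print
            print "        auth_basic \"Restricted Area\";"
            print "        auth_basic_user_file /etc/nginx/.htpasswd;"
            done = 1; next
        }
        { print }
    ' "$1" > "$tmp"
    if grep -q 'auth_basic_user_file' "$tmp"; then
        cat "$tmp" > "$1"; rc=0
    else
        rc=1    # no "location /" block: leave the file untouched and fail
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample standing in for the generated proxy config.
write_sample_conf() {   # $1 = file to create
    cat > "$1" <<'EOF'
server {
    listen 8080;
    location / {
        proxy_pass http://127.0.0.1:8081;
    }
    location /static { alias /var/app/current/static; }
}
EOF
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
staged=$(staging_name "$demo_dir" /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf)
write_sample_conf "$staged"
add_basic_auth "$staged" && add_basic_auth "$staged"   # second call is a no-op
cat "$staged"
rm -rf "$demo_dir"
```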

Related

NGINX Remote Editing of Configurations

I'm currently running a number of servers, each running NGINX used as reverse proxies to other websites. However, if I need to change a backend IP address or change other variables within NGINX, I need to manually SSH into the server and change the configurations OR log onto NGINX Proxy Manager.
What I'm looking to do is create a central website that will enable me to edit NGINX variables such as 'proxy_pass' and send the updated value to the selected remote server, updating the NGINX config and reloading the service.
Is there any current way to do this and how could I implement that? What comes to mind is some kind of CURL request to the remote server, and then I'm not sure how I'd automatically rewrite the correct portion of NGINX config etc.
Any help would be appreciated!
If you have root access on those servers, all you need is a service or a script that will fill the new values. The simplest way I see fit is to do it with a bash script and a template for the config file.
Template config file: /home/user/nginx_config/nginx.config.sample:
-- your generic config settings
proxy_pass
location /your/location {
    proxy_pass {{proxy_pass}};
}
-- rest of standard file
The bash script for filling the template: /home/user/nginx_config/generator.sh
#!/bin/bash
new_ip=$1
template_path="/home/user/nginx_config/nginx.config.sample"
config_path="/etc/nginx/nginx.conf"
# Refuse to run without the new address.
if [[ -z "$new_ip" ]]; then
    echo "Missing IP param"
    exit 1
fi
# Keep a backup of the live config, then render the template over it.
cp "$config_path" "${config_path}.bak"
sed "s/{{proxy_pass}}/$new_ip/g" "$template_path" > "$config_path"
echo "Done! Updated $config_path file to $new_ip:"
cat "$config_path"
Then, all you need to do is to make a local script to connect using ssh and run the generator script (with 1.2.3.4 as your new IP address)
sshpass -p password ssh -oStrictHostKeyChecking=no -oCheckHostIP=no user@your_server "bash /home/user/nginx_config/generator.sh 1.2.3.4"
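The generator above passes its argument straight into the sed replacement, so anything in it (a `/`, `&`, `;` or a newline) ends up in the sed expression or in the live config. The following is an added example, not part of the original answer, that fills the same `{{proxy_pass}}` placeholder only after the value has been checked to be an IPv4 address with an optional port; the function names and the sample template are assumptions made for the example.

```shell
# Strict IPv4 with an optional port; no leading zeros.
UPSTREAM_RE='((0|[1-9][0-9]{0,2})\.){3}(0|[1-9][0-9]{0,2})(:[1-9][0-9]{0,4})?'

valid_upstream() {   # $1 = candidate, e.g. 1.2.3.4 or 1.2.3.4:8080
    case $1 in
        ''|*[!0-9.:]*) return 1 ;;   # rejects /, &, ;, spaces, newlines, ...
    esac
    printf '%s\n' "$1" | grep -Eqx "$UPSTREAM_RE" || return 1
    addr=${1%%:*}
    port=${1#"$addr"}; port=${port#:}
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ -z "$port" ] || [ "$port" -le 65535 ]
}

render_config() {    # $1 = template, $2 = output file, $3 = new upstream
    if ! valid_upstream "$3"; then
        echo "refusing to render: upstream is not IPv4[:port]" >&2
        return 1
    fi
    # Only digits, dots and a colon remain, none of which is special to sed.
    sed "s|{{proxy_pass}}|$3|g" "$1" > "$2"
}

# Demo on a constructed template in a throwaway directory.
work=$(mktemp -d)
cat > "$work/nginx.config.sample" <<'EOF'
location /your/location {
    proxy_pass http://{{proxy_pass}};
}
EOF
render_config "$work/nginx.config.sample" "$work/nginx.conf" 1.2.3.4:8080 &&
    cat "$work/nginx.conf"
render_config "$work/nginx.config.sample" "$work/rejected.conf" '1.2.3.4/g' ||
    echo "rejected, no file written"
rm -rf "$work"
```

On the server, render to a scratch path and run `nginx -t -c` against it before copying it over the live config, so a bad render never replaces a working file.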

Tyk gateway with Nginx and Apache Tomcat 8 (ubuntu 14.04)

Just wondering what I am missing here when trying to create an API with Tyk Dashboard.
My setup is:
Nginx > Apache Tomcat 8 > Java Web Application > (database)
Nginx is already working, redirecting calls to apache tomcat at default port 8080.
Example: tomcat.myserver.com/webapp/get/1
200-OK
I have setup tyk-dashboard and tyk-gateway previously as follows using a custom node port 8011:
Tyk dashboard:
$ sudo /opt/tyk-dashboard/install/setup.sh --listenport=3000 --redishost=localhost --redisport=6379 --mongo=mongodb://127.0.0.1/tyk_analytics --tyk_api_hostname=$HOSTNAME --tyk_node_hostname=http://127.0.0.1 --tyk_node_port=8011 --portal_root=/portal --domain="dashboard.tyk-local.com"
Tyk gateway:
/opt/tyk-gateway/install/setup.sh --dashboard=1 --listenport=8011 --redishost=127.0.0.1 --redisport=6379 --domain=""
/etc/hosts already configured (not really needed):
127.0.0.1 dashboard.tyk-local.com
127.0.0.1 portal.tyk-local.com
Tyk Dashboard configurations (nothing special here):
API name: foo
Listen path: /foo
API slug: foo
Target URL: tomcat.myserver.com/webapp/
What URI am I supposed to call? Is there any setup I need to add in Nginx?
myserver.com/foo 502 nginx
myserver.com:8011/foo does not respond
foo.myserver.com 502 nginx
(everything is running under the same server)
SOLVED:
Tyk Gateway configuration was incorrect.
Needed to add --mongo and remove --domain directives at setup.sh:
/opt/tyk-gateway/install/setup.sh --dashboard=1 --listenport=8011 --redishost=localhost --redisport=6379 --mongo=mongodb://127.0.0.1/tyk_analytics
So, calling curl -H "Authorization: null" 127.0.0.1:8011/foo
I get:
{
    "error": "Key not authorised"
}
I am not sure about the /foo path. I think that was previously what the /hello path is. But it appears there is a key not authorized issue. If the call is made using the Gateway API, then the secret value may be missing. It is required when making calls to the gateway (except the hello and reload paths)
x-tyk-authorization: <your-secret>
However, since there is a dashboard present, then I would suggest using the Dashboard APIs to create the API definition instead.

Protect plesk gui 11.5.30 with a "basic auth" box?

Is it possible to protect plesk panel 11.5.30 GUI with a basic auth protection?
11.5.30 uses nginx as its internal web server. I found this file:
/etc/nginx/plesk.conf.d/server.conf
but it's not allowed to edit:
ATTENTION!
DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
Does anyone here have a simple example of adding basic auth to the Plesk GUI?
This is the correct way (originally posted by SergeyUgdyzhekov)
# Create /etc/sw-cp-server/conf.d/protect-plesk.inc with content:
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/sw-cp-server/conf.d/passwd;
}
# Generate passwd file
htpasswd -c /etc/sw-cp-server/conf.d/passwd admin
# Set correct permissions:
chown sw-cp-server:psaadm /etc/sw-cp-server/conf.d/passwd
chmod 640 /etc/sw-cp-server/conf.d/passwd
# Restart panel web server
/etc/init.d/sw-cp-server restart
The Plesk panel server's config is stored in /etc/sw-cp-server/conf.d/plesk.conf
The config /etc/nginx/plesk.conf.d/server.conf is the config of the public web server on port 80.

After deploying my rails 3 app on ec2, it doesn't render my app

I am using capistrano, nginx and passenger to deploy my rails 3 app from github on ec2.
This is my deploy.rb file:
set :application, "my-Blog"
set :repository, "https://github.com/whatever/my-Blog.git"
set :scm, :git
role :app, "ec2 DNS"
role :web, "eec2 DNS"
role :db, "ec2 DNS", :primary => true
set :user, 'ec2-user'
set :deploy_to, "/home/ec2-user/apps/Blog"
set :use_sudo, false
default_run_options[:pty] = true
set :deploy_via, :remote_cache
ssh_options[:keys] = ["#{ENV['HOME']}/.ssh/my-key.pem"]
set :keep_releases, 3
namespace :deploy do
  task :start do ; end
  task :stop do ; end
  task :restart, :roles => :app, :except => { :no_release => true } do
  end
end
And when I run the deploy command, everything is fine and my app is on my ec2 under current directory, which means that the capistrano could get my source code from my github.
On my ec2 instance, I have everything set up: ruby, rvm, mysql, rails, nginx, passenger.
But when I go to my ec2 DNS, it doesn't show my app!
Do you have any suggestion what can be wrong? This is my first deploy though!
Thanks for your answer! I expect to see my application! In aws console, I have: 22 (SSH) and 80 (HTTP), which I guess means that port 80 is open. I think there should be something wrong with my nginx configuration file, this is what I have in this file:
user nginx;
server {
    listen 80;
    server_name ec2-54-242-228-182.compute-1.amazonaws.com;
    # root /home/ec2-user/apps/Blog/current/public;
    # passenger_enabled on;
}
}
When I comment the root directory, then on the public DNS URL it says "Welcome to nginx on the Amazon Linux AMI! You should now put your content in a location of your choice and edit the root configuration directive in the nginx configuration file /etc/nginx/nginx.conf."
And when I uncomment the root directory, then it gives me a 403 error!
The log file says: "current/public/index.html" is forbidden (13: Permission denied)
The answer depends on what you mean by not showing up. If you're getting a default web page, then your webserver might be trying to resolve a name-based virtual host. In that case, try adding the public IP address of your EC2 instance to your local hosts file.
123.456.789.012 domain-nginx-expects.com
If you are getting no response at all from the server, check the processlist and make sure nginx and passenger are running. Also check your EC2 security group for that instance to make sure that port 80 is open. You can also try telnetting to port 80 while logged into your server:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /
Check the port that is in your nginx config whether it's open on your AWS panel.
Check that you can connect to the port using telnet
Check whether you have nginx, passenger running on the server
$ ps -el | grep nginx
Check the nginx access and error logs whether you can see your own activity trying to hit the service.

How do I add new site/server_name in nginx?

I'm just starting to explore nginx on my ubuntu 10.04. I installed nginx and I'm able to get the "Welcome to Nginx" page on localhost. However I'm not able to add a new server_name.
Even when I make the changes in sites-available/default. I also tried reloading/restarting nginx, but nothing works.
To build on mark's answer, the Debian/Ubuntu distros' default configuration file has an include /etc/nginx/sites-enabled/*; directive, with site configuration files stored in /etc/nginx/sites-available/; a default site is usually included in that dir.
For examples beyond the default config, follow nginx beginner's guide or see wiki.nginx.org for more details.
After creating a new configuration in sites-available, create a symbolic link with this command, assuming that your conf file is named "myapp" and nginx is at /etc/nginx (could also be at /usr/local/etc/nginx):
ln -s /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/myapp
By the way, you could always create your conf file directly in sites-enabled but the recommended way above allows you to "enable and disable" sites on the server very quickly without actually moving/deleting your conf files.
P.S: Don't trust the tutorials: check your configuration!
P.P.S: You can use the command nginx -t to test your sites conf and nginx -s reload to reload the conf.
The usual way to add another site in Nginx in Ubuntu is to copy the sites-available/default file to sites-available/new-site-name, then create a symbolic link in sites-enabled to sites-available/new-site-name.
In the new configuration file, you need to edit the listen and server directives. Use listen to specify the IP address and port, and the server directive to specify the hostnames. For more details, see HttpCoremodule.
