Password Protection AWS Node EB Application

I have a Node Elastic Beanstalk app and it works (although ELB). Now this is just an AWS Node application on the server. Since this is a development server, before I can push my actual code to the server, I need to password protect all of this (this needs to be used to check clients, etc.).

I have a lot of problems trying to figure out how to do this. It seems that the application code has ended up in /var/app/, and in /var/www/html/ (no hidden files either) there is nothing where I usually set up the htaccess file. It uses an nginx proxy, which I have never used, and I'm not quite sure how the files will be served.

What is the best way to block this server? Security groups? Htaccess? Something else?

+6
source share
3 answers

Security groups will only block based on the source IP address, and htaccess is not supported by nginx. Instead, they support this configuration:

    server {
        ...
        auth_basic           "closed website";
        auth_basic_user_file conf/htpasswd;
    }

But for this you will need to use elastic beanstalk .ebextensions to change the default nginx configuration. It's not easy.

The fastest way for you is probably to support HTTP authentication in the node application itself. There are many guides about this, but here is one: http://www.sitepoint.com/http-authentication-in-node-js/

+2
source

In your Node.js Beanstalk application, your instances will have their own /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf file as follows:

    server {
        listen 8080;

        location / {
            proxy_pass          http://nodejs;
            proxy_set_header    Connection "";
            proxy_http_version  1.1;
            proxy_set_header    Host            $host;
            proxy_set_header    X-Real-IP       $remote_addr;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        gzip on;
    }

What you need is to configure it as follows:

    server {
        listen 8080;

        location / {
            proxy_pass          http://nodejs;
            proxy_set_header    Connection "";
            proxy_http_version  1.1;
            proxy_set_header    Host            $host;
            proxy_set_header    X-Real-IP       $remote_addr;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }

        gzip on;
    }

With a separate password file in /etc/nginx/.htpasswd that contains your credentials.

STEP 1: Go to your local Linux environment and enter

    sudo htpasswd -c .htpasswd someusernameofyourchoice

Go to this .htpasswd file and pull out the username and password string that you created. It will look something like this:

    someusernameofyourchoice:$apr1$.1EAU7DD$rt9jdihy1U.cFuBzJTMed.

STEP 2:

Now in the root directory of your node application (where your .git/ directory is located) create a hidden directory called .ebextensions/

Go to the .ebextensions/ directory, since you will need to make 2 files.

STEP 3:

The first file will be the configuration file that will generate your .htpasswd file in your beanstalk application. Put the username and password that you created earlier in this file and name it like this:

00_nginx_htpasswd.config

    files:
      "/etc/nginx/.htpasswd":
        # Readable by the nginx worker; a password file does not need the execute bit
        mode: "000644"
        owner: root
        group: root
        content: |
          someusernameofyourchoice:$apr1$.1EAU7DD$rt9jdihy1U.cFuBzJTMed.

STEP 4:

The second file you create in your .ebextensions/ directory will update the 00_elastic_beanstalk_proxy.conf file on your elastic beanstalk environment. The name is as follows:

01_nginx_auth.config

    files:
      /tmp/deployment/nginx_auth.sh:
        mode: "000755"
        content: |
          #!/bin/bash
          # Append the auth_basic directives after the X-Forwarded-For header line
          sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n auth_basic "Restricted";\n auth_basic_user_file \/etc\/nginx\/.htpasswd;\n/' /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf

    container_commands:
      nginx_auth:
        command: "/tmp/deployment/nginx_auth.sh"

NOTE: If you want password protection to be in a specific environment, such as a development environment, you can pass an environment variable to your environment (in the configuration panel > Software configurations in the beanstalk toolbar), and then you can add a condition to this file's command, which checks this environment variable before running it. In this way, you can password protect your development environment while leaving the production environment free for public access. Since you put everything in git to push it to your beanstalk environment, this is very convenient. The following is a modified file with these additions:

01_nginx_auth.config

    files:
      /tmp/deployment/nginx_auth.sh:
        mode: "000755"
        content: |
          #!/bin/bash
          # Only add the auth_basic directives when NODE_ENV is "development"
          if [ "$NODE_ENV" = "development" ]; then
            sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n auth_basic "Restricted";\n auth_basic_user_file \/etc\/nginx\/.htpasswd;\n/' /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf
          fi

    container_commands:
      nginx_auth:
        command: "/tmp/deployment/nginx_auth.sh"

STEP 5:

Once you have both of these files created in your .ebextensions/ directory, copy them and push to your elastic beanstalk. You will now be prompted to enter the username and password combination generated in step 1.

+15
source

If you use Express.js, you can add lightweight middleware using the basic-auth package. In my case, all I needed was a single username and password to block the site from the public. This was the easiest solution for this scenario when using the Node.js server on an elastic beanstalk.

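    var auth = require('basic-auth');

    // `app` is your existing Express application.
    app.use(function(req, res, next) {
        // Parse the Authorization header; undefined if it is missing or malformed
        var credentials = auth(req);

        if (!credentials || credentials.name !== 'buster' || credentials.pass !== 'getinfree') {
            // Missing or wrong credentials: make the browser prompt for them
            res.statusCode = 401;
            res.setHeader('WWW-Authenticate', 'Basic realm="example"');
            res.end('Access denied.');
        } else {
            next();
        }
    });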

Please note that this solution requires adding code to your Node application, and not directly interfering with nginx.

0
source
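
A hardened variant of the middleware approach above, as an added example that is not part of the original answers: it reads the credentials from environment variables instead of source code, compares them in constant time, and only prompts when NODE_ENV is "development", following the note in the nginx answer. BASIC_AUTH_USER, BASIC_AUTH_PASS and basicAuthGate are assumed names; only Node built-ins are used, so the basic-auth package is not required.

```javascript
const crypto = require('crypto');

// Constant-time string comparison: hash both sides to equal-length digests
// first, so neither the length nor a matching prefix leaks through timing.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Parse "Authorization: Basic base64(user:pass)"; returns null if malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)\s*$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');            // the password may contain ':'
  if (i < 0) return null;
  return { name: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Build the middleware from an environment object (process.env in real use).
// BASIC_AUTH_USER / BASIC_AUTH_PASS are assumed variable names.
function basicAuthGate(env) {
  if (env.NODE_ENV !== 'development') {
    return (req, res, next) => next();       // public environment: no prompt
  }
  const user = env.BASIC_AUTH_USER;
  const pass = env.BASIC_AUTH_PASS;
  if (!user || !pass) {
    // Refuse to start a protected environment without credentials.
    throw new Error('BASIC_AUTH_USER and BASIC_AUTH_PASS must be set');
  }
  return (req, res, next) => {
    const c = parseBasic(req.headers.authorization);
    // Evaluate both comparisons before combining them.
    const okUser = c !== null && safeEqual(c.name, user);
    const okPass = c !== null && safeEqual(c.pass, pass);
    if (okUser && okPass) return next();
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Basic realm="example"');
    res.end('Access denied.');
  };
}

// In the Express app: app.use(basicAuthGate(process.env));
```
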

Source: https://habr.com/ru/post/972040/

