CODEWITHSUNDEEP
dockernginxamazon-elastic-beanstalkbasic-authentication
nerdinand
nerdinand

Reputation: 876

How do I configure HTTP basic auth on an Elastic Beanstalk Docker environment?

I'm trying to configure HTTP basic authentication on an EB deployment that uses Docker. I followed this post: http://sarahcassady.com/2016/09/18/deploy-aws-eb-app-with-auth-and-ssl/ But that approach only seems to work with regular EB deployments, not with docker. I get the following error message in the AWS EB console:

[2018-08-06T14:15:35.874Z] ERROR [26161] : Command execution failed: Activity failed. (ElasticBeanstalk::ActivityFatalError)
caused by: nginx: [warn] duplicate MIME type "text/html" in /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf:11
  nginx: [emerg] host not found in upstream "my_app" in /etc/nginx/conf.d/dev.conf:5
  nginx: configuration file /etc/nginx/nginx.conf test failed
   (ElasticBeanstalk::ExternalInvocationError)

Upvotes: 2

Views: 3363

Answers (2)

Jeremie
Jeremie

Reputation: 1307

I think AWS EB updated its configuration because I tried both the solutions from nerdinand and this article updated in February 2019 without success.

I found out that the nginx configuration is now created from this template file which can be extended, but leaves no space to add basic http authentication (unless I missed something): /opt/elasticbeanstalk/config/private/nginx/nginx.template

[...]
 include  conf.d/*.conf;

    map $http_upgrade $connection_upgrade {
            default       "upgrade";
    }

    server {
        listen {{.InstancePort}} default_server;
        gzip on;
        gzip_comp_level 4;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        access_log    /var/log/nginx/access.log main;

        location / {
            proxy_pass            http://docker;
            proxy_http_version    1.1;

            proxy_set_header    Connection             $connection_upgrade;
            proxy_set_header    Upgrade                $http_upgrade;
            proxy_set_header    Host                   $host;
            proxy_set_header    X-Real-IP              $remote_addr;
            proxy_set_header    X-Forwarded-For        $proxy_add_x_forwarded_for;
        }

        # Include the Elastic Beanstalk generated locations
        include conf.d/elasticbeanstalk/*.conf;
[...]

So I came up with this hack: add this script in .ebextensions which updates the template directly and adds those 2 lines in server{location{ right after $proxy_add_x_forwarded_for;

   auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

.ebextensions/01-http_basic_auth_mlflow.config

files:
  /etc/nginx/.htpasswd:
    mode: "000755"
    owner: root
    group: root
    content: |
      mlflow:$apr1$f3D.agib$OUM5soeHzMazKYYRRWXQW/

  /tmp/nginx_auth.sh:
    mode: "000777"
    content: |
        match=$(grep Restricted /opt/elasticbeanstalk/config/private/nginx/nginx.template)
        if [ -z "$match" ];
        then
            sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n   auth_basic "Restricted";\n    auth_basic_user_file \/etc\/nginx\/.htpasswd;/' /opt/elasticbeanstalk/config/private/nginx/nginx.template
        fi

container_commands:
  01nginx_auth:
    command: "sudo /tmp/nginx_auth.sh"

Upvotes: 0

nerdinand
nerdinand

Reputation: 876

I got it to work with the following .ebextensions/01-http_basic_auth.config file:

files:
  /etc/nginx/.htpasswd:
    mode: "000755"
    owner: root
    group: root
    content: |
      username:$apr1$k5WkOMBL$0FZNIWOLQMsHJAOREjemC/

  /etc/nginx/conf.d/dev.conf:
    mode: "000755"
    owner: root
    group: root
    content: |
      server {
        listen       80;
        server_name  localhost;
        location / {
          proxy_pass        http://docker;
          proxy_set_header  Host $host;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }

  /tmp/deployment/nginx_auth.sh:
    mode: "000755"
    content: |
      sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n   auth_basic "Restricted";\n    auth_basic_user_file \/etc\/nginx\/.htpasswd;\n/' /etc/nginx/conf.d/dev.conf

container_commands:
  01nginx_auth:
    command: "/tmp/deployment/nginx_auth.sh"
  02restart_nginx:
    command: "service nginx restart"

Note: The problem was that when deploying with Docker on EB, proxy_pass must be set to http://docker; instead of http://my_app;

Upvotes: 4

Related Questions