We have some sites that are only for internal use (documentation wiki, API etc.) as well as development and staging servers that are only accessible to certain users. I was looking for an easy way to be able to restrict access to an Aegir site using HTTP authentication and stumbled across this:

http://www.computerminds.co.uk/content/aegir-http-basic-authentication
https://github.com/computerminds/aegir_http_basic

I think this would be a useful addition to Barracuda.

Comments

omega8cc’s picture

Status: Active » Needs work
Issue tags: +BOA-todo

Interesting. Marking as todo.

omega8cc’s picture

Status: Needs work » Postponed

This module supports only Aegir 1.x code, while BOA is already using 2.x code, so I'm afraid we need to postpone it for now.

hyperglide’s picture

@mrfelton -- did you find an alternative solution?

hyperglide’s picture

Status: Postponed » Active

Understand that BOA is now using v.2 of the API.

Any suggestions on how best to secure sites?

mrfelton’s picture

We use the following in ~/.drush/secure.drush.inc

<?php
  function concern_provision_nginx_vhost_config($uri, $data) {
    $conf = array();
    // Password protect development and staging areas
    if ( preg_match("/(dev|stage)/i", $uri) ) {
      $conf[] = "";
      $conf[] = "   auth_basic 'Hello, please login to $uri';";
      $conf[] = "   auth_basic_user_file /var/aegir/config/includes/.htpasswd;";
      $conf[] = "";
      $conf[] = "";
    }
    return $conf;
  }

hyperglide’s picture

@mrfelton -- Thank you for the reply.

I assume I can edit if ( preg_match("/(dev|stage)/i", $uri) ) { to match our sub-domains. Correct?

By putting this code into ~/.drush/secure.drush.inc file?
Does this present any issues for BOA for updates down the road?

Thanks again!
hg

mrfelton’s picture

> I assume I can edit if ( preg_match("/(dev|stage)/i", $uri) ) { to match our sub-domains. correct?
Yes, edit that as you see fit. Ours simply password protects any development or staging environments, but you can edit the regex to match specific domains or whatever you want.

> Does this present any issues for BOA for updates down the road
I don't see why it would as we are only talking about password protecting sites that are managed by Aegir, not parts of Aegir itself, though I'm probably not fully qualified to answer that.
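
Added example, not part of the original thread: the unanchored pattern `/(dev|stage)/i` matches anywhere in the hostname, so it protects `devices.example.com` and `backstage.example.com` but leaves `staging.example.com` open, because "staging" does not contain "stage". The sketch below matches whole DNS labels instead; the helper name, the environment list and the sample hostnames are assumptions, and the `secure_` prefix assumes the file is saved as `secure.drush.inc`.

```php
<?php
// Added example, not code from the thread. Assumes the file is saved as
// ~/.drush/secure.drush.inc, so the hook carries the "secure_" prefix.

/**
 * TRUE when one DNS label of $uri is an environment name from $envs,
 * optionally followed by digits or a "-suffix" (dev, dev2, stage-api).
 * Hypothetical helper; the name and the $envs default are assumptions.
 */
function secure_needs_basic_auth($uri, array $envs = array('dev', 'stage', 'staging')) {
  foreach (explode('.', strtolower($uri)) as $label) {
    foreach ($envs as $env) {
      $pattern = '/^' . preg_quote($env, '/') . '([0-9]+|-[a-z0-9-]+)?$/';
      if (preg_match($pattern, $label)) {
        return TRUE;
      }
    }
  }
  return FALSE;
}

/**
 * Same hook as in the post, with the match delegated to the helper.
 */
function secure_provision_nginx_vhost_config($uri, $data) {
  $conf = array();
  if (secure_needs_basic_auth($uri)) {
    // Fixed realm string: nothing from $uri is interpolated into nginx config.
    $conf[] = "   auth_basic 'Restricted';";
    $conf[] = "   auth_basic_user_file /var/aegir/config/includes/.htpasswd;";
  }
  return $conf;
}

// Self-check when run directly (php secure.drush.inc); skipped under Drush.
// The hostnames are constructed samples.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
  $hosts = array('dev.example.com', 'staging.example.com', 'stage2.example.com',
    'devices.example.com', 'backstage.example.com', 'www.example.com');
  foreach ($hosts as $host) {
    printf("%-24s thread-regex=%d label-match=%d\n", $host,
      preg_match('/(dev|stage)/i', $host), secure_needs_basic_auth($host));
  }
}
```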

mrfelton’s picture

You can call the file what you want - as long as it's in ~/.drush and it ends in .drush.inc.

hyperglide’s picture

Thanks for the replies and information.

I looked over my BOA install and found 2 possible locations for creating the "secure.drush.inc"

Octopus Install -- /data/disk/hg/.drush/
Master Install -- /var/aegir/.drush

and tried both.

Do I need to call the drush command in the sites folder I want to invoke it on? Or something else to initiate the protection?

Thank you again.

omega8cc’s picture

Status: Active » Closed (works as designed)