Can't have more than 1 password protected location

[lukaszkorecki]

tl;dr I want to have more than one application served from / via nginx with basic auth on different ports. At the moment it doesn't seem to be possible.

Details

Given this setup:

 ::nginx::resource::vhost { 'app-1':
   listen_port => 1000,
 }

 ::nginx::resource::location { 'app-1-proxy':
   vhost                => 'app-1',
   location             => '/',
   auth_basic_user_file => '/etc/common-htpasswd',
   auth_basic           => 'app-1',
   proxy                => 'http://app-1-upstream',
 }

 ::nginx::resource::upstream { 'app-1-upstream':
   members => [ 'http://localhost:3000' ]
 }


 ::nginx::resource::vhost { 'app-2':
   listen_port => 2000,
 }

 ::nginx::resource::location { 'app-2-proxy':
   vhost                => 'app-2',
   location             => '/',
   auth_basic_user_file => '/etc/common-htpasswd',
   auth_basic           => 'app-2',
   proxy                => 'http://app-2-upstream',
 }

 ::nginx::resource::upstream { 'app-2-upstream':
   members => [ 'http://localhost:4000' ]
 }

I'm getting an error saying that File[/etc/nginx/__htpasswd] is being created twice. Of course puppet doesn't like that.

The problematic line is here: https://github.com/jfryman/puppet-nginx/blob/a19cb94f2398d0b9609a04db2ec9a0071c565004/manifests/resource/location.pp#L381

Basically location of / gets escaped as _

Seems like the easiest fix would be to just use the path to original password file and use that in generated nginx config.

Is there a reason why it's done this way? Or am I misunderstanding the usage of the resources?

[3flex]

@lukaszkorecki I have opened PR #603 to fix this.

To your point

Seems like the easiest fix would be to just use the path to original password file and use that in generated nginx config.

I agree, but there's a legacy in this module of copying configuration files from other locations to put under the nginx config directory. I plan to change things for the SSL files so they're not copied around, but may expand scope to cover all files that aren't generated by this module itself. Makes for simpler code and less confusion I think.

[lukaszkorecki]

@3flex Sounds good. I completely understand the original approach btw.

Thanks!

[3flex]

I looked more closely at the code, and it turns out that the module copies the file to "${::nginx::config::conf_dir}/${location_sanitized}_htpasswd", but the template references the original file location. So the code being updated currently creates a new file then does nothing with it.

So to fix your issue all that's required is to stop creating that new file. Everything else will continue to work as-is. I'll create a new PR soon.

[schkovich]

I would remove parameters auth_basic and auth_basic_user_file. There is no real value in having those two parameters. Just increased complexity. The same could be achieved using parameter location_custom_cfg. Here is hiera example:

nginx::nginx_locations:
  protected1:
    location: '/protected1/*'
    vhost: 'www.yourdomain.dev'
    location_custom_cfg:
      auth_basic: "Restricted One"
      auth_basic_user_file: "/wherever/you/like/htpasswd1"
  protected2:
    location: '/protected2/*'
    vhost: 'www.yourdomain.dev'
    location_custom_cfg:
      auth_basic: "Restricted Two"
      auth_basic_user_file: "/wherever/you/like/htpasswd2"