Skip to main content

devpi-lockdown: tools to enable authentication for read access

Project description

devpi-lockdown: tools to enable authentication for read access

This plugin adds some views to allow locking down read access to devpi.

Only tested with nginx so far.

Installation

devpi-lockdown needs to be installed alongside devpi-server.

You can install it with:

pip install devpi-lockdown

Usage

To lock down read access to devpi, you need a proxy in front of devpi which can use the provided views to limit access.

The views are:

/+authcheck

This returns 200 when the user is authenticated or 401 if not. It uses the regular devpi credential checks and an additional credential check using a cookie provided by devpi-lockdown to allow login with a browser.

/+login

A plain login form to allow access via browsers for use with devpi-web.

/+logout

Drops the authentication cookie.

For nginx the auth_request module is required. You should use the devpi-genconfig script to generate your nginx configuration. With devpi-server 6.0.0 or newer an nginx-devpi-lockdown.conf should have been generated. If not, then you need to add the following to your server block before the first location block:

# this redirects to the login view when not logged in
recursive_error_pages on;
error_page 401 = @error401;
location @error401 {
    return 302 /+login?goto_url=$request_uri;
}

# lock down everything by default
auth_request /+authcheck;

# the location to check whether the provided infos authenticate the user
location = /+authcheck {
    internal;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-outside-url $scheme://$http_host;  # copy the value from your existing configuration
    proxy_set_header X-Real-IP $remote_addr;  # copy the value from your existing configuration
    proxy_pass http://localhost:3141;  # copy the value from your existing configuration
}

Changelog

2.0.0 - 2021-05-16

  • Dropped Python 2.7, 3.4 and 3.5 support.

  • Support for devpi-server 6.0.0.

  • Redirect back to original URL after login.

  • With devpi-server 6.0.0 the devpi-gen-config script creates a nginx-devpi-lockdown.conf.

  • Automatically allow locations required for login page.

  • Show error message for invalid credentials.

  • Support Pyramid 2.0.

1.0.1 - 2018-11-16

  • Fix import for Pyramid >= 1.10.0.

  • Add /+static to configuration

  • Lock down everything by default in the configuration and only allow the necessary locations

1.0.0 - 2017-03-10

  • initial release

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

devpi-lockdown-2.0.0.tar.gz (14.1 kB view hashes)

Uploaded Source

Built Distribution

devpi_lockdown-2.0.0-py2.py3-none-any.whl (7.1 kB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page