devpi-lockdown: tools to enable authentication for read access

This plugin adds some views to allow locking down read access to devpi.

Only tested with nginx so far.

Installation

devpi-lockdown needs to be installed alongside devpi-server.

You can install it with:

pip install devpi-lockdown

Usage

To lock down read access to devpi, you need a proxy in front of devpi which can use the provided views to limit access.

The views are:

/+authcheck

This returns 200 when the user is authenticated or 401 if not. It uses the regular devpi credential checks and an additional credential check using a cookie provided by devpi-lockdown to allow login with a browser.

/+login

A plain login form to allow access via browsers for use with devpi-web.

/+logout

Drops the authentication cookie.

For nginx, the auth_request module is required and the configuration would look something like this:

server {
    ...

    # this redirects to the login view when not logged in
    error_page 401 = @error401;
    location @error401 {
        return 302 /+login;
    }

    # the location to check whether the provided credentials authenticate the user
    location = /+authcheck {
        internal;

        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }

    # pass on /+login without authentication check to allow login
    location = /+login {
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }

    # pass on /+api without authentication check for URL endpoint discovery
    location ~ /\+api$ {
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }

    # use auth_request to lock down all the rest
    location / {
        auth_request /+authcheck;
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }
}

If you use the example configuration from devpi-server, then you have to add the auth_request check to the file and documentation parts as well.
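
A location that serves files without going through /+authcheck stays readable without login. The following is an added example, not part of devpi-lockdown: a small audit that lists location blocks which serve content but carry no auth_request. It assumes auth_request is set per location as in the configuration above (server-level inheritance is not modelled) and that location blocks are not nested; the sample config, its /+f/ location and the /srv/devpi path are constructed for illustration.

```python
import re

# Locations the page leaves open on purpose: the login form and /+api discovery.
PUBLIC = {"= /+login", r"~ /\+api$"}
LOCATION = re.compile(r"^\s*location\s+([^{]+?)\s*\{", re.M)
SERVES = re.compile(r"^\s*(proxy_pass|root|alias|try_files)\b", re.M)
AUTH = re.compile(r"^\s*auth_request\s+(?!off\b)\S+\s*;", re.M)
INTERNAL = re.compile(r"^\s*internal\s*;", re.M)

# Constructed sample (not from the page): its layout plus a file location that
# serves from disk and was never given auth_request. /srv/devpi is hypothetical.
SAMPLE = r"""
server {
    location @error401 { return 302 /+login; }
    location = /+authcheck {
        internal;
        proxy_pass http://localhost:3141;
    }
    location = /+login { proxy_pass http://localhost:3141; }
    location ~ /\+api$ { proxy_pass http://localhost:3141; }
    location ~ /\+f/ {
        root /srv/devpi;
        try_files /+files$uri @proxy_to_app;
    }
    location / {
        auth_request /+authcheck;
        proxy_pass http://localhost:3141;
    }
}
"""

def location_blocks(conf):
    """Yield (spec, body) per location block; assumes flat, brace-balanced blocks."""
    for m in LOCATION.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def unprotected_locations(conf, public=PUBLIC):
    """Specs of locations that serve content with no auth_request. Named (@...)
    and `internal` locations are skipped: clients cannot request them directly."""
    return [spec for spec, body in location_blocks(conf)
            if not (spec.startswith("@") or INTERNAL.search(body))
            and spec not in public
            and SERVES.search(body) and not AUTH.search(body)]

if __name__ == "__main__":
    print(unprotected_locations(SAMPLE))
```

An empty list means every externally reachable location that serves content either runs the /+authcheck subrequest or is one of the two deliberately public ones.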

Changelog

1.0.0 - 2017-03-10

  • initial release

Download files

Filename, size                                   File type   Python version   Upload date
devpi_lockdown-1.0.0-py3-none-any.whl (6.2 kB)   Wheel       3                Mar 10, 2017
devpi-lockdown-1.0.0.tar.gz (4.0 kB)             Source      None             Mar 10, 2017