Skip to main content

devpi-lockdown: tools to enable authentication for read access

Project description

devpi-lockdown: tools to enable authentication for read access

This plugin adds some views to allow locking down read access to devpi.

Only tested with nginx so far.

Installation

devpi-lockdown needs to be installed alongside devpi-server.

You can install it with:

pip install devpi-lockdown

Usage

To lock down read access to devpi, you need a proxy in front of devpi which can use the provided views to limit access.

The views are:

/+authcheck

This returns 200 when the user is authenticated or 401 if not. It uses the regular devpi credential checks and an additional credential check using a cookie provided by devpi-lockdown to allow login with a browser.

/+login

A plain login form to allow access via browsers for use with devpi-web.

/+logout

Drops the authentication cookie.

For nginx the auth_request module is required and the configuration would something look like this:

server {
    ...

    # this redirects to the login view when not logged in
    error_page 401 = @error401;
    location @error401 {
        return 302 /+login;
    }

    # the location to check whether the provided infos authenticate the user
    location = /+authcheck {
        internal;

        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }

    # lock down everything by default
    auth_request /+authcheck;

    # pass on /+login without authentication check to allow login
    location = /+login {
        auth_request off;
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }

    # pass on /+api without authentication check for URL endpoint discovery
    location ~ /\+api$ {
        auth_request off;
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }

    # pass on /+static without authentication check for browser access to css etc
    location /+static/ {
        auth_request off;
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }

    # use auth_request to lock down all the rest
    location / {
        proxy_set_header X-outside-url https://$host;
        proxy_pass http://localhost:3141;
    }
}

Changelog

1.0.1 - 2018-11-16

  • Fix import for Pyramid >= 1.10.0.
  • Add /+static to configuration
  • Lock down everything by default in the configuration and only allow the necessary locations

1.0.0 - 2017-03-10

  • initial release

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
devpi_lockdown-1.0.1-py2.py3-none-any.whl (4.4 kB) Copy SHA256 hash SHA256 Wheel 2.7
devpi-lockdown-1.0.1.tar.gz (4.8 kB) Copy SHA256 hash SHA256 Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page