devpi-lockdown: tools to enable authentication for read access
Project description
devpi-lockdown: tools to enable authentication for read access
This plugin adds some views to allow locking down read access to devpi.
Only tested with nginx so far.
Installation
devpi-lockdown needs to be installed alongside devpi-server.
You can install it with:
pip install devpi-lockdown
Usage
To lock down read access to devpi, you need a proxy in front of devpi which can use the provided views to limit access.
The views are:
/+authcheck
This returns 200 when the user is authenticated or 401 if not. It uses the regular devpi credential checks and an additional credential check using a cookie provided by devpi-lockdown to allow login with a browser.
/+login
A plain login form to allow access via browsers for use with devpi-web.
/+logout
Drops the authentication cookie.
For nginx the auth_request module is required and the configuration would something look like this:
server {
...
# this redirects to the login view when not logged in
error_page 401 = @error401;
location @error401 {
return 302 /+login;
}
# the location to check whether the provided infos authenticate the user
location = /+authcheck {
internal;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-outside-url https://$host;
proxy_pass http://localhost:3141;
}
# lock down everything by default
auth_request /+authcheck;
# pass on /+login without authentication check to allow login
location = /+login {
auth_request off;
proxy_set_header X-outside-url https://$host;
proxy_pass http://localhost:3141;
}
# pass on /+api without authentication check for URL endpoint discovery
location ~ /\+api$ {
auth_request off;
proxy_set_header X-outside-url https://$host;
proxy_pass http://localhost:3141;
}
# pass on /+static without authentication check for browser access to css etc
location /+static/ {
auth_request off;
proxy_set_header X-outside-url https://$host;
proxy_pass http://localhost:3141;
}
# use auth_request to lock down all the rest
location / {
proxy_set_header X-outside-url https://$host;
proxy_pass http://localhost:3141;
}
}Changelog
1.0.1 - 2018-11-16
Fix import for Pyramid >= 1.10.0.
Add /+static to configuration
Lock down everything by default in the configuration and only allow the necessary locations
1.0.0 - 2017-03-10
initial release
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file devpi-lockdown-1.0.1.tar.gz.
File metadata
- Download URL: devpi-lockdown-1.0.1.tar.gz
- Upload date:
- Size: 4.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: devpi-server/4.7.1 (py2.7.15; darwin)
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 5bd44e60c97be48d59193212d65e4cb30d777cea9de23891b4285ed1ecc592fe |
|
| MD5 | a5d0c528f3ea8f59b5483bc47855f2e3 |
|
| BLAKE2b-256 | b796e03c9f36bc0d7638dbda3f4b81180c1b36f0ff7e44e4ffad5547bf3b8b0f |
File details
Details for the file devpi_lockdown-1.0.1-py2.py3-none-any.whl.
File metadata
- Download URL: devpi_lockdown-1.0.1-py2.py3-none-any.whl
- Upload date:
- Size: 4.4 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: devpi-server/4.7.1 (py2.7.15; darwin)
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | daab2af8511a530aad9ca25682b293b9db2144f20a0b51f886b8730c472115da |
|
| MD5 | 0f3f6d38da2aed2b68b4a270a7479a22 |
|
| BLAKE2b-256 | 2a7a2e1ec306dc64cfb957575da8c1753e6c8c55bce732b1e970d348daed7982 |
