2 Commits 0b8414a341 ... 3c98cd09ac

  Emmanuel Bouthenot 3c98cd09ac Support IP whitelists with php{syscheck,myadmin,pgadmin}_http_auth 3 years ago
  Emmanuel Bouthenot aeec4c27d4 Rename options: http_auth_syscheck -> phpsyscheck_http_auth and http_auth_phpmyadmin -> phpmyadmin_http_auth, http_auth_phppgadmin -> phppgadmin_http_auth 3 years ago

+ 6 - 3
roles/webserver/defaults/main.yml

@@ -39,7 +39,8 @@ phpsyscheck_vhostname: 'sys.localhost'
 phpsyscheck_vhostip: Null
 phpsyscheck_vhostport: Null
 phpsyscheck_ssl: False
-http_auth_syscheck: False
+phpsyscheck_http_auth: False
+phpsyscheck_http_whitelist_ip: []
 
 php_config:
   date.timezone: 'Europe/Paris'
@@ -61,13 +62,15 @@ phpmyadmin_vhostname: 'pma.localhost'
 phpmyadmin_vhostip: Null
 phpmyadmin_vhostport: Null
 phpmyadmin_ssl: False
-http_auth_phpmyadmin: False
+phpmyadmin_http_auth: False
+phpmyadmin_http_whitelist_ip: []
 
 with_phppgadmin: False
 phppgadmin_vhostname: 'pga.localhost'
 phppgadmin_vhostip: Null
 phppgadmin_vhostport: 80
-http_auth_phppgadmin: False
+phppgadmin_http_auth: False
+phppgadmin_http_whitelist_ip: []
 
 http_auth_admin_password: Null
 http_auth_user_name: Null
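Review bot: Renaming `http_auth_syscheck` / `http_auth_phpmyadmin` / `http_auth_phppgadmin` with no fallback fails open: an inventory that still sets the old names now picks up the new default `False` and its admin vhosts are deployed with no HTTP auth at all. Until the old names are retired the defaults can bridge them, e.g. `phpsyscheck_http_auth: "{{ http_auth_syscheck | default(False) }}"` (and the same for the phpmyadmin and phppgadmin variants), or a task can `assert` that none of the old names is defined so the playbook stops instead of silently unprotecting the hosts. The three new `*_http_whitelist_ip` lists also deserve a comment, because "whitelist" here widens access rather than narrowing it: `# Addresses/CIDRs that may reach the vhost WITHOUT a password (only honoured when the matching *_http_auth is True)`.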

+ 7 - 2
roles/webserver/templates/apache2/pga_vhost.j2

@@ -10,12 +10,17 @@
     DocumentRoot /usr/share/phppgadmin
     DirectoryIndex index.php
 
-{% if http_auth_phppgadmin %}
+{% if phppgadmin_http_auth %}
     <Location />
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phppgadmin_http_whitelist_ip|length > 0 %}
+            Require ip {{ phppgadmin_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
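Review bot: The new `Require ip` line inside `<RequireAny>` matches the TCP peer address, so if this vhost sits behind a reverse proxy or load balancer every request arrives from the proxy's address and whitelisting it switches Basic auth off for all clients; the list is only meaningful with end-client addresses, or with mod_remoteip configured (`RemoteIPHeader` plus `RemoteIPInternalProxy` limited to the proxy) so that mod_authz_host evaluates the forwarded address instead. The entries are also emitted verbatim through `join(' ')`, so an entry containing a space or a newline becomes extra configuration tokens; that is operator-controlled here, but validating the list in a task would fail the deploy rather than apachectl. I would add above the `Require ip` line: `# clients from these addresses skip Basic auth entirely (RequireAny); must be real client addresses, not a proxy`. The enclosing `<VirtualHost>` starts and ends outside the hunk.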
 

+ 14 - 4
roles/webserver/templates/apache2/pma_vhost.j2

@@ -15,12 +15,17 @@
     DocumentRoot /usr/share/phpmyadmin
     DirectoryIndex index.php
 
-{% if http_auth_phpmyadmin %}
+{% if phpmyadmin_http_auth %}
     <Location />
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpmyadmin_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
 
@@ -65,12 +70,17 @@
     DocumentRoot /usr/share/phpmyadmin
     DirectoryIndex index.php
 
-{% if http_auth_phpmyadmin %}
+{% if phpmyadmin_http_auth %}
     <Location />
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpmyadmin_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
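Review bot: The identical eleven-line `<Location />` block now appears twice in this file (both hunks) and again in pga_vhost.j2 and sys_vhost.j2, so the next change to the auth rule — a proxy-aware check, a different realm, a second user file — has to be made in six places and will drift. A Jinja macro defined once at the top of the template (or in a shared file brought in with `{% import %}`) keeps a single copy, and each call site shrinks to `{{ http_auth_location(phpmyadmin_http_whitelist_ip) }}` inside the existing `{% if phpmyadmin_http_auth %}`. The two `<VirtualHost>` blocks this lands in start and end outside the hunks.
```jinja
{# Shared auth rule: clients from `whitelist` skip Basic auth (RequireAny); everyone else needs a valid auth_admin user #}
{% macro http_auth_location(whitelist) %}
    <Location />
        AuthType basic
        AuthName "Restricted Access"
        AuthUserFile /etc/apache2/auth_admin
        <RequireAny>
{% if whitelist|length > 0 %}
            Require ip {{ whitelist | join(' ') }}
{% endif %}
            Require valid-user
        </RequireAny>
    </Location>
{% endmacro %}
{# … unchanged: first <VirtualHost> up to DirectoryIndex … #}
{% if phpmyadmin_http_auth %}
{{ http_auth_location(phpmyadmin_http_whitelist_ip) }}
{% endif %}
```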
 

+ 16 - 8
roles/webserver/templates/apache2/sys_vhost.j2

@@ -15,20 +15,24 @@
     DocumentRoot /etc/phpsyscheck
     DirectoryIndex index.php
 
-{% if http_auth_syscheck %}
+{% if phpsyscheck_http_auth %}
     <Location />
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpsyscheck_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
 
     <Directory /etc/phpsyscheck>
         Options None
         AllowOverride None
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
 
 {% if with_fpm|bool %}
@@ -54,20 +58,24 @@
     DocumentRoot /etc/phpsyscheck
     DirectoryIndex index.php
 
-{% if http_auth_syscheck %}
+{% if phpsyscheck_http_auth %}
     <Location />
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpsyscheck_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
 
     <Directory /etc/phpsyscheck>
         Options None
         AllowOverride None
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
 
     <IfModule php7_module>
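Review bot: The new `Require all granted` in `<Directory /etc/phpsyscheck>` does not undo the `<Location />` rule above it only because Apache merges `<Location>` sections after `<Directory>` sections and `AuthMerging` defaults to `Off`, so the Location's `RequireAny` replaces this grant; that ordering is easy to break by anyone who later adds `AuthMerging Or` or moves the auth rule into the Directory block, so it deserves a comment: `# filesystem-level grant only; access control is the <Location /> block above, which merges after this and replaces it`. Separately, `{% if phpsyscheck_http_auth %}` tests Jinja truthiness while the neighbouring `{% if with_fpm|bool %}` coerces, so a string value such as `-e phpsyscheck_http_auth=false` passed on the command line still enables auth (fail closed, but surprising); `{% if phpsyscheck_http_auth|bool %}` would match the file's existing idiom. The `<VirtualHost>` blocks start and end outside the hunks.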

+ 8 - 1
roles/webserver/templates/nginx/pga_vhost.j2

@@ -16,9 +16,16 @@ server {
     index index.php;
     try_files $uri $uri/ /index.php;
 
-{% if http_auth_phppgadmin %}
+{% if phppgadmin_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phppgadmin_http_whitelist_ip|length > 0 %}
+{% for ip in phppgadmin_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     client_max_body_size 128m;
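Review bot: The new `allow` / `deny all` / `satisfy any` lines compare against `$remote_addr`, the TCP peer; if this server is fronted by a proxy or load balancer that peer is always the proxy, so whitelisting its address makes `satisfy any` admit every client without a password. Either document that the list must hold end-client addresses, or configure ngx_http_realip_module with `set_real_ip_from` restricted to the proxy's address and `real_ip_header` so that direct clients cannot spoof the header. I would add above the loop: `# addresses listed here bypass auth_basic (satisfy any); compared against $remote_addr, so behind a proxy configure realip first`. The `server` block starts and ends outside the hunk.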

+ 16 - 2
roles/webserver/templates/nginx/pma_vhost.j2

@@ -27,9 +27,16 @@ server {
     index index.php;
     try_files $uri $uri/ /index.php;
 
-{% if http_auth_phpmyadmin %}
+{% if phpmyadmin_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+{% for ip in phpmyadmin_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     client_max_body_size 128m;
@@ -61,9 +68,16 @@ server {
     index index.php;
     try_files $uri $uri/ /index.php;
 
-{% if http_auth_phpmyadmin %}
+{% if phpmyadmin_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+{% for ip in phpmyadmin_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     client_max_body_size 128m;
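Review bot: Each entry of `phpmyadmin_http_whitelist_ip` is interpolated verbatim into `allow {{ ip }};` (and, in the Apache template, into a `Require ip` line) with nothing checking that it is an address or CIDR; a typo such as `10.0.0.0/8;` is only caught by `nginx -t`, and a stray `0.0.0.0/0` is not caught at all and silently turns the password off for the whole vhost. A one-time `assert` task in the role over the three lists (the `ipaddr` filter, which needs the netaddr library, or a regex such as `^[0-9a-fA-F.:]+(/[0-9]{1,3})?$` without it) would reject bad entries at deploy time, and the template could refuse `0.0.0.0/0` and `::/0` outright. The second hunk repeats the first block verbatim in another `server`; both server blocks start and end outside the hunks.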

+ 16 - 2
roles/webserver/templates/nginx/sys_vhost.j2

@@ -27,9 +27,16 @@ server {
     index index.php;
     try_files $uri $uri/ /index.php;
 
-{% if http_auth_syscheck %}
+{% if phpsyscheck_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+{% for ip in phpsyscheck_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     location ~ \.php(/|$) {
@@ -53,9 +60,16 @@ server {
     index index.php;
     try_files $uri $uri/ /index.php;
 
-{% if http_auth_syscheck %}
+{% if phpsyscheck_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+{% for ip in phpsyscheck_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     location ~ \.php(/|$) {
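Review bot: `deny all` at `server` level is inherited by every `location`, including the `location ~ \.php(/|$)` handler that opens on the hunk's last line; that is the intent here, but it should also mean that a future `location` which sets `auth_basic off` (static assets, a health-check path) answers 403 to non-whitelisted clients rather than becoming public, because under `satisfy any` the access module is then the only check left to satisfy. That is fail-closed and acceptable, but a comment on the `satisfy any` line would save the next person a debugging session: `# satisfy any: whitelisted address OR valid user; locations that turn auth_basic off become IP-only`. The `server` blocks start and end outside the hunks.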