Remove option to store cleartext passwords in config

This is bad practice, and we should not be enabling it.
internetstandards · Feb 20, 2024 · 169c911 · 169c911
1 parent c4a9dae
commit 169c911
Show file tree

Hide file tree

Showing 9 changed files with 20 additions and 35 deletions.
diff --git a/docker/defaults.env b/docker/defaults.env
@@ -61,15 +61,11 @@ HOSTERS_HOF_URL=
 # manual HoF pages to include
 MANUAL_HOF_PAGES=
 
-# comma separated user:password pairs for /grafana and /prometheus metrics endpoints
-MONITORING_AUTH=
-# comma separated user:password pairs for side wide authentication
-BASIC_AUTH=
-
-# comma separated of IP(v6) addresses/subnets that are allowed to access the website without a password when BASIC_AUTH is enabled
+# comma separated of IP(v6) addresses/subnets that are allowed to access the website without a password when BASIC_AUTH_RAW is enabled
 ALLOW_LIST=
 
-# comma separated user:htpasswd_encrypted pairs, same AUTH above, except password must already be encrypted
+# comma separated user:htpasswd_encrypted pairs for /grafana and /prometheus, and side wide
+# password must already be encrypted
 # please not that the value needs to be enclosed by single quotes to prevent interpolation of the dollar signs
 # eg: BASIC_AUTH_RAW='test1:$apr1$wGM8gxBe$DxGwifTGWZJ7nftK7LzFt/,user2:$apr1$BoZzsbb/$2NgfYCfF9lxmGrfSqsZKc/'
 MONITORING_AUTH_RAW=

diff --git a/docker/develop.env b/docker/develop.env
@@ -11,8 +11,8 @@ COMPOSE_PROJECT_NAME=internetnl-develop
 # enable for testing batch api
 ENABLE_BATCH=True
 
-# use easy user/passwords for authenticated endpoints
-MONITORING_AUTH=test:test
+# use easy test/test user/passwords for authenticated endpoints
+MONITORING_AUTH='test:$apr1$PfpYZVWM$tLUKMXt91KJV6I.CF3TOt1'
 
 LETSENCRYPT_STAGING=1
 LETSENCRYPT_EMAIL=[email protected]

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -26,8 +26,6 @@ services:
     environment:
       - INTERNETNL_DOMAINNAME
       - IPV6_TEST_ADDR
-      - MONITORING_AUTH
-      - BASIC_AUTH
       - MONITORING_AUTH_RAW
       - BASIC_AUTH_RAW
       - ALLOW_LIST

diff --git a/docker/test.env b/docker/test.env
@@ -53,9 +53,8 @@ TEST_TARGET_DOMAINNAME=target.test
 IPV6_IP_TEST_TARGET_PUBLIC=fd00:43:1::51
 IPV6_IP_TEST_TARGET_MAIL_PUBLIC=fd00:43:1::52
 
-# use easy user/passwords for authenticated endpoints
-MONITORING_AUTH=test:test
-MONITORING_AUTH_RAW='test_raw:$apr1$6YuDyduL$706z.FPTe5c09R767N3W90'
+# use easy test/test user/passwords for authenticated endpoints
+MONITORING_AUTH_RAW='test:$apr1$PfpYZVWM$tLUKMXt91KJV6I.CF3TOt1,test_raw:$apr1$6YuDyduL$706z.FPTe5c09R767N3W90'
 
 # use lower scheduler interval to speed up batch API tests
 BATCH_SCHEDULER_INTERVAL=3

diff --git a/docker/webserver/authentication.sh b/docker/webserver/authentication.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # enable basic auth when user/password is configured
-if [ ! "$BASIC_AUTH" = "" ] || [ ! "$BASIC_AUTH_RAW" = "" ];then
+if [ ! "$BASIC_AUTH_RAW" = "" ];then
   echo 'auth_basic "Please enter your username and password";auth_basic_user_file /etc/nginx/htpasswd/basic_auth.htpasswd;' > /etc/nginx/conf.d/basic_auth.conf
 fi
 
@@ -15,7 +15,7 @@ if [ ! "$ALLOW_LIST" = "" ];then
 fi
 
 # verify that when debug is enabled, authentication is also enabled
-if [ ! "$DEBUG" = "False" ] && [ "$BASIC_AUTH$BASIC_AUTH_RAW$ALLOW_LIST" = "" ];then
-  printf "\nMust have BASIC_AUTH, BASIC_AUTH_RAW or ALLOW_LIST authentication configured if DEBUG is not 'False'!\n"
+if [ ! "$DEBUG" = "False" ] && [ "$BASIC_AUTH_RAW$ALLOW_LIST" = "" ];then
+  printf "\nMust have BASIC_AUTH_RAW or ALLOW_LIST authentication configured if DEBUG is not 'False'!\n"
   exit 1
 fi
diff --git a/docker/webserver/generate_htpasswd.sh b/docker/webserver/generate_htpasswd.sh
@@ -1,7 +1,3 @@
-# generate htaccess files from environment variables. Add a user:password for every comma separated pair
-echo $MONITORING_AUTH|tr ',' '\n'|tr ':' ' '| xargs --max-args=2 --no-run-if-empty htpasswd -b /etc/nginx/htpasswd/monitoring.htpasswd
-echo $BASIC_AUTH|tr ',' '\n'|tr ':' ' '| xargs --max-args=2 --no-run-if-empty htpasswd -b /etc/nginx/htpasswd/basic_auth.htpasswd
-
 # append raw entries to htpasswd file
 echo $MONITORING_AUTH_RAW|tr ',' '\n' >> /etc/nginx/htpasswd/monitoring.htpasswd
 echo $BASIC_AUTH_RAW|tr ',' '\n' >> /etc/nginx/htpasswd/basic_auth.htpasswd
diff --git a/documentation/Docker-deployment-batch.md b/documentation/Docker-deployment-batch.md
@@ -103,18 +103,18 @@ Batch installations require the following settings:
 
 And optionally:
 
-- `MONITORING_AUTH`: May be a comma separated list of `user:password` pairs which are allowed to access the metrics at `https://example.com/grafana/`.
-- `BASIC_AUTH`, `BASIC_AUTH_RAW` and `ALLOW_LIST`: Can be set to restrict access to the single scan webpage. See [Restricting Access](Docker-deployment.md#restricting-access) for more information.
+- `MONITORING_AUTH_RAW`: May be a comma separated list of `user:password` pairs which are allowed to access the metrics at `https://example.com/grafana/`.
+- `BASIC_AUTH_RAW` and `ALLOW_LIST`: Can be set to restrict access to the single scan webpage. See [Restricting Access](Docker-deployment.md#restricting-access) for more information.
 
 For example:
 
     cat >> docker/local.env <<EOF
     ENABLE_BATCH=True
     ENABLE_HOF=False
     # user/password(s) for access to /grafana monitoring
-    MONITORING_AUTH=user:welkom01
+    MONITORING_AUTH_RAW=user:<htpasswd hash>
     # user/password(s) for access to web interface
-    BASIC_AUTH=user:welkom01
+    BASIC_AUTH_RAW=user:<htpasswd hash>
     # allowed IP's to visit web interface without password
     ALLOW_LIST=198.51.100.1,2001:db8:2::1
     EOF

diff --git a/documentation/Docker-deployment.md b/documentation/Docker-deployment.md
@@ -301,7 +301,7 @@ Besides the single scan webpage, the Internet.nl application also contains a Bat
 
 ## Metrics (grafana/prometheus)
 
-The default deployment includes a metrics collection system. It consists of a Prometheus metrics server with various exporters and a Grafana frontend. To view metrics and graphs visit: `https://example.com/grafana/`. Authentication is configured using the `MONITORING_AUTH` variable.
+The default deployment includes a metrics collection system. It consists of a Prometheus metrics server with various exporters and a Grafana frontend. To view metrics and graphs visit: `https://example.com/grafana/`. Authentication is configured using the `MONITORING_AUTH_RAW` variable.
 
 Also see: [Metrics](Docker-metrics.md)
 
@@ -353,17 +353,13 @@ By default the installation is open to everyone. If you like to restrict access
 
 ### HTTP Basic Authentication
 
-Site wide HTTP Basic Authentication is configured `BASIC_AUTH` and `BASIC_AUTH_RAW` variable. They should contain comma separated `user:password` or `user:encrypted_password` entries.
+Site wide HTTP Basic Authentication is configured `BASIC_AUTH_RAW` variable. This should contain comma separated `user:encrypted_password` entries.
 
-The allow only the user `example_user` with password `secret123` to access the site add the following in the `docker/local.env` file:
-
-    BASIC_AUTH=example_user:secret123
-
-Aditionally the password can already be provided as encrypted value. For this encrypt the password using the `htpasswd` tool and use the `BASIC_AUTH_RAW` variable. Make sure to enclose the value with single quotes:
+To allow only the user `example_user` with password `secret123` to access the site add the following in the `docker/local.env` file:
 
     BASIC_AUTH_RAW='example_user:$apr1$trHqgfkY$tIpKCOuSHLfYa20HVzyaX.'
 
-Both variables can be used at the same time, however, **do not list a user in both variables**.
+Make sure to enclose the value with single quotes.
 
 ### IP allow/deny lists
 
@@ -375,7 +371,7 @@ For example, to only allow the IP addresses `198.51.100.1` and `2001:db8:2::1` a
 
 ### Combining HTTP Basic Authentication and IP allow lists
 
-When setting boat `BASIC_AUTH(_RAW)` and `ALLOW_LIST`, users connecting from an IP in the allow list won't be prompted for a password.
+When setting both `BASIC_AUTH_RAW` and `ALLOW_LIST`, users connecting from an IP in the allow list won't be prompted for a password.
 
 ## Renewing DNSSEC after IP/hostname change
 

diff --git a/documentation/Docker-metrics.md b/documentation/Docker-metrics.md
@@ -2,7 +2,7 @@
 
 The Docker deployment includes a metrics collection system which is available on production as well as development/test environments. It consists of a Prometheus metrics server which scrapes metrics from various exporters. Grafana is provided as frontend to visualise metrics and create graphs/dashboards.
 
-To view metrics and graphs visit the `/grafana/` endpoint. Eg: `http://localhost:8080/grafana/` for development and `https://example.com/grafana/` for production. For development the user/password is set to `test/test`, for production users can be configured using the `MONITORING_AUTH` variable in `docker/local.env` (see `docker/defaults.env` for information).
+To view metrics and graphs visit the `/grafana/` endpoint. Eg: `http://localhost:8080/grafana/` for development and `https://example.com/grafana/` for production. For development the user/password is set to `test/test`, for production users can be configured using the `MONITORING_AUTH_RAW` variable in `docker/local.env` (see `docker/defaults.env` for information).
 
 Metrics collection is defined in the `docker/docker-compose-monitoring.yml` file.