Apply batch auth to /

mxsasha · mxsasha · commit 98ec904c57c6 · 2024-03-07T16:52:57.000+01:00
diff --git a/docker/webserver/authentication.sh b/docker/webserver/authentication.sh
@@ -23,3 +23,14 @@ if [ ! "$DEBUG" = "False" ] && [ "$BASIC_AUTH_RAW$ALLOW_LIST" = "" ];then
   printf "\nMust have BASIC_AUTH_RAW or ALLOW_LIST authentication configured if DEBUG is not 'False'!\n"
   exit 1
 fi
+
+if [ "$ENABLE_BATCH" = True ]; then
+    cat > /etc/nginx/conf.d/batch_auth.include << END
+      auth_basic "Please enter your batch username and password";
+      auth_basic_user_file /etc/nginx/htpasswd/external/batch_api.htpasswd;
+      # pass logged in user to Django
+      proxy_set_header REMOTE-USER \$remote_user;
+END
+else
+    echo > /etc/nginx/conf.d/batch_auth.include
+fi
diff --git a/docker/webserver/nginx_templates/app.conf.template b/docker/webserver/nginx_templates/app.conf.template
@@ -197,6 +197,22 @@ server {
       # make sure to cache separate for languages
       proxy_cache_key $scheme$host$uri$is_args$args$http_accept_language;
 
+      include /etc/nginx/conf.d/batch_auth.include;
+
+      proxy_pass http://${IPV4_IP_APP_INTERNAL}:8080;
+    }
+
+    # openapi.yaml should never have auth, otherwise same as /
+    location /api/batch/openapi.yaml {
+      auth_basic off;
+      allow all;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_cache            ${NGINX_PROXY_CACHE};
+      proxy_cache_valid      200  1m;
+      proxy_cache_use_stale  updating error timeout invalid_header http_500 http_502 http_503 http_504;
+      expires 1m;
+      proxy_cache_key $scheme$host$uri$is_args$args$http_accept_language;
       proxy_pass http://${IPV4_IP_APP_INTERNAL}:8080;
     }
 
@@ -255,20 +271,6 @@ server {
       return 301 http://${subdomain}conn.${INTERNETNL_DOMAINNAME}/connection/;
     }
 
-    # batch API, requires authentication and passes basic auth user to Django App via headers
-    location /api/batch/v2 {
-      auth_basic "Please enter your batch username and password";
-      auth_basic_user_file /etc/nginx/htpasswd/external/batch_api.htpasswd;
-
-      # pass logged in user to Django
-      proxy_set_header REMOTE-USER $remote_user;
-
-      # pass host for Django's allowed_hosts
-      proxy_set_header Host $host;
-
-      proxy_pass http://${IPV4_IP_APP_INTERNAL}:8080;
-    }
-
     # monitoring, requires authentication
     location /grafana {
       auth_basic "Please enter your username and password";
