evorepo/docs/mirror_access.md
Robin Candau 3a8275d0a0 Rename TU to Package Maintainer
In the continuity of the effort started to apply the 'TU --> Package Maintainer' rename to every Arch resources, here's a PR for archweb :)

Related MRs/Tickets:
- https://gitlab.archlinux.org/archlinux/package-maintainer-bylaws/-/merge_requests/6
- https://gitlab.archlinux.org/archlinux/aurweb/-/merge_requests/755
- https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/533

This PR also updates the few obsolete mentions of the [community] repository in the various descriptions
2023-10-23 19:31:11 +02:00

2.3 KiB

Mirror Access

Archweb can be used as an external authentication provider in combination with ngx_http_auth_request_module. A user with a Developer, Package Maintainer and Support Staff role can generate an access token, used in combination with their username, on the /devel/tier0mirror URL. Mirror authentication is done against /devel/mirrorauth using HTTP Basic authentication.

Configuration

There are two configuration options for this feature, one of which is optional:

  • TIER0_MIRROR_DOMAIN - the mirror domain used to display the mirror URL with authentication.
  • TIER0_MIRROR_SECRET - an optional secret sent by nginx in the X-Sent-From header; all requests without this secret value are ignored. This can be used to prevent anyone from brute-forcing the HTTP Basic auth password/token.

nginx configuration

Example configuration with optional caching of the authentication request, which reduces the load on archweb when, for example, this feature is used for a mirror. By default archweb caches /devel/mirrorauth for 5 minutes.

http {
    proxy_cache_path  /var/lib/nginx/cache/auth_cache levels=1:2 keys_zone=auth_cache:5m;

    server {
        location /protected {
            auth_request /devel/mirrorauth;

            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        location = /devel/mirrorauth {
            internal;

            # Do not pass the request body, only http authorisation header is required
            proxy_pass_request_body off;
            proxy_set_header        Content-Length "";

            # Proxy headers
            proxy_set_header        Host                    $host;
            proxy_set_header        X-Original-URL          $scheme://$http_host$request_uri;
            proxy_set_header        X-Original-Method       $request_method;
            proxy_set_header        X-Auth-Request-Redirect $request_uri;
            # Shared secret checked by archweb; must match TIER0_MIRROR_SECRET
            proxy_set_header        X-Sent-From             "arch-nginx";

            # Cache responses from the auth proxy
            proxy_cache             auth_cache;
            proxy_cache_key         "$scheme$proxy_host$request_uri$http_authorization";

            # Authentication to archweb
            proxy_pass https://archlinux.org;
        }
    }
}
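
A sketch of the server-side check behind /devel/mirrorauth as described above, added here as an example and not archweb's own code: the X-Sent-From secret is verified before the HTTP Basic credentials are looked at. The function names, the in-memory token store, the sample values and the 401 status for rejected requests are assumptions; ngx_http_auth_request_module allows the request on a 2xx response and denies it on 401 or 403.

```python
import base64
import binascii
import hmac

# Hypothetical stand-ins for the TIER0_MIRROR_SECRET setting and the stored
# per-user access tokens; all values are constructed for this example.
TIER0_MIRROR_SECRET = "arch-nginx"
ACCESS_TOKENS = {"alice": "s3cr3t-token"}


def basic_header(username, token):
    """Build the Authorization header a mirror client would send."""
    raw = f"{username}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic_auth(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields; the password may contain more.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def mirror_auth(headers, secret=TIER0_MIRROR_SECRET, tokens=ACCESS_TOKENS):
    """Status code for the auth_request subrequest: 200 allows, 401 denies."""
    # Shared secret first: requests that did not come through nginx are
    # rejected before any token comparison, so they cannot be used for guessing.
    sent_from = headers.get("X-Sent-From", "")
    if secret and not hmac.compare_digest(sent_from.encode(), secret.encode()):
        return 401
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is None:
        return 401
    username, token = creds
    expected = tokens.get(username)
    # Constant-time comparison; unknown users are compared against a dummy value.
    matches = hmac.compare_digest(token.encode(), (expected or "\0").encode())
    return 200 if matches and expected is not None else 401
```
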