feat(auth): optional HTTP Basic Auth for the whole site

nginx includes auth_enabled.conf, (re)written at container start from
BASIC_AUTH_USER/PASSWORD (htpasswd via apache2-utils). Both set => the site +
/api require a shared login; unset => open (local dev not locked out). Set both
on the Coolify web service to protect the deployment.
This commit is contained in:
Julien Calixte
2026-06-26 16:32:42 +01:00
parent 2b4d056ab8
commit 7b871f4cbf
5 changed files with 45 additions and 10 deletions

View File

@@ -0,0 +1,16 @@
#!/bin/sh
# Toggle HTTP Basic Auth for the whole site from env at container start.
# Runs via nginx:alpine's /docker-entrypoint.d/ hook, before nginx starts.
set -e
if [ -n "$BASIC_AUTH_USER" ] && [ -n "$BASIC_AUTH_PASSWORD" ]; then
htpasswd -bc /etc/nginx/.htpasswd "$BASIC_AUTH_USER" "$BASIC_AUTH_PASSWORD" >/dev/null 2>&1
cat > /etc/nginx/auth_enabled.conf <<EOF
auth_basic "photofetch";
auth_basic_user_file /etc/nginx/.htpasswd;
EOF
echo "[entrypoint] basic auth ENABLED (user: $BASIC_AUTH_USER)"
else
: > /etc/nginx/auth_enabled.conf
echo "[entrypoint] basic auth disabled (set BASIC_AUTH_USER + BASIC_AUTH_PASSWORD to enable)"
fi