Password protecting an AWS Node EB application

Time: 2022-08-25 08:31:52

I've got a Node Elastic Beanstalk app up and running (through ELB). Right now it is just the AWS sample Node application on the server. Since this is a development server, before I can push my actual code up to the server I need to password protect the entire thing (this is to be used for client review, etc).

I am having a ton of trouble trying to figure out how to do this. It seems that the application code is dropped in /var/app/ and there's nothing in /var/www/html/ (no hidden files) where I would normally set up an htaccess file. It's using an nginx proxy, which I have never used, and I'm not exactly sure how the files are being served.

What's the best way to lock this server down? Security groups? htaccess? Something else?

3 solutions

#1


2  

Security groups will only block based on source IP, and htaccess is not supported by nginx. Instead they support configuration like this:

server {
    ...
    auth_basic "closed website";
    auth_basic_user_file conf/htpasswd;
}

But to achieve this you'll need to use Elastic Beanstalk's .ebextensions to modify the default nginx configuration. It's not easy at all.

The fastest way for you is probably to support HTTP auth within your Node app itself. There are many guides to this, but here is one: http://www.sitepoint.com/http-authentication-in-node-js/

#2


16  

In your Node.js Beanstalk application your instances will have their /etc/nginx/conf.d/00_elastic_beanstalk_proxy.conf set up like this:

server {
    listen 8080;

    location / {
        proxy_pass  http://nodejs;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    gzip on;
}

What you want is for it to be set up like this:

server {
    listen 8080;

    location / {
        proxy_pass  http://nodejs;
        proxy_set_header   Connection "";
        proxy_http_version 1.1;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    gzip on;
}

With a separate password file at /etc/nginx/.htpasswd that contains your login credentials.

STEP 1: Go to your local Linux environment and enter

sudo htpasswd -c .htpasswd someusernameofyourchoice

Navigate into that .htpasswd file and pull out the username and password line that you generated. It will look something like this:

someusernameofyourchoice:$apr1$.1EAU7DD$rt9jdihy1U.cFuBzJTMed.

STEP 2:

Now, in the root directory of your Node application (where your .git/ directory is located), create a hidden directory called .ebextensions/

Navigate into that .ebextensions/ directory, as you will need to make 2 files.

STEP 3:

The first file will be the config file that will generate your .htpasswd file on your Beanstalk application. Place the username and password hash that you generated earlier into this file and name it as follows:

00_nginx_htpasswd.config

files:
  "/etc/nginx/.htpasswd" :
    mode: "000755"
    owner: root
    group: root
    content: |
      someusernameofyourchoice:$apr1$.1EAU7DD$rt9jdihy1U.cFuBzJTMed.

STEP 4:

The second file you will create in your .ebextensions/ directory will update the 00_elastic_beanstalk_proxy.conf file on your Elastic Beanstalk environment. Name it as follows:

01_nginx_auth.config

files:
  /tmp/deployment/nginx_auth.sh:
    mode: "000755"
    content: |
      #!/bin/bash
      # Insert the two auth directives after the X-Forwarded-For line of the staged proxy config
      sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n     auth_basic "Restricted";\n  auth_basic_user_file \/etc\/nginx\/.htpasswd;\n/' /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf
container_commands:
  nginx_auth:
    command: "/tmp/deployment/nginx_auth.sh"

NOTE: If you only want the password protection on a certain environment, such as your development environment, you can pass an environment variable into your environment (in the Configuration > Software Configuration panel on your Beanstalk dashboard) and then add a conditional to this file's command that checks that environment variable before it runs. This way you can password protect your development environment while leaving your production environment free for the public to access. As you are putting everything into git to push it to your Beanstalk environment, this is very handy. The following is the modified file with those additions:

01_nginx_auth.config

files:
  /tmp/deployment/nginx_auth.sh:
    mode: "000755"
    content: |
      #!/bin/bash
      # Only add the auth directives when the NODE_ENV environment property is "development"
      if [ "$NODE_ENV" == "development" ]; then
        sed -i 's/$proxy_add_x_forwarded_for;/$proxy_add_x_forwarded_for;\n     auth_basic "Restricted";\n  auth_basic_user_file \/etc\/nginx\/.htpasswd;\n/' /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf
      fi
container_commands:
  nginx_auth:
    command: "/tmp/deployment/nginx_auth.sh"

STEP 5:

Once you have both of these files created in your .ebextensions/ directory, commit them and push them to Elastic Beanstalk. You should now be prompted for the username and password combination you generated in step 1.

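
The five steps above, as an added example that is not part of the original answer: a replacement body for /tmp/deployment/nginx_auth.sh that does what the sed one-liner does, but refuses to touch a config that lacks the anchor line, never inserts the directives twice, and fails the deployment if the password file is missing (nginx would otherwise answer 401 to everyone). It assumes the staged config path and the /etc/nginx/.htpasswd path used in the answer, and the NODE_ENV check from the NOTE.

```shell
#!/bin/bash
# Added example, not part of the original answer: a replacement body for
# /tmp/deployment/nginx_auth.sh. Same effect as the sed one-liner above, but it
# refuses to edit a config without the anchor line and never inserts twice.
set -eu

# Paths exactly as used in the answer above (staged config that Elastic
# Beanstalk installs at the end of the deployment, and the password file).
STAGED_CONF="/tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf"
HTPASSWD="/etc/nginx/.htpasswd"

# inject_basic_auth CONF HTPASSWD_PATH
# Inserts auth_basic / auth_basic_user_file right after the X-Forwarded-For
# line of CONF (inside `location / { ... }`), at the same indentation.
# Returns 0 when done or already present, 1 when the anchor line is missing.
inject_basic_auth() {
  conf="$1"
  htpasswd="$2"
  if grep -q 'auth_basic_user_file' "$conf"; then
    echo "basic auth already configured in $conf" >&2
    return 0
  fi
  if ! grep -q 'proxy_add_x_forwarded_for;' "$conf"; then
    echo "anchor line not found in $conf; refusing to edit" >&2
    return 1
  fi
  # awk rather than sed: the password file path needs no escaping and the
  # inserted lines copy the anchor line's indentation.
  awk -v hp="$htpasswd" '
    { print }
    /proxy_add_x_forwarded_for;/ && !done {
      match($0, /^[ \t]*/)
      indent = substr($0, 1, RLENGTH)
      print indent "auth_basic \"Restricted\";"
      print indent "auth_basic_user_file " hp ";"
      done = 1
    }' "$conf" > "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# count_auth_directives CONF : prints how many auth_basic_user_file lines CONF has
count_auth_directives() {
  grep -c 'auth_basic_user_file' "$1" || true
}

# Deployment entry point: acts only on a real deployment (staged config present)
# and only for the development environment, as in the answer's NODE_ENV check.
if [ -f "$STAGED_CONF" ] && [ "${NODE_ENV:-}" = "development" ]; then
  if [ ! -s "$HTPASSWD" ]; then
    echo "$HTPASSWD is missing or empty; nginx would reject every request" >&2
    exit 1
  fi
  inject_basic_auth "$STAGED_CONF" "$HTPASSWD"
fi
```

Paste the script as the `content:` of /tmp/deployment/nginx_auth.sh in 01_nginx_auth.config (keeping the container_commands entry), and change the .htpasswd entry in 00_nginx_htpasswd.config to mode "000640" with group nginx: a password file needs neither the execute bit nor world read, and the nginx worker, which runs as user nginx on the Beanstalk Amazon Linux images (an assumption; check with `ps -o user= -C nginx`), only needs to read it. The line htpasswd generates is an apr1 (MD5-based) hash, which nginx implements itself; bcrypt (`htpasswd -B`) only works where the system crypt() supports it, so use a long random password rather than relying on a stronger hash. Two operational caveats: Basic auth sends the credentials with every request, so terminate TLS on the ELB and do not expose port 80 without it; and if the environment's health check is an HTTP GET, a 401 will fail it, so keep the health check on TCP or add a location for the health-check path with `auth_basic off;`.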
#3


0  

If you are using Express.js you can add a lightweight middleware using the basic-auth package. In my case, all I needed was one username and password to lock down the site from the public. This was the easiest solution for that scenario when using a Node.js server on Elastic Beanstalk.

var express = require('express');
var auth = require('basic-auth');   // npm install basic-auth

var app = express();

// Reject every request that does not carry the one accepted username/password.
// The credentials are hard-coded here, exactly as in the original answer.
app.use(function(req, res, next) {
  var credentials = auth(req);   // undefined when there is no Basic Authorization header

  if (!credentials || credentials.name !== 'buster' || credentials.pass !== 'getinfree') {
    res.statusCode = 401;
    res.setHeader('WWW-Authenticate', 'Basic realm="example"');   // makes the browser prompt
    res.end('Access denied.');
  } else {
    next();
  }
});

Note that this solution requires adding the code within your Node app, not directly interfering with nginx.
