Implement authentication via archweb

This implements authentication to our repos.archlinux.org tier 0 mirror via archweb.

Implement authentication via archweb
ce7c62ca · Jelle van der Waa · f00b9a9d · ce7c62ca · ce7c62ca · ce7c62ca
Verified Commit ce7c62ca authored 3 years ago by Jelle van der Waa
--- a/group_vars/all/vault_archweb.yml
+++ b/group_vars/all/vault_archweb.yml
 $ANSIBLE_VAULT;1.1;AES256
-63306162336566643630366662653265303939376338636235616239653937363131383434386333
-3734623331386639396165313166646164393166623931360a353338386437346366316132643337
-66643535396164623932656236633232316135623530613862393666333866663030336433336161
-3033306130646265370a316130353338393766623761653035633633623834653439336161616561
-32666462313961323664393735643434336162306363626335373235666334626337346130386561
-32386337316433393731656632646662346130356535396434376363356261663332376637323839
-36666232393564346337616566393336623566643334383835346230333938636135383039633861
-37616265396261313237363837346236616331383662636462336263356366383064333532656361
-34653735316365366637386561663939336363633763316564646263303136346232396639383437
-35663666303562626339343765613563346663326433323162396165653533626239316434356137
-32356430323766393061356234643133623439306437373164363339393866616338616462383338
-30376365326232386161336366353763323632303964336466353834643561366465353562353664
-38383466326533353630663962396662616438303939333434303430623836373164323136333761
-62613466356662316461373033643630333734313135613061346130303761636262633033323639
-66373737353865316665363737633037393163323166363261383466363530363366356566343166
-31396530396662323565393863663336333866313839636266363239636364376130343634613165
-39623039383435353639343664656337323330623231663036376131323934393236623531303437
-35323565623638643930393362613336303533353561643661613739343239653666666462643238
-66303566353465663933396361306135616331643436323565333362353434623530326534346364
-65656466623231323366646537383264303966376139616634646334663332383037636163323032
-33636265626565373761666538623866313566633833663136663466333237326462643431336438
-65316130303535653461643461306261303139386563323530346232366133656165306362613633
-666239353561336532623835653935663734
+34373565336261636435623037626134306239363436343463363062633131333864373165363031
+3037393931396437633135326630333366626537663061350a346136346130343132386434366333
+64356266373637616535656531306161393332653036633136393234336436303562636235383535
+6366303962643064620a653863646433333539336239656531626134323032643832356165396563
+30313261373931343066356132616363653663373339343364313563343332646565363561393562
+37633334613931373964323537633361663230343434386565316432393336363263343164353933
+35636235663466613562306432383333663066356632613039353962356337333737353439386537
+31313439326237366639323230343961393330623633333737353063613963373766363734343064
+32316661646437643663323134663762653636383563396562353533613566656662336566393536
+31636533343561393534663233663030393363663837363965663038343966353830633764386339
+30646163383731376130636462346235616633316161623135303264633332633063633362356638
+33306138633064613463386438386365643063616537616666393266336136636530353662636161
+66646631613031653339356236356233343936626439396539306462376566306230363933663235
+33356362316264383733313437326437636566323263383062343066393435616663306336613465
+62373965616134643830313562386437396437353036323038353439613833316233653962663265
+36663763393636376138663938643761346434396331336637313034323838393361636135316637
+63306630653264366639663031666135343564636564613639333432363431393737376464383263
+31343434383331363937323833376232353335626132353332373835303363646562393039636235
+30313239656135626539386437626630626162646262336638646435633639356461653935653234
+30376266383464623561633139303164376565373761323535616332313630323732396533363730
+38353561373937623961343464633465306566616266633038653231653534323533623562376335
+31623638643336663637356331656363333633663730316635326133376633303933346461373838
+39326537376338313161376537303738376139613631316332663739313266366434323465313335
+61323964396331626365363737373566336565333438303935623534626433363130316133626236
+64656535613435326464633561343065313865313437366365316162323534666430393234383163
+3663353632333065383764313531303631386335646363636363
--- a/roles/archweb/templates/local_settings.py.j2
+++ b/roles/archweb/templates/local_settings.py.j2
@@ -71,4 +71,7 @@ ALLOWED_HOSTS = [{% for host in archweb_allowed_hosts %}'{{ host }}', {% endfor

 PGP_SERVER = 'keyserver.ubuntu.com'

+TIER0_MIRROR_DOMAIN = 'repos.archlinux.org'
+TIER0_MIRROR_SECRET = '{{ vault_archweb_x_sent_from_secret }}'
+
 # vim: set ts=4 sw=4 et:
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
+proxy_cache_path  /var/lib/nginx/cache levels=1:2 keys_zone=auth_cache:5m inactive=60m;
+
 server {
    listen       80;
    listen       [::]:80;
@@ -22,9 +24,29 @@ server {
    }

    location / {
-        auth_basic            "Restricted";
-        auth_basic_user_file  auth/dbscripts.htpasswd;
+        auth_request /devel/mirrorauth/;

        autoindex  on;
    }
+
+    location = /devel/mirrorauth/ {
+        internal;
+
+        # Do not pass the request body, only http authorisation header is required
+        proxy_pass_request_body off;
+        proxy_set_header        Content-Length "";
+
+        # Proxy headers
+        proxy_set_header        Host                    "archlinux.org";
+        proxy_set_header        X-Sent-From             "{{ vault_archweb_x_sent_from_secret }}";
+
+        # Cache responses from the auth proxy
+        proxy_cache             auth_cache;
+        proxy_cache_key         "$scheme$proxy_host$request_uri$http_authorization";
+
+        # Authentication to archweb
+        proxy_pass https://archlinux.org;
+	proxy_ssl_verify on;
+	proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+    }
 }