Security: protect app with HTTP Basic Auth

.env.example

@@ -1,10 +1,14 @@
 # Mets 7000 si le port est libre, sinon garde 7001
 APP_PORT=7001
 
-# API backend (etape 1 migration)
+# API backend
 API_PORT=7002
 
 # Base dediee a l'application video games
 VG_DB_NAME=video_games
 VG_DB_USER=video_games_user
 VG_DB_PASSWORD=change_me
+
+# Auth de l'interface web
+APP_BASIC_AUTH_USER=beuz
+APP_BASIC_AUTH_PASSWORD=change_me_now

Dockerfile

@@ -2,9 +2,14 @@ FROM nginx:1.27-alpine
 
 WORKDIR /usr/share/nginx/html
 
+RUN apk add --no-cache apache2-utils
+
 COPY nginx/default.conf /etc/nginx/conf.d/default.conf
+COPY nginx/entrypoint.sh /entrypoint.sh
 COPY index.html ./index.html
 COPY styles.css ./styles.css
 COPY app.js ./app.js
 
 EXPOSE 80
+
+CMD ["/entrypoint.sh"]

docker-compose.yml

@@ -37,6 +37,9 @@ services:
     restart: unless-stopped
     depends_on:
       - video-games-api
+    environment:
+      - APP_BASIC_AUTH_USER=${APP_BASIC_AUTH_USER:-beuz}
+      - APP_BASIC_AUTH_PASSWORD=${APP_BASIC_AUTH_PASSWORD:-change_me_now}
     ports:
       - "${APP_PORT:-7001}:80"
 

nginx/default.conf

@@ -4,6 +4,8 @@ server {
 
   root /usr/share/nginx/html;
   index index.html;
+  auth_basic "Acces protege";
+  auth_basic_user_file /etc/nginx/.htpasswd;
 
   location /api/ {
     proxy_pass http://video-games-api:3001/api/;
@@ -15,6 +17,7 @@ server {
   }
 
   location = /health {
+    auth_basic off;
     proxy_pass http://video-games-api:3001/health;
     proxy_http_version 1.1;
   }

nginx/entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+BASIC_USER="${APP_BASIC_AUTH_USER:-admin}"
+BASIC_PASS="${APP_BASIC_AUTH_PASSWORD:-change_me_now}"
+
+htpasswd -bc /etc/nginx/.htpasswd "$BASIC_USER" "$BASIC_PASS" >/dev/null
+
+exec nginx -g 'daemon off;'