Add basic auth to all newly created sites by default

I am using the wonderful Hestia control panel for development purposes. So I must not forget to change robots.txt each time I create a copy of a site. I would like to automate this somehow. Moreover, I do not want to accidentally commit those temporary changes in git.

Putting all the sites under basic auth protection would work. But doing it manually is the same thing as robots.txt. Is there a way to automatically protect all the newly created sites (for all users or for a user) with Apache basic auth (with a default login/password)?

Thanks!

Are there any insights you can share? Or is it just not possible?

The only method that will work:

Create a new template for Nginx or Apache2
Create a file with the same name, template-name.sh, in the same folder as the nginx or apache2 template

#!/bin/bash

user="$1"
domain="$2"
ip="$3"
home="$4"
docroot="$5"

# Command that you need to run...
3 Likes

Following @eris's advice, here is an example:

For Apache, create a default.sh script in /usr/local/hestia/data/templates/web/apache2/php-fpm/ dir with the following content:

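#!/usr/bin/env bash
# Arguments passed by Hestia: $1 user, $2 domain, $3 ip (unused), $4 home, $5 docroot
user="$1"
domain="$2"
home="$4"
docroot="$5"

# Default password for every new site; replace ChangeMe
passwd='ChangeMe'
# SHA-256 crypt hash of the password
hash="$(openssl passwd -5 "$passwd")"
fhtpasswd="${home}/${user}/conf/web/${domain}/${domain}.htpasswd"
chtpasswd="${user}:${hash}"

# Basic auth directives for the .htaccess in the document root
fhtaccess="${docroot}/.htaccess"
chtaccess="AuthUserFile $fhtpasswd
AuthName \"Auth required\"
AuthType Basic
Require valid-user"

# Both files are overwritten if they already exist
echo "$chtaccess" >"$fhtaccess"
echo "$chtpasswd" >"$fhtpasswd"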

Give exe perms to the script:

chmod +x /usr/local/hestia/data/templates/web/apache2/php-fpm/default.sh

Now, every time you create a new web site using Apache’s default template, it will add auth to the web site using your user as default user and ChangeMe as password (remember to replace ChangeMe inside the script).

2 Likes

Cool, @sahsanu and @eris ! Thank you very much!

But, as I understand, that creates a .htaccess file in the doc root. I usually already have that kind of file in the projects I am working with. I was hoping to set basic auth through the Apache config, not with a file in a docroot (which would get into git changes). Can I automatically have it in VirtualHost or somewhere like that? Or maybe close the whole server altogether?

As I said, that was an example; if you have other needs, you should do it another way. In your case you should clone the default templates (tpl and stpl) under another name (so they won’t get overridden in future upgrades) and make the modifications in those templates.

Example using auth as Apache’s template name:

auth.tpl

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

<VirtualHost %ip%:%web_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %docroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log

    IncludeOptional %home%/%user%/conf/web/%domain%/apache2.forcessl.conf*

    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %docroot%>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
        AuthUserFile %home%/%user%/conf/web/%domain%/%domain%.htpasswd
        AuthName "Auth required"
        AuthType Basic
        Require valid-user
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

auth.stpl

#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://hestiacp.com/docs/server-administration/web-templates.html      #
#=========================================================================#

<VirtualHost %ip%:%web_ssl_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %sdocroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %sdocroot%>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        AuthUserFile %home%/%user%/conf/web/%domain%/%domain%.htpasswd
        AuthName "Auth required"
        AuthType Basic
        Require valid-user
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile %ssl_crt%
    SSLCertificateKeyFile %ssl_key%
    %ssl_ca_str%SSLCertificateChainFile %ssl_ca%

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>

auth.sh

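#!/usr/bin/env bash
# Arguments passed by Hestia: $1 user, $2 domain, $3 ip (unused), $4 home, $5 docroot
user="$1"
domain="$2"
home="$4"
docroot="$5"

# Default password for every new site; replace ChangeMe
passwd='ChangeMe'
# SHA-256 crypt hash of the password
hash="$(openssl passwd -5 "$passwd")"
fhtpasswd="${home}/${user}/conf/web/${domain}/${domain}.htpasswd"
chtpasswd="${user}:${hash}"

# Only the htpasswd file is written; the auth directives live in the templates
echo "$chtpasswd" >"$fhtpasswd"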
3 Likes
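
A hardened variant of the auth.sh above, as an added example that is not part of the original posts or of Hestia: it generates a random password per site instead of a shared ChangeMe, passes it to openssl on stdin, and writes the htpasswd file without world-read permission. The www-data group, the APACHE_GROUP and CRED_FILE variables and the /root/dev-site-credentials.txt path are assumptions.

```sh
#!/bin/sh
# Added example (not Hestia's or the posters' code). Hestia calls a template
# script with $1=user $2=domain $3=ip $4=home $5=docroot, as the thread shows.
set -eu

# Refuse values that could escape the conf directory when used in a path.
safe_name() {
    case "$1" in
        ''|-*|*/*|*..*) return 1 ;;
    esac
}

# Create the htpasswd file with a fresh random password and print that password.
# $4 is the group the Apache workers run as (assumption: www-data on Debian).
write_htpasswd() {
    wh_user="$1"; wh_domain="$2"; wh_home="$3"; wh_group="$4"
    safe_name "$wh_user" || return 1
    safe_name "$wh_domain" || return 1
    wh_file="${wh_home}/${wh_user}/conf/web/${wh_domain}/${wh_domain}.htpasswd"
    wh_pass="$(openssl rand -hex 16)"   # 128 random bits, unique per site
    # -stdin keeps the password out of the process list.
    wh_hash="$(printf '%s\n' "$wh_pass" | openssl passwd -5 -stdin)"
    # Owner read/write, group read, nothing for other users on the server.
    ( umask 027; printf '%s:%s\n' "$wh_user" "$wh_hash" >"$wh_file" )
    chgrp "$wh_group" "$wh_file"
    chmod 640 "$wh_file"
    printf '%s\n' "$wh_pass"
}

# Return 0 if password $2 matches the single entry stored in htpasswd file $1.
check_htpasswd() {
    ch_hash="$(cut -d: -f2 "$1")"
    ch_salt="$(printf '%s' "$ch_hash" | cut -d'$' -f3)"
    ch_try="$(printf '%s\n' "$2" | openssl passwd -5 -salt "$ch_salt" -stdin)"
    [ "$ch_try" = "$ch_hash" ]
}

# Run only when Hestia supplies its five arguments.
if [ "$#" -ge 5 ]; then
    # CRED_FILE is a hypothetical root-only location for the generated passwords.
    CRED_FILE="${CRED_FILE:-/root/dev-site-credentials.txt}"
    pass="$(write_htpasswd "$1" "$2" "$4" "${APACHE_GROUP:-www-data}")"
    ( umask 077; printf '%s %s %s\n' "$2" "$1" "$pass" >>"$CRED_FILE" )
fi
```

The group passed to write_htpasswd must be the one the Apache worker processes run under, otherwise they cannot read the file and every request to the site fails authentication.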

Thanks for the wise answers! I’ve ended up putting my Hestia behind Nginx Proxy Manager. I’ve configured basic auth for all my dev sites (which are all subdomains of the same domain) there.

1 Like
