From 17512d111e81299bd5ff1f956d33f300f356ad8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= Date: Thu, 6 Nov 2025 18:05:01 +0100 Subject: [PATCH] feat: vert auth --- CLAUDE.md | 15 ++++++++++----- proxy/compose.yaml | 2 +- scrapy/compose.yaml | 4 ++-- vert/compose.yaml | 2 +- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 3e0bd5b..ca64866 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -265,7 +265,7 @@ VERT universal file format converter: - **PUB_ENV**: `production` (environment mode) - **PUB_DISABLE_ALL_EXTERNAL_REQUESTS**: `true` (privacy mode) - **VERT_SABLIER_ENABLED**: `true` (enable scale-to-zero) -- **VERT_AUTH_USERS**: HTTP Basic Auth credentials (htpasswd format in `.env`) +- **AUTH_USERS**: Shared HTTP Basic Auth credentials (htpasswd format in `.env`) **Usage**: Simply access https://vert.pivoine.art and drag/drop files to convert between formats. All processing happens in your browser using WebAssembly - no data is uploaded to the server. @@ -392,19 +392,24 @@ docker volume inspect ## Security Configuration ### HTTP Basic Authentication -Scrapyd is protected with HTTP Basic Auth via Traefik middleware: -- Credentials stored in `.env` as `SCRAPY_AUTH_USERS` +Protected services (Scrapy, VERT, Proxy dashboard) use HTTP Basic Auth via Traefik middleware: +- **Shared credentials** stored in `.env` as `AUTH_USERS` - Format: `username:$apr1$hash` (Apache htpasswd format) - Generate new hash: `openssl passwd -apr1 'your_password'` - Remember to escape `$` signs with `$$` in `.env` files +**Protected Services:** +- Scrapy (scrapyd + UI) +- VERT (file converter) +- Traefik Proxy dashboard + **To update credentials:** ```bash # Generate hash echo "username:$(openssl passwd -apr1 'new_password')" -# Update .env -SCRAPY_AUTH_USERS=username:$$apr1$$hash$$here +# Update .env with shared credentials +AUTH_USERS=username:$$apr1$$hash$$here # Sync to VPS rsync -avzhe ssh .env root@vps:~/Projects/docker-compose/ 
diff --git a/proxy/compose.yaml b/proxy/compose.yaml
index b98d49c..cd4d7fb 100644
--- a/proxy/compose.yaml
+++ b/proxy/compose.yaml
@@ -81,7 +81,7 @@ services:
 - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
 - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
 - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.service=api@internal'
- - 'traefik.http.middlewares.${PROXY_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${PROXY_AUTH_USERS}'
+ - 'traefik.http.middlewares.${PROXY_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS}'
 - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${PROXY_COMPOSE_PROJECT_NAME}-auth'
 - 'traefik.http.services.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=8080'
 - 'traefik.docker.network=${NETWORK_NAME}'
diff --git a/scrapy/compose.yaml b/scrapy/compose.yaml
index 9addc2b..caf76fd 100644
--- a/scrapy/compose.yaml
+++ b/scrapy/compose.yaml
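Review bot: Pointing the `-auth` middleware at `${AUTH_USERS}` makes the Traefik dashboard (`api@internal`) accept the same username and password as every other service touched by this commit, so a credential handed out for one of them also opens the dashboard, and one leaked hash exposes all of them. The same substitution is made in both scrapy hunks and in the vert hunk. If the consolidation is only for convenience, a per-service override with a shared fallback keeps the option of separating them again: `basicauth.users=${PROXY_AUTH_USERS:-${AUTH_USERS}}` (nested defaults depend on the Compose version in use; confirm against the one deployed).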
@@ -22,7 +22,7 @@ services:
 - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.entrypoints=web-secure'
 - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.priority=100'
 - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-stripprefix.stripprefix.prefixes=/scrapyd'
- - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-auth.basicauth.users=${SCRAPY_AUTH_USERS}'
+ - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-auth.basicauth.users=${AUTH_USERS}'
 - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure-compress.compress=true'
 - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.middlewares=${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-auth,${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-stripprefix,${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure-compress'
 - 'traefik.http.services.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.loadbalancer.server.port=6800'
@@ -78,7 +78,7 @@ services:
 - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.rule=Host(`${SCRAPY_TRAEFIK_HOST}`)'
 - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.tls.certresolver=resolver'
 - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.entrypoints=web-secure'
- - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-auth.basicauth.users=${SCRAPY_AUTH_USERS}'
+ - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-auth.basicauth.users=${AUTH_USERS}'
 - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure-compress.compress=true'
 - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.middlewares=${SCRAPY_COMPOSE_PROJECT_NAME}-ui-auth,${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure-compress'
 - 'traefik.http.services.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.loadbalancer.server.port=3000'
diff --git a/vert/compose.yaml b/vert/compose.yaml
index 77566f1..36044b8 100644
--- a/vert/compose.yaml
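Review bot: After this rename, an `.env` that still defines only `SCRAPY_AUTH_USERS` leaves `${AUTH_USERS}` unset, and Compose substitutes an empty string with no more than a warning, so both `basicauth.users=` labels in this file (new lines 25 and 81) would be rendered empty. How Traefik treats an empty user list cannot be seen from this commit, so the deploy should fail outright instead: `basicauth.users=${AUTH_USERS:?AUTH_USERS must be set in .env}`. The same guard fits the proxy and vert labels changed in this commit. Scrapyd accepts project uploads and job scheduling over this route, so it is the service where a misrendered auth label matters most.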
+++ b/vert/compose.yaml
@@ -12,7 +12,7 @@ services:
 labels:
 - 'traefik.enable=${VERT_TRAEFIK_ENABLED}'
 # Middlewares (used by dynamic config)
- - 'traefik.http.middlewares.${VERT_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${VERT_AUTH_USERS}'
+ - 'traefik.http.middlewares.${VERT_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS}'
 - 'traefik.http.middlewares.${VERT_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
 # Service definition
 - 'traefik.http.services.${VERT_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=80'
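Review bot: This hunk only defines the `-auth` middleware; no router label in the visible lines applies it, and the existing comment says the dynamic config does that. That file is not part of this commit, so whether VERT is actually behind Basic Auth cannot be confirmed here, even though CLAUDE.md now lists it as a protected service. I would make the dependency explicit in the comment, `# Middlewares (defined here, applied by the router in the dynamic config; VERT is unauthenticated unless that router lists it)`, and check the router reference on deploy. The `labels:` block continues outside the hunk.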