feat: vert auth

2025-11-06 18:05:01 +01:00
parent 2092fbde23
commit 17512d111e
4 changed files with 14 additions and 9 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -265,7 +265,7 @@ VERT universal file format converter:
 - **PUB_ENV**: `production` (environment mode)
 - **PUB_DISABLE_ALL_EXTERNAL_REQUESTS**: `true` (privacy mode)
 - **VERT_SABLIER_ENABLED**: `true` (enable scale-to-zero)
- **VERT_AUTH_USERS**: HTTP Basic Auth credentials (htpasswd format in `.env`)
+- **AUTH_USERS**: Shared HTTP Basic Auth credentials (htpasswd format in `.env`)

 **Usage**:
 Simply access https://vert.pivoine.art and drag/drop files to convert between formats. All processing happens in your browser using WebAssembly - no data is uploaded to the server.
@@ -392,19 +392,24 @@ docker volume inspect <volume_name>
 ## Security Configuration

 ### HTTP Basic Authentication
-Scrapyd is protected with HTTP Basic Auth via Traefik middleware:
- Credentials stored in `.env` as `SCRAPY_AUTH_USERS`
+Protected services (Scrapy, VERT, Proxy dashboard) use HTTP Basic Auth via Traefik middleware:
+- **Shared credentials** stored in `.env` as `AUTH_USERS`
 - Format: `username:$apr1$hash` (Apache htpasswd format)
 - Generate new hash: `openssl passwd -apr1 'your_password'`
 - Remember to escape `$` signs with `$$` in `.env` files

+**Protected Services:**
+- Scrapy (scrapyd + UI)
+- VERT (file converter)
+- Traefik Proxy dashboard
+
 **To update credentials:**
 ```bash
 # Generate hash
 echo "username:$(openssl passwd -apr1 'new_password')"

-# Update .env
-SCRAPY_AUTH_USERS=username:$$apr1$$hash$$here
+# Update .env with shared credentials
+AUTH_USERS=username:$$apr1$$hash$$here

 # Sync to VPS
 rsync -avzhe ssh .env root@vps:~/Projects/docker-compose/
--- a/proxy/compose.yaml
+++ b/proxy/compose.yaml
@@ -81,7 +81,7 @@ services:
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.service=api@internal'
-      - 'traefik.http.middlewares.${PROXY_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${PROXY_AUTH_USERS}'
+      - 'traefik.http.middlewares.${PROXY_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS}'
      - 'traefik.http.routers.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${PROXY_COMPOSE_PROJECT_NAME}-auth'
      - 'traefik.http.services.${PROXY_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=8080'
      - 'traefik.docker.network=${NETWORK_NAME}'
--- a/scrapy/compose.yaml
+++ b/scrapy/compose.yaml
@@ -22,7 +22,7 @@ services:
      - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.entrypoints=web-secure'
      - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.priority=100'
      - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-stripprefix.stripprefix.prefixes=/scrapyd'
-      - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-auth.basicauth.users=${SCRAPY_AUTH_USERS}'
+      - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-auth.basicauth.users=${AUTH_USERS}'
      - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure-compress.compress=true'
      - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.middlewares=${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-auth,${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-stripprefix,${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure-compress'
      - 'traefik.http.services.${SCRAPY_COMPOSE_PROJECT_NAME}-scrapyd-web-secure.loadbalancer.server.port=6800'
@@ -78,7 +78,7 @@ services:
      - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.rule=Host(`${SCRAPY_TRAEFIK_HOST}`)'
      - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.tls.certresolver=resolver'
      - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.entrypoints=web-secure'
-      - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-auth.basicauth.users=${SCRAPY_AUTH_USERS}'
+      - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-auth.basicauth.users=${AUTH_USERS}'
      - 'traefik.http.middlewares.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure-compress.compress=true'
      - 'traefik.http.routers.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.middlewares=${SCRAPY_COMPOSE_PROJECT_NAME}-ui-auth,${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure-compress'
      - 'traefik.http.services.${SCRAPY_COMPOSE_PROJECT_NAME}-ui-web-secure.loadbalancer.server.port=3000'
--- a/vert/compose.yaml
+++ b/vert/compose.yaml
@@ -12,7 +12,7 @@ services:
    labels:
      - 'traefik.enable=${VERT_TRAEFIK_ENABLED}'
      # Middlewares (used by dynamic config)
-      - 'traefik.http.middlewares.${VERT_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${VERT_AUTH_USERS}'
+      - 'traefik.http.middlewares.${VERT_COMPOSE_PROJECT_NAME}-auth.basicauth.users=${AUTH_USERS}'
      - 'traefik.http.middlewares.${VERT_COMPOSE_PROJECT_NAME}-web-secure-compress.compress=true'
      # Service definition
      - 'traefik.http.services.${VERT_COMPOSE_PROJECT_NAME}-web-secure.loadbalancer.server.port=80'