
Security: Basic HTTP Auth

For security reasons (the app is in debug mode) and content privacy reasons (it's possible to join for free using well-known test cards like 4242), we use Basic HTTP Auth on all non-production sites. You can find the username and password combination on LastPass.

There is only one exception: webhook routes, since not all services can pass an auth check (GitHub, Stripe, PayPal, Zoom, etc.).

Implementation

It's implemented at the nginx level as the cheapest and fastest way to protect the content (e.g., no need to bootstrap a Laravel app to check the auth).

To enable it, an nginx config for a site should include the following line in the `location / {}` block:

```ini
# IxDF: FOR NON-PRODUCTION ENVS ONLY!
include /home/forge/staging.ixdf.dev/current/infrastructure/nginx/snippets/auth_basic.directives.nginx;
```

Please find more details in the Nginx site config examples (the config is a bit more tricky as we do not want to enable basic auth for webhooks).
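The following is an added example, not the project's own site config (that lives in the Nginx site config examples referenced above). It shows one way to keep webhook routes open while everything else, including direct requests for `/index.php`, stays protected; the `/webhooks/` prefix, host name and PHP-FPM socket are assumptions, and it relies on `auth_basic` accepting variables (nginx 1.3.10+).

```nginx
# Added example, not the project's own config. Assumptions: the /webhooks/
# prefix, the host name, the PHP-FPM socket path, and nginx >= 1.3.10
# (auth_basic accepts variables, and the literal value "off" disables it).

# http context (e.g. /etc/nginx/conf.d/auth_basic_map.conf).
# $request_uri is the original request URI, so it is unchanged by the
# internal redirect to /index.php that try_files performs below.
map $request_uri $ixdf_auth_realm {
    default         "Non-production site";   # any other string enables auth
    ~^/webhooks/    off;                     # the literal "off" disables it
}

server {
    listen 80;
    server_name staging.example.test;        # placeholder host
    root /home/forge/staging.ixdf.dev/current/public;
    index index.php;

    # Set at server level so every location inherits it; the project's
    # auth_basic.directives.nginx snippet could be included here instead.
    # IxDF: FOR NON-PRODUCTION ENVS ONLY!
    auth_basic           $ixdf_auth_realm;
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        # A request for /index.php is checked against $request_uri like any
        # other, so a request that started as /webhooks/... stays exempt after
        # the try_files redirect, while a direct /index.php request is still
        # challenged.
        fastcgi_pass unix:/var/run/php/php-fpm.sock;   # placeholder socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    }
}
```

After `sudo nginx -t` and a reload, a request to `/` without credentials should return 401 and a request to `/webhooks/anything` should reach the application.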

As you can see from the included snippet, the password hash is stored in the /etc/nginx/.htpasswd file.

Set/update credentials

When choosing a username and password combination, please keep in mind that it should be short, memorable and reflect our company culture.

To set a new password, use the following command:

```bash
sudo htpasswd -c /etc/nginx/.htpasswd <USERNAME>
```

The -c flag tells htpasswd to create a new file. Do not include the -c flag if you are adding additional users to an existing .htpasswd file.

Test the configuration and reload nginx. Before restarting nginx, it's a good practice to test the configuration to ensure that there are no syntax errors. You can do that by running the following command:

```bash
sudo nginx -t
```

If the test is successful, reload nginx to apply the changes:

```bash
sudo service nginx reload
```

After reloading, the new password should be in effect, and the updated credentials will be required to access the protected content.

Please remember to update the old credentials in LastPass, so your colleagues can access the dev sites if they need to.

Removing old credentials

To remove old users you can use the following command:

```bash
sudo htpasswd -D /etc/nginx/.htpasswd <USERNAME>
```

Test the configuration and reload nginx for the changes to take effect.