From acead282dae719372e889c43c7cdbfa5cb6d26ed Mon Sep 17 00:00:00 2001
From: Vyacheslav Semin
Date: Wed, 22 Nov 2023 14:56:48 +0300
Subject: [PATCH] Add the ability to restrict access to info page (#101)
---
 Dockerfile | 2 +-
 Dockerfile.noplugins | 2 +-
 README.md | 2 ++
 proxy-docker-entrypoint.sh | 5 +++++
 4 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bd158734..3d2636b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -63,7 +63,7 @@ ENV DOCSERVICE_HOST_PORT=localhost:8000 \
 NGINX_WORKER_CONNECTIONS=4096
 EXPOSE 8888
 RUN yum -y updateinfo && \
- yum -y install gettext nginx && \
+ yum -y install gettext nginx httpd-tools && \
 yum clean all && \
 rm -f /var/log/*log
 COPY --chown=ds:ds config/nginx/nginx.conf /etc/nginx/nginx.conf
diff --git a/Dockerfile.noplugins b/Dockerfile.noplugins
index b6736b0e..dbb16b9b 100644
--- a/Dockerfile.noplugins
+++ b/Dockerfile.noplugins
@@ -57,7 +57,7 @@ ENV DOCSERVICE_HOST_PORT=localhost:8000 \
 NGINX_WORKER_CONNECTIONS=4096
 EXPOSE 8888
 RUN yum -y updateinfo && \
- yum -y install gettext nginx && \
+ yum -y install gettext nginx httpd-tools && \
 yum clean all && \
 rm -f /var/log/*log
 COPY --chown=ds:ds config/nginx/nginx.conf /etc/nginx/nginx.conf
diff --git a/README.md b/README.md
index d1225ff6..c79c8123 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,8 @@ Below is the complete list of parameters for `onlyoffice/docs-proxy`.
 - **NGINX_WORKER_CONNECTIONS**: Defines the nginx config [worker_connections](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) directive. Defaults to `4096`.
 - **SECURE_LINK_SECRET**: Defines secret for the nginx config directive [secure_link_md5](http://nginx.org/ru/docs/http/ngx_http_secure_link_module.html#secure_link_md5). Defaults to `verysecretstring`.
 - **INFO_ALLOWED_IP**: Defines ip addresses for accessing the info page. You can specify multiple values separated by a space.
+- **INFO_ALLOWED_USER**: Defines user name for accessing the info page. If not set to, [Nginx Basic Authentication](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html) will not be applied to access the info page.
+- **INFO_ALLOWED_PASSWORD**: Defines user password for accessing the info page. Used if `INFO_ALLOWED_USER` is set.
 Below is the complete list of parameters for `onlyoffice/docs-docservice`, `onlyoffice/docs-converter`.
 - **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.
diff --git a/proxy-docker-entrypoint.sh b/proxy-docker-entrypoint.sh
index a181e044..600d7245 100755
--- a/proxy-docker-entrypoint.sh
+++ b/proxy-docker-entrypoint.sh
@@ -21,4 +21,9 @@ if [[ -n "$INFO_ALLOWED_IP" ]]; then
 sed -i '/(info)/a\ allow '$ip'\;' /tmp/proxy_nginx/includes/ds-docservice.conf
 done
 fi
+if [[ -n "$INFO_ALLOWED_USER" ]]; then
+ htpasswd -c -b /tmp/auth "${INFO_ALLOWED_USER}" "${INFO_ALLOWED_PASSWORD:-password}"
+ sed -i '/(info)/a\ auth_basic \"Authentication Required\"\;' /tmp/proxy_nginx/includes/ds-docservice.conf
+ sed -i '/auth_basic/a\ auth_basic_user_file \/tmp\/auth\;' /tmp/proxy_nginx/includes/ds-docservice.conf
+fi
 exec nginx -c /tmp/proxy_nginx/nginx.conf -g 'daemon off;'
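Review bot: The fallback in `"${INFO_ALLOWED_PASSWORD:-password}"` on the htpasswd line means that a deployment which sets only INFO_ALLOWED_USER gets the info page protected by the well-known password `password`, and the README text added in this commit does not mention that default. The entrypoint should refuse to start in that case rather than fall back to a guessable credential. The `-b` flag also places the password on the htpasswd command line, where it is readable from the process list while the command runs. I would replace that line with `: "${INFO_ALLOWED_PASSWORD:?INFO_ALLOWED_PASSWORD must be set when INFO_ALLOWED_USER is set}"` followed by `printf '%s\n' "$INFO_ALLOWED_PASSWORD" | htpasswd -c -i /tmp/auth "$INFO_ALLOWED_USER"`. Separately, /tmp/auth is created with whatever umask the entrypoint inherits, so it is worth confirming the file is readable only by the user nginx runs as.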