From 34845ea56f82e10441857e546431581b246c55d4 Mon Sep 17 00:00:00 2001
From: Roman Vynar
Date: Fri, 9 Sep 2016 01:15:47 +0300
Subject: [PATCH] Full SSL/password support now including QAN.
---
 CHANGELOG.md | 6 +++---
 docker-compose.yml | 4 ++--
 entrypoint.sh | 4 ++--
 nginx.conf | 9 +++++----
 4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 289721d06..7aecd71ff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,11 @@
 Percona Monitoring and Management (PMM) Server
-v1.0.4 unreleased 2016-09-02
+v1.0.4 unreleased 2016-09-08
 * Grafana 3.1.1.
 * Prometheus 1.0.2.
-* Added SSL and HTTP password support. Currently, only Prometheus, Consul APIs and QAN app are protected.
-* No extra `alias` label for Prometheus.
+* Added SSL and HTTP password protection.
+* No extra `alias` label on Prometheus.
 * Query Analytics App:
 * added sparkline charts to metrics
 * added search by query fingerprint
diff --git a/docker-compose.yml b/docker-compose.yml
index 7c80bad74..799261442 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,5 +27,5 @@ services:
 - METRICS_RETENTION=720h
 - METRICS_MEMORY=262144
 - METRICS_RESOLUTION=1s
-# - HTTP_USER=pmm
-# - HTTP_PASSWORD=abc123
+# - SERVER_USER=pmm
+# - SERVER_PASSWORD=abc123
diff --git a/entrypoint.sh b/entrypoint.sh
index a17fbf460..39d37eed6 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -9,8 +9,8 @@ if [ -e /etc/nginx/ssl/server.crt ] && [ -e /etc/nginx/ssl/server.key ]; then
 fi
 fi
-if [ -n "$HTTP_PASSWORD" ]; then
- echo "${HTTP_USER:-pmm}:$(openssl passwd -apr1 $HTTP_PASSWORD)" > /etc/nginx/.htpasswd
+if [ -n "$SERVER_PASSWORD" ]; then
+ echo "${SERVER_USER:-pmm}:$(openssl passwd -apr1 $SERVER_PASSWORD)" > /etc/nginx/.htpasswd
 sed -i 's/auth_basic off/auth_basic "PMM Server"/' /etc/nginx/nginx.conf
 # Disable Grafana HTTP auth
diff --git a/nginx.conf b/nginx.conf
index d6516fbe0..d8ae35ad0 100644
--- a/nginx.conf
+++ b/nginx.conf
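Review bot: In the entrypoint.sh hunk, `$SERVER_PASSWORD` is expanded unquoted inside the `openssl passwd -apr1` command substitution, so a password containing whitespace or glob characters is word-split before openssl sees it and the hash written to /etc/nginx/.htpasswd no longer matches what the operator set; a value beginning with `-` is parsed as an option. Passing it as an argument also places the cleartext in the process argument list. Feeding it on standard input avoids both: `echo "${SERVER_USER:-pmm}:$(printf '%s\n' "$SERVER_PASSWORD" | openssl passwd -apr1 -stdin)" > /etc/nginx/.htpasswd`. The password branch is independent of the certificate check shown in the hunk heading, so Basic credentials appear to travel over plain HTTP when no certificate is mounted, which deserves a line in the docs. The `if` body continues past the end of the hunk.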
@@ -18,6 +18,10 @@ http {
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
 gzip on;
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
 server {
 listen *:80;
 server_name _;
@@ -66,11 +70,8 @@ http {
 proxy_set_header Host $http_host;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
+ proxy_set_header Connection $connection_upgrade;
 proxy_read_timeout 86400;
-
- # Temporary until agent supports this.
- auth_basic off;
 }
 }
 }
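Review bot: With the `auth_basic off;` override removed in the second nginx.conf hunk, this proxied location carries no auth directive of its own, so whether it is protected depends on an `auth_basic` setting outside the hunk that entrypoint.sh rewrites only when SERVER_PASSWORD is set. A comment in its place would keep that dependency visible, for example `# auth_basic is inherited; entrypoint.sh turns it on only when SERVER_PASSWORD is set`. The removed comment suggests agents did not previously send credentials here, so presumably older agents are rejected once a password is configured, and the changelog entry could say so. The location block opens above the hunk.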