Ensure monitoring is accessible also with basic authentication (#3247)

* Fix Debian 11 bullseye problems with supervisord (kill_supervisord.sh did not work) * Ensure monitoring (/phpstatus) works even with basic authentication enabled * Add tests to make sure /phpstatus works on nginx and apache with basic auth enabled * Fix apache config in supervisord, add test to make sure phpstatus works * Simplify phpstatus test by just reloading webserver Co-authored-by: Gilbertsoft <25326036+gilbertsoft@users.noreply.github.com> Co-authored-by: Randy Fay <randy@randyfay.com>
ddev · Sep 17, 2021 · 0ca78c5 · 0ca78c5
1 parent 1574b48
commit 0ca78c5
Show file tree

Hide file tree

Showing 11 changed files with 61 additions and 11 deletions.
diff --git a/containers/ddev-webserver/ddev-webserver-base-files/etc/nginx/monitoring.conf b/containers/ddev-webserver/ddev-webserver-base-files/etc/nginx/monitoring.conf
@@ -1,12 +1,14 @@
     ## provide a health check endpoint
     location /healthcheck {
+        auth_basic off;
         access_log off;
         stub_status     on;
         keepalive_timeout 0;    # Disable HTTP keepalive
         return 200;
     }
 
     location ~ ^/phpstatus$ {
+        auth_basic off;
         access_log off;
         stub_status     on;
         keepalive_timeout 0;    # Disable HTTP keepalive

diff --git a/containers/ddev-webserver/ddev-webserver-base-files/etc/supervisor/apache.conf b/containers/ddev-webserver/ddev-webserver-base-files/etc/supervisor/apache.conf
@@ -1,10 +1,14 @@
 [program:apache2]
 stopwaitsecs = 20
 startretries=10
-stopsignal = WINCH
-command=/usr/sbin/apache2ctl -k restart -D "FOREGROUND"
+stopsignal = TERM
+command=/usr/sbin/apache2ctl -D "FOREGROUND"
+# Great hints at https://advancedweb.hu/supervisor-with-docker-lessons-learned/
+killasgroup=true
+stopasgroup=true
 priority=6
 stdout_logfile=/proc/self/fd/2
 stdout_logfile_maxbytes=0
 redirect_stderr=true
 exitcodes=0,1
+startsecs=1 # Must stay up 1 sec
diff --git a/containers/ddev-webserver/ddev-webserver-base-files/etc/supervisor/conf.d/supervisor.conf b/containers/ddev-webserver/ddev-webserver-base-files/etc/supervisor/conf.d/supervisor.conf
@@ -1,7 +1,7 @@
 [supervisord]
 logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log)
 loglevel=info                ; (log level;default info; others: debug,warn,trace)
-pidfile=//var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
 nodaemon=false               ; (start in foreground if true;default false)
 
 [eventlistener:child_exit_monitor]

diff --git a/containers/ddev-webserver/ddev-webserver-base-files/usr/local/bin/kill_supervisor.py b/containers/ddev-webserver/ddev-webserver-base-files/usr/local/bin/kill_supervisor.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 import sys
 import os
 import signal
@@ -15,14 +15,14 @@ def main():
    while 1:
        write_stdout('READY\n')
        line = sys.stdin.readline()
-       write_stdout('This line kills supervisor: ' + line);
+       write_stdout('This line kills supervisor: ' + line)
        try:
                pidfile = open('/var/run/supervisord.pid','r')
-               pid = int(pidfile.readline());
+               pid = int(pidfile.readline())
                os.kill(pid, signal.SIGQUIT)
        except Exception as e:
                write_stdout('Could not kill supervisor: ' + e.strerror + '\n')
        write_stdout('RESULT 2\nOK')
 if __name__ == '__main__':
    main()
-   import sys
+   import sys
diff --git a/containers/ddev-webserver/ddev-webserver-prod-files/etc/supervisor/apache.conf b/containers/ddev-webserver/ddev-webserver-prod-files/etc/supervisor/apache.conf
@@ -1,10 +1,14 @@
 [program:apache2]
 stopwaitsecs = 20
 startretries=10
-stopsignal = WINCH
-command=/usr/sbin/apache2ctl -k restart -D "FOREGROUND"
+stopsignal = TERM
+command=/usr/sbin/apache2ctl -D "FOREGROUND"
+# Great hints at https://advancedweb.hu/supervisor-with-docker-lessons-learned/
+killasgroup=true
+stopasgroup=true
 priority=6
 stdout_logfile=/proc/self/fd/2
 stdout_logfile_maxbytes=0
 redirect_stderr=true
 exitcodes=0,1
+startsecs=1 # Must stay up 1 sec
diff --git a/containers/ddev-webserver/ddev-webserver-prod-files/etc/supervisor/conf.d/supervisor.conf b/containers/ddev-webserver/ddev-webserver-prod-files/etc/supervisor/conf.d/supervisor.conf
@@ -1,7 +1,7 @@
 [supervisord]
 logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log)
 loglevel=info                ; (log level;default info; others: debug,warn,trace)
-pidfile=//var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
 nodaemon=false               ; (start in foreground if true;default false)
 
 [eventlistener:child_exit_monitor]

diff --git a/containers/ddev-webserver/tests/ddev-webserver/php_webserver.bats b/containers/ddev-webserver/tests/ddev-webserver/php_webserver.bats
@@ -127,3 +127,32 @@
   run docker exec -t $CONTAINER_NAME disable_xdebug
   run docker exec -t $CONTAINER_NAME disable_xhprof
 }
+
+@test "verify htaccess doesn't break ${WEBSERVER_TYPE} php${PHP_VERSION}" {
+  docker cp tests/ddev-webserver/testdata/nginx/auth.conf ${CONTAINER_NAME}:/etc/nginx/common.d
+  docker cp tests/ddev-webserver/testdata/nginx/junkpass ${CONTAINER_NAME}:/tmp
+  docker cp tests/ddev-webserver/testdata/apache/auth.conf ${CONTAINER_NAME}:/etc/apache2/conf-enabled
+  # Reload webserver
+  if [ "${WEBSERVER_TYPE}" = "apache-fpm" ]; then
+    docker exec ${CONTAINER_NAME} apache2ctl -k graceful
+  else
+    docker exec ${CONTAINER_NAME} nginx -s reload
+  fi
+  sleep 2
+  # Make sure we can hit /phpstatus without auth
+  run curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:$HOST_HTTP_PORT/phpstatus
+  echo "# phpstatus status=$output"
+  [ "$status" = 0 ]
+  [ "$output" = "200" ]
+  curl --fail -s http://127.0.0.1:$HOST_HTTP_PORT/phpstatus | egrep "idle processes|php is working"
+  # Make sure the auth requirement is actually working
+  curlstmt="curl --fail -s -o /dev/null -w "%{http_code}" http://127.0.0.1:$HOST_HTTP_PORT/test/phptest.php"
+  run ${curlstmt}
+  [ "$output" = "401" ]
+
+  # Make sure it works with auth when hitting phptest.php
+  AUTH=$(echo -ne "junk:junk" | base64)
+  curl --fail --header "Authorization: Basic $AUTH" 127.0.0.1:$HOST_HTTP_PORT/test/phptest.php
+  docker exec ${CONTAINER_NAME} rm /etc/nginx/common.d/auth.conf /etc/apache2/conf-enabled/auth.conf
+  docker exec ${CONTAINER_NAME} kill -HUP 1
+}
diff --git a/containers/ddev-webserver/tests/ddev-webserver/testdata/apache/auth.conf b/containers/ddev-webserver/tests/ddev-webserver/testdata/apache/auth.conf
@@ -0,0 +1,8 @@
+<Directory /var/www/html>
+AuthType Basic
+AuthName "Restricted Files"
+# (Following line optional)
+AuthBasicProvider file
+AuthUserFile "/tmp/junkpass"
+Require valid-user
+</Directory>
diff --git a/containers/ddev-webserver/tests/ddev-webserver/testdata/nginx/auth.conf b/containers/ddev-webserver/tests/ddev-webserver/testdata/nginx/auth.conf
@@ -0,0 +1,2 @@
+auth_basic   "Restricted Files";
+auth_basic_user_file    "/tmp/junkpass";
diff --git a/containers/ddev-webserver/tests/ddev-webserver/testdata/nginx/junkpass b/containers/ddev-webserver/tests/ddev-webserver/testdata/nginx/junkpass
@@ -0,0 +1 @@
+junk:$apr1$NvBN0a6P$lqw25K4bRP.JmyyD1DKUA/
diff --git a/pkg/version/version.go b/pkg/version/version.go
@@ -41,7 +41,7 @@ var DockerComposeFileFormatVersion = "3.6"
 var WebImg = "drud/ddev-webserver"
 
 // WebTag defines the default web image tag for drud dev
-var WebTag = "20210910_mutagen_state_neighboring" // Note that this can be overridden by make
+var WebTag = "20210916_gilbertsoft_phpstatus" // Note that this can be overridden by make
 
 // DBImg defines the default db image used for applications.
 var DBImg = "drud/ddev-dbserver"