Add docs for HTTP basic auth

README.md

@@ -19,14 +19,71 @@ Docker image `sourcegraph/lang-python` from Docker Hub.
 
 ### 🔐 Secure deployment 🔐
 
-We recommend deploying the language server behind an auth proxy or firewall and
-treating it like an authenticated user because anyone that connects to the
-language server can access resources such as private code that the language
-server has access to.
-
-Make sure you set `python.sourcegraphUrl` to the URL that the language
-server should use to reach Sourcegraph, which is likely different from the URL
-that end users use.
+If you have private code, we recommend deploying the language server behind an
+auth proxy (such as the example below using HTTP basic authentication in NGINX), a firewall, or a VPN.
+
+### HTTP basic authentication
+
+You can prevent unauthorized access to the language server by enforcing HTTP basic authentication in nginx, which comes with the sourcegraph/server image. At a high level, you'll create a secret then put it in both the nginx config and in your Sourcegraph global settings so that logged-in users are authenticated when their browser makes requests to the Python language server.
+
+Here's how to set it up:
+
+Create an `.htpasswd` file in the Sourcegraph config directory with one entry:
+
+```
+$ htpasswd -c ~/.sourcegraph/config/.htpasswd langserveruser
+New password:
+Re-type new password:
+Adding password for user langserveruser
+```
+
+Add a location directive the [nginx.conf](https://docs.sourcegraph.com/admin/nginx) that will route requests to the Python language server:
+
+```nginx
+...
+http {
+    ...
+    server {
+        ...
+        location / {
+            ...
+        }
+
+        location /python {
+            proxy_pass http://host.docker.internal:4288;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+
+            auth_basic "basic authentication is required to access the language server";
+            auth_basic_user_file /etc/sourcegraph/.htpasswd;
+        }
+    }
+}
+```
+
+- If you're running the quickstart on Linux, change `host.docker.internal` to the output of `ip addr show docker0 | grep -Po 'inet \K[\d.]+'`.
+- If you're using [Kubernetes](#using-kubernetes) (e.g. [deploy-sourcegraph](https://github.com/sourcegraph/deploy-sourcegraph)), change `host.docker.internal` to `lang-python`.
+
+Add these to your Sourcegraph global settings:
+
+```
+  "python.serverUrl": "ws://langserveruser:PASSWORD@host.docker.internal:7080/python",
+  "python.sourcegraphUrl": "http://host.docker.internal:7080",
+```
+
+Fill in the `PASSWORD` that you created above.
+
+- If you're running the quickstart on Linux, change `host.docker.internal` to the output of `ip addr show docker0 | grep -Po 'inet \K[\d.]+'`.
+- If you're using [Kubernetes](#using-kubernetes) (e.g. [deploy-sourcegraph](https://github.com/sourcegraph/deploy-sourcegraph)):
+  - `python.serverUrl` is the address of the Python language server from the perspective of a user's browser (e.g. https://sourcegraph.example.com/python)
+  - `python.sourcegraphUrl` is the address of the Sourcegraph instance from the perspective of the Python language server (e.g. http://sourcegraph-frontend:30080)
+
+Finally, restart the sourcegraph/server container (or nginx deployment if deployed to Kubernetes) to pick up the configuration change.
+
+After deploying the language server, unauthenticated access to `http://localhost:7080/python` (or https://sourcegraph.example.com/python) should be blocked, but code intelligence should work when you're logged in.
+
+You can always revoke the `PASSWORD` by deleting the `.htpasswd` file and restarting nginx.
 
 ### Using Docker