Enable HTTP basic auth by default.

README.md

@@ -2,7 +2,7 @@
 
 Note: The standalone `parsedmarc` docker image on [DockerHub @ accolon/parsedmarc](https://hub.docker.com/r/accolon/parsedmarc) can also be used, if interested.
 
-This stack is based on [patschi's work](https://github.com/patschi/parsedmarc-dockerized) but also builds for and runs on ARM64 systems, e.g. the OCI Cloud Free Tier with Ampere CPUs. It includes a few other tweaks, too.
+This stack is based on [patschi's work](https://github.com/patschi/parsedmarc-dockerized) but also builds for and runs on ARM64 systems, e.g. the OCI Cloud Free Tier with Ampere CPUs. It includes a few other tweaks, too: It's running on port 443 by default (can be changed in `docker-compose.yml`) and has HTTP basic authentication enabled (default user/pw is admin/admin).
 
 ## Setup:
 1. Get basics together:
@@ -25,7 +25,12 @@ GEOIPUPDATE_FREQUENCY=24
 EOF
 ```
 
-4. Finally, we start up the stack and wait:
+4. Change credentials for HTTP basic auth, e.g. this way (needs apache2-utils or httpd-tools):
+```
+htpasswd -c data/conf/nginx/htpasswd USERNAME
+```
+
+5. Finally, we start up the stack and wait:
 ```
 docker-compose up -d
 ```
@@ -35,7 +40,7 @@ docker-compose up -d
 1. First, containers of the stack are created and started. This might take a while, as several containers have dependencies on others being in a healthy state (meaning that its service must be fully started).
 2. During the startup of the `parsedmarc-init` container, all required steps and preparations are being taken care of - like generating a self-signed certificate for the included `nginx` webserver.
 3. Once the Kibana container - where you can view the dashboards - is started up, the corresponding parsedmarc dashboards are automatically imported into Kibana by the `parsedmarc-init` container.
-4. After some while, when everything is up and running, you can then access Kibana and its dashboards under the shipped reverse proxy at `https://HOST_IP:9999`. (Make sure to use HTTPS!)
+4. After some while, when everything is up and running, you can then access Kibana and its dashboards under the shipped reverse proxy at `https://HOST_IP` (Make sure to use HTTPS!). There will be a warning due to the self-signed certificate. The default username/password for HTTP basic authentication is admin/admin. You should change this!
 
 ## Credits
 

data/conf/nginx/htpasswd

@@ -0,0 +1 @@
+admin:$apr1$VF255VLe$A5HSo8COu00g0IKCseOS61

data/conf/nginx/site.conf

@@ -12,18 +12,19 @@ server {
 	ssl_session_tickets off;
 
 	# modern configuration. tweak to your needs.
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_prefer_server_ciphers off;
 
 	add_header X-Frame-Options SAMEORIGIN;
 	add_header X-Content-Type-Options nosniff;
 
 	# Uncomment this next line if you are using a signed, trusted cert
 	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 
-	#auth_basic "Login required";
-	#auth_basic_user_file /etc/nginx/htpasswd;
+	# Enable a simple auth. User/PW is admin/admin by default, CHANGE THIS!
+	auth_basic "Login required";
+	auth_basic_user_file /etc/nginx/htpasswd;
 
 	location / {
 		proxy_pass http://kibana:5601;

docker-compose.yml

@@ -94,10 +94,11 @@ services:
     image: nginx:alpine
     restart: always
     ports:
-      - "9999:443"
+      - "443:443" # change this if port 443 is already used
     volumes:
       - ./data/conf/nginx/site.conf:/etc/nginx/conf.d/default.conf:ro
       - ./data/conf/nginx/ssl/:/etc/nginx/ssl/:ro
+	  - ./data/conf/nginx/htpasswd:/etc/nginx/htpasswd:ro
     networks:
       - parsedmarc-network
     depends_on: