Password protected server option #220

Closed
ghost opened this issue Sep 24, 2016 · 16 comments


ghost commented Sep 24, 2016

I am trying to put user and pass to my Sigal installation (through apache), but I don't know how to protect the sigal port.

Does Sigal have a password (user and pass) option? If it doesn't, please add one; it could be a great customization item.

Thanks

Owner

saimn commented Sep 26, 2016

Sigal simply generates HTML pages, there is no server process that could handle a password protection. So the password has to be handled in your web server (Apache, Nginx, ...).

Author

ghost commented Oct 2, 2016

Do you have any idea how I can generate a password in my web server (Apache)? Thanks :)

Owner

saimn commented Oct 2, 2016

There are many resources on this, if you search for Apache+htpassword.
Maybe https://httpd.apache.org/docs/2.2/en/howto/auth.html#gettingitworking ?

Author

ghost commented Oct 5, 2016

Yes, thanks, but htpasswd is only useful for regular links like mydomain.com, but if you want to protect a port (like mydomain.com:8085 with username and pass) there is too little info about that on the internet :(

Owner

saimn commented Oct 23, 2016

I don't know much about Apache configuration, sorry. Closing as it is not related to Sigal.

saimn closed this as completed Oct 23, 2016

Contributor

anarcat commented Dec 30, 2017

So let's say I know how to configure a webserver with password protection. :) My gallery is in /var/www/sigal/pictures and gets built in /var/www/sigal/_build, as expected. I can use Apache to make /var/www/sigal/_build private, using a directive like:

    <Directory /var/www/sigal/_build>
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Directory>

So far so good: I have a private gallery - yay! But what if I want only a part of the gallery (say foo/) to be private? This is a naive solution:

    <Directory /var/www/sigal/_build/foo>
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Directory>

This "works" in that the images in the gallery from that directory do not get shown. However, it "fails" because the root album also prompts for the password, which is a terrible user experience....

So one trick I have used to work around that is to then whitelist some of the files. For example, I can say that all files named public.jpg can actually be browsed even if they are in the private folder, like so:

    <Directory /var/www/sigal/_build/foo>
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Directory>

    <Files "public.jpg">
        Satisfy any
    </Files>

Then I just need to make sure, through the album information mechanism, that the right image is chosen as a thumbnail for that album, for example, in foo/index.md:

    Title: Private section
    Thumbnail: public.jpg

et voilà! you now have a hybrid private/public gallery. I wouldn't recommend this for highly sensitive pictures; I don't know exactly how sigal works, so some stuff may leak out in other ways. But it's a good simple way to add password-protection over certain areas with minimal configuration.

I'm not sure this is the right place to document this - it seems to me it would be a good addition to the manual, but i'm not sure where it would belong, so I figured I would start with where I ended up looking for that feature. :)

Owner

saimn commented Jan 3, 2018

Hmm I agree this is not ideal (if the album thumbnail is in a private directory then the root album also prompts for the password).

Maybe something that could be done, if you use this frequently, is to write a plugin that would take care of all the steps: create the .htaccess files with the directives to protect a directory, and allow access of the album thumbnail by the parent directory (or maybe copy this thumbnail in another hidden sub-directory)?

Contributor

anarcat commented Jan 3, 2018

well, that's essentially what i did above: the files are in a private subdirectory, but there's an exception in the webserver config for the thumbnail file. it requires sync'd configurations between the gallery (index.md) and web browser (.htaccess) but at least it works...

not sure there really is a better way at all..

Owner

saimn commented Jan 3, 2018

Yep I got it, sorry if I was not clear. My suggestion was that you could write a plugin to generate the htaccess files instead of having to do it manually.

Contributor

anarcat commented Jan 3, 2018

Riight, okay. That would hook into gallery_build i guess? We'd need some sort of data structure in the config file as well to describe accesses...

Honestly, it seems like reinventing the wheel a bit. The way I got it working here we don't need to write any code in sigal, and it works across webservers, provided that you know how to configure them. If we write a plugin for this, next thing we know you'll get asked to write support for Nginx, Cherokee and who knows what webserver. ;)

What I would argue for is a documentation blurb about this, but I don't know where to put that.

Owner

saimn commented Jan 3, 2018

It was just an idea, it could be handy for people that don't want to learn about apache config (or others) but yeah maybe it's overkill. Documentation about this would be good to have anyway, what about creating a FAQ page?

Contributor

anarcat commented Jan 5, 2018

a FAQ sounds good. but then you're the one who knows more what those FAQs are. ;) i can start one with just this question if you want...

Owner

saimn commented Jan 6, 2018

Album/gallery protection would be a good first item for a FAQ, so you are welcome to create the page :)

anarcat added a commit to anarcat/sigal that referenced this issue Jan 7, 2018
This is primarily made of documentation about password protection, but
will likely be expanded in the future.

See saimn#220
Contributor

anarcat commented Jan 7, 2018

done, see #285. i took the liberty of reusing your first comment here, i hope that's alright as is.

Contributor

anarcat commented Feb 21, 2018

ah - something else I noticed: when you use the feeds plugin, it leaks the filenames of the private images - not the images per se, because those are still protected by a password, but it could still be sensitive...
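
Added example, not part of the original thread or of sigal's own code: a Python check for the two side effects described in this thread, a public page that embeds a file from a protected album (which triggers the password prompt) and a feed that lists protected filenames. The names `find_private_refs` and `site_url`, the scanned file extensions and the sample tree are assumptions made for the illustration; files are whitelisted by name to mirror the `<Files "public.jpg">` exception shown earlier.

```python
import re
import tempfile
from pathlib import Path

# src/href/url attributes in HTML, plus <link>/<guid> element text in feeds.
REF = re.compile(r'(?:src|href|url)=["\']([^"\']+)["\']|<(?:link|guid[^>]*)>([^<]+)<')

def find_private_refs(build_dir, private_dirs, public_names, site_url=""):
    """Return (page, target) pairs: a public page pointing at a non-whitelisted private file."""
    build = Path(build_dir).resolve()
    private = [build / d for d in private_dirs]
    def is_private(path):
        return any(p == path or p in path.parents for p in private)

    findings = set()
    for page in sorted(build.rglob("*")):
        if page.suffix not in {".html", ".xml", ".rss", ".atom"} or is_private(page):
            continue  # pages inside a protected album are already behind the password
        for m in REF.finditer(page.read_text(encoding="utf-8", errors="replace")):
            ref = (m.group(1) or m.group(2)).strip().split("#")[0].split("?")[0]
            if site_url and ref.startswith(site_url):
                target = build / ref[len(site_url):].lstrip("/")  # absolute feed URL
            elif "://" in ref or ref.startswith(("/", "mailto:", "data:")):
                continue  # external or root-relative reference, not resolved here
            else:
                target = page.parent / ref
            target = target.resolve()
            if (target.suffix not in ("", ".html")  # links to the album page are expected
                    and is_private(target) and target.name not in public_names):
                findings.add((page.relative_to(build).as_posix(),
                              target.relative_to(build).as_posix()))
    return sorted(findings)

def demo():
    """Run the check on a constructed build tree (sample data, not real sigal output)."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp)
        (build / "foo").mkdir()
        (build / "index.html").write_text(
            '<a href="foo/"><img src="foo/thumbnails/public.jpg"></a>'
            '<img src="foo/thumbnails/secret.jpg">')
        (build / "feed.rss").write_text(
            "<item><link>https://gallery.example/foo/beach.jpg</link></item>")
        (build / "foo" / "index.html").write_text('<img src="beach.jpg">')
        return find_private_refs(build, ["foo"], {"public.jpg"},
                                 site_url="https://gallery.example/")

if __name__ == "__main__":
    print(demo())
```

Run after each build, an empty result means no public page or feed references a protected file other than the whitelisted thumbnails.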

kontza pushed a commit to kontza/sigal that referenced this issue Aug 28, 2020
This is primarily made of documentation about password protection, but
will likely be expanded in the future.

See saimn#220

drzraf commented Jan 31, 2022

Mentioning #457
