
when logging in: user can see all other users & package indexes #8

@BenjaminYde

Description


I am using devpi-lockdown, and logging in with a username and password through nginx works successfully.
The problem I have is that when I log in, the user can see all other users and package indexes.
Is this normal behaviour?
I want the user to see only their own account, with all of its package indexes below it.
Maybe a quicker feature to implement would be to specify which users the web view can be loaded for?
(for example, only root can see it)

The users i have:

  • root/pypi
  • user-a/mono
  • user-b/mono

For example, when user-a logs in, they can see root/pypi and user-b, while they should only be able to see user-a with the index mono.

Versions:

devpi-lockdown-2.0.0
devpi-server-6.9.0
devpi-web-4.2.0

My nginx.conf:

# HTTP server on port 80; every request is gated by the auth_request below
server {
    listen 80;
    listen [::]:80;

    server_name _;

    # this redirects to the login view when not logged in
    recursive_error_pages on;
    error_page 401 = @error401;
    location @error401 {
        return 302 /+login?goto_url=$request_uri;
    }

    # lock down everything by default
    auth_request /+authcheck;

    # the location to check whether the provided infos authenticate the user
    location = /+authcheck {
        internal;

        proxy_pass_request_body off;

        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-outside-url $scheme://$http_host;  # copy the value from your existing configuration
        proxy_set_header X-Real-IP $remote_addr;  # copy the value from your existing configuration

        proxy_pass http://devpi:3141;
    }

    location / {
        # workaround to pass all requests to / through to the named location below
        error_page 418 = @proxy_to_app;
        return 418;
    }

    location @proxy_to_app {
        proxy_pass http://devpi:3141;
        # the $x_scheme variable is only required if nginx is behind another
        # proxy (often the case in container environments),
        # if your nginx is the only proxy server, the $scheme variable can be
        # used and the map $http_x_forwarded_proto $x_scheme above be removed
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-outside-url $scheme://$http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
