From 49a9179c6487b40e0eb2b02f5eedcf789c9427a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
Date: Fri, 13 Dec 2024 15:39:38 +0100
Subject: [PATCH] nginx: Support basic authentication for /admin/forgejo/event.

This allows the Forgejo instance at Codeberg to send POST requests for
its web hooks when creating, modifying, or closing pull requests.

* nginx-config/nginx-locations.conf: Add location block for
/admin/forgejo/event.

Co-authored-by: Romain GARBAGE <romain.garbage@inria.fr>
---
 nginx-config/nginx-locations.conf | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/nginx-config/nginx-locations.conf b/nginx-config/nginx-locations.conf
index 17358c3..aa01d08 100644
--- a/nginx-config/nginx-locations.conf
+++ b/nginx-config/nginx-locations.conf
@@ -11,6 +11,31 @@ location = /nix-cache-info { proxy_pass http://localhost:3000; }
 
 # Cuirass.
 
+# Enable HTTP Basic Authentication for events coming from the Forgejo
+# instance at Codeberg.
+location ~ ^/admin/forgejo/event {
+    auth_basic "Forgejo";
+
+    # The file below must contain "USER:PASSWORD" lines, where
+    # PASSWORD is the password encrypted with crypt(3), available from
+    # the command line as "openssl password".  Make sure to:
+    #
+    #   chown nginx:nginx /etc/nginx-htpasswd
+    #
+    # The Forgejo instance must itself send HTTP headers like:
+    #
+    #   Authorization: Basic STR
+    #
+    # where STR is the base64-encoded string obtained with:
+    #
+    #   echo -n "USER:CLEARTEXTPASSWORD" | base64
+    #
+    # According to <https://datatracker.ietf.org/doc/html/rfc7617#section-2>,
+    # CLEARTEXTPASSWORD must not contain control characters.
+    auth_basic_user_file /etc/nginx-htpasswd;
+    proxy_pass http://localhost:8081;
+}
+
 # The included file should define the variable $GITLAB_TOKEN using the
 # set directive: "set $GITLAB_TOKEN value;". It should be created
 # manually.
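Review bot: The setup comment in the new location block names a command that does not exist, `openssl password`; the subcommand is `openssl passwd`, and the comment should name a salted scheme explicitly rather than rely on the tool's default, for example `# PASSWORD is the hash printed by "openssl passwd -apr1"`. The comment also gives only the `chown`; adding `chmod 600 /etc/nginx-htpasswd` next to it keeps the hashes unreadable to other local users. Basic credentials are only base64-encoded on the wire, so the comment should state that this location must be served over TLS only (the server block is outside this hunk, so that may already hold). Separately, the regex `^/admin/forgejo/event` has no end anchor and matches any path with that prefix; `location = /admin/forgejo/event` would be tighter if only that one endpoint is intended.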
-- 
GitLab