feat(nginx-proxy): Add wildcard HTTP auth support for WordPress multisite #298
Fix bug where blog.example.com incorrectly checked for _wildcard.blog.example.com instead of _wildcard.example.com.

Changes:
- 4+ part domains: check 3-part wildcard first, then 2-part fallback
- 2-3 part domains: check 2-part wildcard directly
- Fixed template formatting to match original style
- Updated README with corrected lookup table
Pull request overview
This pull request adds wildcard HTTP basic authentication support specifically designed for WordPress multisite subdomain configurations. It enables a single _wildcard.domain.com htpasswd file to protect both the main domain and all its subdomains.
Key changes:
- Implements cascading wildcard htpasswd lookup logic with support for multi-level TLDs (e.g., .co.in, .com.au)
- Adds comprehensive documentation explaining the wildcard naming convention and lookup order
- Includes cleanup of trailing whitespace in unrelated parts of the template
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| nginx-proxy/nginx.tmpl | Implements wildcard htpasswd lookup with cascading logic for 2-4+ part domain names, replacing simple default fallback |
| nginx-proxy/README.md | Adds new README with detailed documentation of HTTP auth features, wildcard naming conventions, lookup order, and usage examples |
| auth_basic "Restricted {{ .Host }}"; | ||
| auth_basic_user_file {{ ($wildcardHtpasswd3) }}; | ||
| {{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }} | ||
| include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}}; | ||
| {{ else if (exists "/etc/nginx/vhost.d/default_acl") }} | ||
| include /etc/nginx/vhost.d/default_acl; | ||
| {{ end }} | ||
| {{ else }} | ||
| {{/* Fallback: check last 2 parts (e.g., _wildcard.co.in for blog.domain.co.in) */}} | ||
| {{ $baseDomain2 := printf "%s.%s" (index $hostParts $idx2) (index $hostParts $idx1) }} | ||
| {{ $wildcardHtpasswd2 := printf "/etc/nginx/htpasswd/_wildcard.%s" $baseDomain2 }} | ||
| {{ if (exists $wildcardHtpasswd2) }} | ||
| auth_basic "Restricted {{ .Host }}"; | ||
| auth_basic_user_file {{ ($wildcardHtpasswd2) }}; | ||
| {{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }} | ||
| include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}}; | ||
| {{ else if (exists "/etc/nginx/vhost.d/default_acl") }} | ||
| include /etc/nginx/vhost.d/default_acl; | ||
| {{ end }} | ||
| {{ else if (exists "/etc/nginx/htpasswd/default") }} | ||
| auth_basic "Restricted {{ .Host }}"; | ||
| auth_basic_user_file /etc/nginx/htpasswd/default; | ||
| {{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }} | ||
| include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}}; | ||
| {{ else if (exists "/etc/nginx/vhost.d/default_acl") }} | ||
| include /etc/nginx/vhost.d/default_acl; | ||
| {{ end }} | ||
| {{ end }} | ||
| {{ end }} | ||
| {{ else if ge $partsLen 2 }} | ||
| {{/* For 2-3 part domains, check last 2 parts (e.g., _wildcard.example.com for blog.example.com or example.com) */}} | ||
| {{ $idx2 := sub $partsLen 2 }} | ||
| {{ $idx1 := sub $partsLen 1 }} | ||
| {{ $baseDomain2 := printf "%s.%s" (index $hostParts $idx2) (index $hostParts $idx1) }} | ||
| {{ $wildcardHtpasswd2 := printf "/etc/nginx/htpasswd/_wildcard.%s" $baseDomain2 }} | ||
| {{ if (exists $wildcardHtpasswd2) }} | ||
| auth_basic "Restricted {{ .Host }}"; | ||
| auth_basic_user_file {{ ($wildcardHtpasswd2) }}; | ||
| {{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }} | ||
| include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}}; | ||
| {{ else if (exists "/etc/nginx/vhost.d/default_acl") }} | ||
| include /etc/nginx/vhost.d/default_acl; | ||
| {{ end }} | ||
| {{ else if (exists "/etc/nginx/htpasswd/default") }} | ||
| auth_basic "Restricted {{ .Host }}"; | ||
| auth_basic_user_file /etc/nginx/htpasswd/default; | ||
| {{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }} | ||
| include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}}; | ||
| {{ else if (exists "/etc/nginx/vhost.d/default_acl") }} | ||
| include /etc/nginx/vhost.d/default_acl; | ||
| {{ end }} | ||
| {{ end }} | ||
| {{ else if (exists "/etc/nginx/htpasswd/default") }} | ||
| {{/* Single-part hostname - use default */}} | ||
| auth_basic "Restricted {{ .Host }}"; | ||
| auth_basic_user_file /etc/nginx/htpasswd/default; | ||
| {{ if (exists (printf "/etc/nginx/vhost.d/%s_acl" .Host)) }} | ||
| include {{ printf "/etc/nginx/vhost.d/%s_acl" .Host}}; | ||
| {{ else if (exists "/etc/nginx/vhost.d/default_acl") }} | ||
| include /etc/nginx/vhost.d/default_acl; | ||
| {{ end }} |
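Review bot: In the `else if ge $partsLen 2` branch, a 3-part host is always cut down to its last two labels, so `domain.co.in` resolves to `_wildcard.co.in` and never to `_wildcard.domain.co.in`. The apex of a site on a multi-level TLD is therefore not covered by the file that protects its subdomains, and when `/etc/nginx/htpasswd/default` is also absent the branch emits no `auth_basic` at all, so that host is served unauthenticated. Suggest trying `_wildcard.{{ .Host }}` for 3-part hosts before the 2-part lookup. The 2-part fallback in the 4+ branch also means a file named `_wildcard.co.in` applies to every proxied host under that suffix, which should either be documented as intended or dropped.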
Copilot
AI
Jan 8, 2026
The authentication configuration block (auth_basic, auth_basic_user_file, and ACL includes) is duplicated multiple times throughout this wildcard logic. Consider extracting this into a template macro or function to reduce duplication and improve maintainability. This pattern appears at least 6 times in the new code (lines 87-93, 99-105, 107-113, 123-129, 131-137, 141-147).
| '"$request" $status $body_bytes_sent ' | ||
| '"$http_referer" "$http_user_agent"'; |
Copilot
AI
Jan 8, 2026
The indentation has been changed to use tabs on these lines, which appears inconsistent with the rest of the file. Please verify that the indentation style is intentional and matches the project's coding standards.
| '"$request" $status $body_bytes_sent ' | |
| '"$http_referer" "$http_user_agent"'; | |
| '"$request" $status $body_bytes_sent ' | |
| '"$http_referer" "$http_user_agent"'; |
Summary
Adds wildcard htpasswd file support to enable HTTP basic authentication across WordPress multisite domains using a single htpasswd file.
Features
- _wildcard.domain.com applies HTTP auth to domain.com AND all subdomains (*.domain.com)
- .co.in, .com.au, and other multi-level TLDs

Lookup Logic
| Host | Lookup order |
|---|---|
| blog.domain.co.in (4 parts) | _wildcard.domain.co.in → _wildcard.co.in → default |
| domain.co.in (3 parts) | _wildcard.co.in → default |
| blog.example.com (3 parts) | _wildcard.example.com → default |
| example.com (2 parts) | _wildcard.example.com → default |
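The lookup order described above can be modelled outside nginx to audit which htpasswd file each host ends up with and which hosts are left without auth. This is an added example, not code from the pull request: `wildcardHtpasswd`, `onDisk` and the `constructedFiles` set are hypothetical names, and only the wildcard cascade from the lookup table is modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// wildcardHtpasswd models the wildcard cascade from the lookup table: it
// returns the htpasswd path selected for host, or "" when no candidate
// exists (the vhost is then rendered without auth_basic).
// exists stands in for the template's file-existence check.
func wildcardHtpasswd(host string, exists func(string) bool) string {
	const dir = "/etc/nginx/htpasswd/"
	parts := strings.Split(host, ".")
	n := len(parts)
	var candidates []string
	if n >= 4 { // 4+ parts: try the last three labels first
		candidates = append(candidates, dir+"_wildcard."+strings.Join(parts[n-3:], "."))
	}
	if n >= 2 { // 2+ parts: last two labels
		candidates = append(candidates, dir+"_wildcard."+strings.Join(parts[n-2:], "."))
	}
	candidates = append(candidates, dir+"default")
	for _, c := range candidates {
		if exists(c) {
			return c
		}
	}
	return ""
}

// constructedFiles is sample data for this example, not taken from the PR.
// There is deliberately no "default" file.
var constructedFiles = map[string]bool{
	"/etc/nginx/htpasswd/_wildcard.domain.co.in": true,
	"/etc/nginx/htpasswd/_wildcard.example.com":  true,
}

func onDisk(p string) bool { return constructedFiles[p] }

func main() {
	hosts := []string{"blog.domain.co.in", "domain.co.in", "blog.example.com", "example.com"}
	for _, h := range hosts {
		got := wildcardHtpasswd(h, onDisk)
		if got == "" {
			got = "(no auth_basic emitted)"
		}
		fmt.Printf("%-20s -> %s\n", h, got)
	}
}
```

With this file set, domain.co.in is the only host left without auth, because its 3-part name is looked up as _wildcard.co.in.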