nginx - simple and native authentication function
Important disclaimer: This solution is not secure! - It is fine for a quick and temporary solution for your local network, but it is not a secure solution for important ressources that are available over the internet.
As a side note: without TLS (HTTPs), the credentials will be sent in plain text, and are easily accessable.
Creating the user
Even though you could do it per hand, it is recommended to use the Apache utility to create the user.
The package needed is called apache2-utils for Debian derivatives and httpd-tools for RHEL derivatives.
sudo htpasswd -c /etc/nginx/htpasswd AzureDiamond # The username is case-sensitive and the path and name of the password file can be changed
Now it is time to choose a secure password:
New password: Re-type new password: Adding password for user AzureDiamond
You now can find the password file with the hashed password in the location of your choice:
cat /etc/nginx/htpasswd AzureDiamond:$apr1$8xZ0m9Yq$NVBN9veofzoV9vBoBK7z40
Side note: You can remove a user with the following command:
sudo htpasswd -D /etc/nginx/htpasswd AzureDiamond # remember to choose the correct file
Change your nginx config
We can now add 2 line to our server or location segment to activate the authentication feature:
auth_basic "You shall not pass!"; auth_basic_user_file /etc/nginx/htpasswd;
Check the nginx config with sudo nginx -t and if it confirms the correct syntax, restart the nginx service with sudo systemctl restart nginx.
You can test it here: https://ittavern.com/azurediamond
Exclude subdirectories
If you, for example, add the authentication to the root directory of your site, you can exclude chosen subdirectories by adding the following line to the location segment:
location /api/ {
auth_basic off;
}
White- / blacklist IPs
More step further, just work with white- and blacklists by adding chosen IPs like this to the chosen segment:
deny 8.8.8.8;
allow 9.9.9.9;
allow 10.10.10.0/24;
deny all;
Special thanks to ruffy, for informing me about the processes behind it and the security risks.
E-Mail
hello@ittavern.com
More reading:
- 23.11.2022 Nginx - simple permanent or temporary redirects
- 17.11.2022 Nginx - check your public IP
- 04.02.2024 Adding a trash can to Linux with trash-cli
- 20.01.2024 Bandwidth Measurement using netcat on Linux
- 14.01.2024 Getting started with rsync - Comprehensive Guide
- 10.01.2024 Cron Jobs on Linux - Comprehensive Guide with Examples
- 22.11.2023 SSH Server Hardening Guide v2