Complete steps to configure basic user authentication at the Nginx level

Preface

Application scenario: probably the internal website needs to be accessible to external users, but the visitor's website account permissions cannot be given, so restrictions are imposed at the nginx level. For example, in outsourcing projects, internal employees have accounts to operate documents, and outsourced employees do not have internal accounts, but they need to be able to see the documents. Therefore, setting up user authentication at the nginx level is the best and simplest option. In most cases, employers will not open an account with basic access rights for outsourced employees.

Prerequisites for user authentication at the nginx level: You need to have a corresponding password creation program, such as apache2-utils (Debian, Ubuntu) or httpd-tools (RHEL / CentOS / Oracle Linux). Different operating systems require different software.

Create an account password file

Use the command sudo htpasswd -c /etc/apache2/.htpasswd user1 to create the first account, and then press Enter to enter the password. Use the same command without the -c parameter to create the second user and password. The -c parameter is for creating a file. You do not need to create the file again in the second and subsequent commands.
Confirm that the file and account information are generated successfully. Use the command cat /etc/apache2/.htpasswd to view the file content. It should be the account and encrypted password, such as: user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0 , etc.

Configure nginx for http basic user authentication

Use the auth_basic directive to specify the name of the protected area, which will be displayed in the account and password pop-up window. Use the auth_basic_user_file directive to set the .htpasswd path with the account and password information. For example, configure:

location /api {
 auth_basic "Administrator's Area";
 auth_basic_user_file /etc/apache2/.htpasswd; 
}

In addition, if a block does not want to inherit the entire authentication system, it can set auth_basic off in the block, that is, user authentication is turned off. For example, configure:

server {
 ...
 auth_basic "Administrator's Area";
 auth_basic_user_file conf/htpasswd;

 location /public/ {
  auth_basic off;
 }
}

Combine authentication with access restrictions by IP address

HTTP Basic Authentication can be effectively combined with access restrictions by IP address. You can implement at least two scenarios:

The user needs to be authenticated and have ip access rights
Users need to be authenticated or have IP access rights

1. Use the allow and deny instructions to allow or restrict access to the specified IP address, for example:

location /api {
 #... deny 192.168.1.2;
 allow 192.168.1.1/24;
 allow 127.0.0.1;
 deny all;
}

2. In networks other than 192.168.1.2, only 192.168.1.1/24 is granted access rights. NOTE: allow and deny directives are applied in the order they are defined.

Combine restrictions with the satisfy directive via ip and http authentication. If the directive is set to all, access is granted if the client meets both conditions. If the directive is set to any, access is granted if the client meets at least one condition, for example, configure:

location /api {
 #... satisfy all; 

 deny 192.168.1.2;
 allow 192.168.1.1/24;
 allow 127.0.0.1;
 deny all;

 auth_basic "Administrator's Area";
 auth_basic_user_file conf/htpasswd;
}

The above can be organized into a complete example:

http {
 server {
  listen 192.168.1.23:8080;
  root /usr/share/nginx/html;

  location /api {
   api;
   satisfy all;

   deny 192.168.1.2;
   allow 192.168.1.1/24;
   allow 127.0.0.1;
   deny all;

   auth_basic "Administrator's area";
   auth_basic_user_file /etc/apache2/.htpasswd; 
  }
 }
}

The final effect is as shown below:

Summarize

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. Thank you for your support of 123WORDPRESS.COM.

You may also be interested in: