{"id":300631,"date":"2021-07-16T12:00:00","date_gmt":"2021-07-16T09:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-set-up-basic-http-authentication-in-nginx-cloudsavvy-it\/"},"modified":"2021-07-16T12:00:00","modified_gmt":"2021-07-16T09:00:00","slug":"how-to-set-up-basic-http-authentication-in-nginx-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-set-up-basic-http-authentication-in-nginx-cloudsavvy-it\/","title":{"rendered":"#How to Set Up Basic HTTP Authentication in NGINX \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Set Up Basic HTTP Authentication in NGINX \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage imgchk9 alignnone wp-image-1359 size-full\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/08\/41534ce8-1.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/08\/41534ce8-1.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/08\/41534ce8-1.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Nginx logo.\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Basic username 
and password authentication is an easy and simple way to secure administrative panels and backend services. Nginx can be configured to protect certain areas of your website, or even used as a reverse proxy to secure other services.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_Does_HTTP_Authentication_Work\"><\/span>How Does HTTP Authentication Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In basic HTTP authentication, certain routes on the server are locked and require a username and password to access them. For example, the admin panels of most home routers are secured this way; when you attempt to access them, the browser opens a dialog asking for credentials.<\/p>\n<p>When a user attempts to access a protected resource, the server sends the user a <code>WWW-Authenticate<\/code> header along with a <code>401 Unauthorized<\/code> response. The client sends back the appropriate username and password in the <code>Authorization<\/code> header, and if they match an entry in the password file, the user is allowed to connect.<\/p>\n<p>Because basic HTTP authentication sends the password over the wire (Base64-encoded, not encrypted), you need to have HTTPS\/TLS set up on your server, or else anyone in the middle could sniff out the plaintext password. HTTPS will encrypt the connection, making it safe to transmit. You can set up a free certificate with Let\u2019s Encrypt, or if you\u2019re looking to secure a private server, create and sign one yourself.<\/p>\n<p>Basic username\/password authentication is just one of many authentication schemes; another common scheme is bearer tokens, used for OAuth 2.0 flows. 
You can use this scheme with Nginx using the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/nginx.org\/en\/docs\/http\/ngx_http_auth_jwt_module.html\">JSON Web Tokens<\/a> module, but the full setup is much more complex than username\/password auth.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Generate_a_Password_File\"><\/span>Generate a Password File<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can use the <code>htpasswd<\/code> utility to generate password files. It is most likely already installed on your system, but if it isn\u2019t, you can install it from the <code>apache2-utils<\/code> package (Nginx uses the same password format as Apache):<\/p>\n<pre>sudo apt-get install apache2-utils<\/pre>\n<p>Generate a new password file by running <code>htpasswd<\/code> with the <code>-c<\/code> flag, in this case for user \u201cadmin\u201d:<\/p>\n<pre>sudo htpasswd -c \/etc\/nginx\/.htpasswd admin<\/pre>\n<p>You\u2019ll be asked to enter a password, which will be hashed and stored in <code>\/etc\/nginx\/.htpasswd<\/code>. If you want to add multiple users, leave out the <code>-c<\/code> flag to add new entries; with <code>-c<\/code>, an existing file is overwritten.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Turn_on_Basic_HTTP_Authentication\"><\/span>Turn on Basic HTTP Authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can protect any route in nginx by using the <code>auth_basic<\/code> directive inside a location. 
For example, to password protect <code>\/admin<\/code>, you would place this location block inside the server block in your main nginx config file (usually located at <code>\/etc\/nginx\/nginx.conf<\/code>):<\/p>\n<pre>location \/admin {\n  try_files $uri $uri\/ =404;\n  auth_basic \"Restricted Content\";\n  auth_basic_user_file \/etc\/nginx\/.htpasswd;\n}<\/pre>\n<p>The <code>auth_basic_user_file<\/code> directive must point to the password file you created in the first step. The file doesn\u2019t have to be named anything special, so you can create different password files for different routes.<\/p>\n<p>Nginx should handle the rest for you. Restart to apply the changes:<\/p>\n<pre>sudo service nginx restart<\/pre>\n<p>Then check the protected route in your browser. You should be asked for a password, and denied access if you can\u2019t provide it.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Using_Proxy_Authentication\"><\/span>Using Proxy Authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A common use case of basic auth is securing an external resource with an nginx reverse proxy. This works perfectly with <code>auth_basic<\/code>, and is as simple as using the two together:<\/p>\n<pre>location \/ {\n  # Turn on auth for this location\n  auth_basic \"Restricted Content\";\n  auth_basic_user_file \/etc\/nginx\/.htpasswd;\n\n  # Normal proxy configuration\n  proxy_http_version 1.1;\n  proxy_pass_request_headers on;\n  proxy_set_header Host $host;\n  proxy_set_header X-Real-IP $remote_addr;\n  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n  proxy_set_header Accept-Encoding \"\";\n\n  proxy_pass https:\/\/&lt;ip-address&gt;;\n  proxy_redirect default;\n}<\/pre>\n<p>This works by denying any entry to the proxy before a user authenticates. 
Once they\u2019re authenticated, nginx works as normal.<\/p>\n<p>However, if you want to perform the auth on the server behind the reverse proxy, the configuration is more complicated. You\u2019ll instead want nginx to proxy your input to the web server, which could, for example, query a database or perform more complex checking than a simple password file.<\/p>\n<p>You\u2019ll need to use the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/nginx.com\/resources\/wiki\/modules\/headers_more\/\">headers-more<\/a> module to be able to modify the headers more directly:<\/p>\n<pre>location \/ {\n  proxy_http_version 1.1;\n  proxy_pass_request_headers on;\n  proxy_set_header Host $host;\n  proxy_set_header X-Real-IP $remote_addr;\n  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n  proxy_set_header Accept-Encoding \"\";\n\n  proxy_pass https:\/\/&lt;ip-address&gt;;\n  proxy_redirect default;\n\n  more_set_input_headers 'Authorization: $http_authorization';\n  more_set_headers -s 401 'WWW-Authenticate: Basic realm=\"your_server.com\"';\n}<\/pre>\n<p>The proxy configuration is the same, except it\u2019s missing <code>auth_basic<\/code>\u00a0because we don\u2019t want to do the authentication with nginx. The <code>more_set_input_headers<\/code>\u00a0directive is doing the magic here, and setting the header for when it communicates with the web server to include the <code>$http_authorization<\/code>\u00a0variable it got from the client. This way the username and password are passed through nginx to the backend.<\/p>\n<p>The next line is more complicated; the regular way of setting headers will overwrite the <code>realm<\/code>\u00a0variable when it\u2019s proxied through nginx, which is not ideal. 
Using <code>more_set_headers<\/code>\u00a0will preserve this and show the client correct information.\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/1355\/how-to-setup-basic-http-authentication-on-nginx\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Set Up Basic HTTP Authentication in NGINX \u2013 CloudSavvy IT&#8221; Basic username and password authentication is an easy and simple way to secure administrative panels and backend services. Nginx can be configured to protect certain areas of your website, or even used as a reverse proxy to secure other services. 
How Does HTTP&#8230;<\/p>\n","protected":false},"author":1,"featured_media":300632,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/08\/41534ce8-1.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-300631","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/300631","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=300631"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/300631\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/300632"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=300631"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=300631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=300631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}