Nginx Basic Auth Security – Enhancing Security with Nginx Http Basic Auth

http-basic-authenticationnginx

So lets say I host something like netdata dash board on port 6000.

Then I nginx reverse proxy it to the subdomain netdata.domain.com

While basic auth is applied at the nginx.conf to allow site wide protection.

My question is, since my connection to netdata.domain.com is http instead of https, my data is not encrypted. So won't logging into to nginx basic auth under this connection basically expose the password for a MITM attack?

But if I add cloudflare between the real ip, that gives a layer of proxy and basically adds a lot of difficulty for that to happen right?

I don't know if my concern is valid.

Best Answer

My question is, since my connection to netdata.domain.com is http instead of https, my data is not encrypted. So won't logging into to nginx basic auth under this connection basically expose the password for a MITM attack?

Correct. It's sent entirely in cleartext, and anyone in the path may read it trivially.

But if I add cloudflare between the real ip, that gives a layer of proxy and basically adds a lot of difficulty for that to happen right?

If you configure CF to require TLS, then the connection between client and CF will be encrypted. Between CF and server it won't be.

It's 2021. Certificates are free, and trivially automatable on all platforms. Do not deploy authentication over HTTP in 2021. Configure it the proper way with TLS on your web server.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

NGINX basic auth only for POST

You should use limit_except:

limit_except GET HEAD {
    auth_basic 'Restricted';
    auth_basic_user_file /path/to/userfile;
}

It works since nginx 0.8.48, in older versions there was a bug where fastcgi_pass was not inherited inside the limit_except block.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

NGINX basic auth only for POST

Related Topic