Nginx access restriction settings: restricting access with HTTP Basic Authentication
1. Overview
You can restrict access to an entire website, or to certain parts of it, by requiring a username and password. The usernames and passwords are read from a file that is created and populated with a password file creation tool, such as apache2-utils.
HTTP basic authentication can be used in combination with other access restriction methods, such as using IP addresses or geographic locations to restrict access.
2. Prerequisites
NGINX Plus or NGINX Open Source
A password file creation tool, such as apache2-utils
3. Create Password File
3.1 Install apache2-utils
Make sure that apache2-utils is installed.
3.2 Create a password file and the first user
Run the htpasswd tool with the -c flag, which creates a new file. The file path is the first argument and the username is the second:
$ sudo htpasswd -c /etc/apache2/.htpasswd user1
Press Enter and type the user's password twice when prompted.
3.3 Create additional user/password pairs
In this case, omit the -c flag, because the file already exists; running htpasswd with -c again would overwrite it:
$ sudo htpasswd /etc/apache2/.htpasswd user2
3.4 View File Content
$ cat /etc/apache2/.htpasswd
The file contains each username followed by that user's hashed password (the $apr1$ prefix marks Apache's MD5-based hash format):
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0
user2:$apr1$QdR8fNLT$vbCEEzDj7LyqCMyNpSoBh/
user3:$apr1$Mr5A0e.U$0j39Hp5FfxRkneklXaMrr/
4. Configure Nginx for HTTP Basic Authentication
In the location to be protected, specify the auth_basic directive and give the name of the password-protected area (the realm) as its parameter. This name is shown in the username/password dialog box when the browser asks for credentials:
    location /status {
        auth_basic "Administrator's Area";
        ...
    }
Specify the auth_basic_user_file directive with the path to the .htpasswd file that contains the username/password pairs:
    location /status {
        auth_basic "Administrator's Area";
        auth_basic_user_file /etc/apache2/.htpasswd;
    }
You can also require HTTP basic authentication for the entire website while leaving some pages unauthenticated. Setting the auth_basic directive to off in a nested context (location, etc.) cancels the setting inherited from the upper configuration level:
    server {
        ...
        auth_basic "Administrator's Area";
        auth_basic_user_file conf/htpasswd;

        location /public/ {
            auth_basic off;
        }
    }
5. Integrate Basic Authentication with access restrictions through IP addresses
HTTP basic authentication can be effectively combined with IP address access restrictions. At least two scenarios can be implemented:
A user must use a valid IP address and be authenticated.
A user must use a valid IP address or be authenticated.
You can use the allow and deny directives of the access module to allow or deny access from a specified IP address:
    location /status {
        ...
        deny 192.168.1.2;
        allow 192.168.1.1/24;
        allow 127.0.0.1;
        deny all;
    }
Access is allowed only from the 192.168.1.1/24 network, excluding the address 192.168.1.2, and from 127.0.0.1. Note that the allow and deny directives are checked in the order in which they are defined, and the first matching rule applies.
The satisfy directive combines the IP address restriction with HTTP authentication. If it is set to all, the client must meet both conditions. If it is set to any, the client must meet at least one condition:
    location /status {
        ...
        satisfy all;

        deny 192.168.1.2;
        allow 192.168.1.1/24;
        allow 127.0.0.1;
        deny all;

        auth_basic "Administrator's Area";
        auth_basic_user_file conf/htpasswd;
    }
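The decision logic described above, modeled in Python as an added example (it is not part of the original page and is not nginx's own code). It assumes a simplified view of nginx: the first matching allow/deny rule decides the IP check, a rejected address yields 403, and missing or wrong credentials yield 401; all function and variable names are illustrative.

```python
import ipaddress

# Rule list from the /status example on this page, in configuration order.
RULES = [
    ("deny", "192.168.1.2"),
    ("allow", "192.168.1.1/24"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]

# Same rules with the single-host deny placed AFTER the network allow
# (constructed to show why order matters).
MISORDERED = [RULES[1], RULES[0], RULES[2], RULES[3]]


def ip_allowed(client_ip, rules=RULES):
    """Return True if the first matching allow/deny rule is an allow."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        # strict=False accepts 192.168.1.1/24 (host bits set), as nginx does.
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True  # no rule matched: the access check raises no objection


def status_code(client_ip, credentials_ok, satisfy="all", rules=RULES):
    """Model the HTTP status a client receives for the protected location."""
    ip_ok = ip_allowed(client_ip, rules)
    if satisfy == "any":
        # Either condition is enough; if both fail, the client is challenged.
        return 200 if (ip_ok or credentials_ok) else 401
    # satisfy all: the address check rejects first, then credentials are required.
    if not ip_ok:
        return 403
    return 200 if credentials_ok else 401


if __name__ == "__main__":
    for ip in ("192.168.1.50", "192.168.1.2", "10.0.0.5"):
        for creds in (True, False):
            print(ip, creds,
                  "all ->", status_code(ip, creds, "all"),
                  "any ->", status_code(ip, creds, "any"))
    # With the misordered list, 192.168.1.2 matches the /24 allow first.
    print("misordered lets 192.168.1.2 in:", ip_allowed("192.168.1.2", MISORDERED))
```

The misordered rule list shows the pitfall to check for when reviewing a configuration: a specific deny placed after a broader allow never takes effect.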
6. Complete example
This example shows how to combine HTTP authentication with IP address restrictions to protect the /status area:
    http {
        server {
            listen 192.168.1.23:8080;
            root /usr/share/nginx/html;

            location /status {
                status;
                satisfy all;

                deny 192.168.1.2;
                allow 192.168.1.1/24;
                allow 127.0.0.1;
                deny all;

                auth_basic "Administrator's area";
                auth_basic_user_file /etc/apache2/.htpasswd;
            }

            location = /status.html {
            }
        }
    }
When a user requests the /status page, the browser displays a dialog box asking for a username and password.
If the entered username and password do not match any record in the password file, the user receives a 401 authorization error.