Nginx: Using HTTP Basic Authentication and IP Whitelisting to Restrict Access

In this article, I will guide you through the process of implementing HTTP Basic Authentication and IP whitelisting with Nginx to restrict access to your website or specific areas of your website. This security measure can help protect sensitive information and ensure that only authorized users can access your resources.

Creating a Password File

Before we can implement HTTP Basic Authentication, we need to create a password file that contains the username-password pairs for the authorized users. Here's how you can do it:

1) First, make sure the htpasswd utility is installed. It ships in the apache2-utils package on Debian or Ubuntu and in the httpd-tools package on RHEL, CentOS, or Oracle Linux.

2) To create the password file and add the first user, use the htpasswd utility with the -c flag to create a new file. Here's an example command:

$ sudo htpasswd -c /etc/apache2/.htpasswd user1

You will be prompted to enter and confirm the password for user1.

3) To add additional users to the password file, omit the -c flag as the file already exists. Here's an example command:

$ sudo htpasswd /etc/apache2/.htpasswd user2

4) You can verify the content of the password file by using the cat command:

$ cat /etc/apache2/.htpasswd
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0
user2:$apr1$QdR8fNLT$vbCEEzDj7LyqCMyNpSoBh/
user3:$apr1$Mr5A0e.U$0j39Hp5FfxRkneklXaMrr/

Each line is a username-password pair. The password is not stored in plain text but as a salted hash; the $apr1$ prefix marks Apache's MD5-based hash format, which htpasswd uses by default.
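To make the stored format concrete, here is an added example (not code from the article) that parses an htpasswd file and verifies a password against an $apr1$ entry. The hashing routine implements the FreeBSD md5crypt scheme with Apache's "$apr1$" magic string, which is what htpasswd writes by default; the usernames, passwords and the sample file below are constructed for the example.

```python
# Added example: parse an htpasswd file and verify passwords against $apr1$
# entries (Apache's md5crypt variant). All users, passwords and the sample
# file are constructed here, not taken from any real deployment.
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant first (crypt's to64)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """Return "$apr1$<salt>$<22 chars>" for a password and an up-to-8-char salt."""
    pw = password.encode("utf-8")
    salt = salt[:8]
    salt_b = salt.encode("utf-8")

    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds mixing password, salt and the previous digest
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Re-order the 16 digest bytes into 22 base-64 characters
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + encoded


def make_entry(user, password):
    """Build one htpasswd line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return user + ":" + apr1_hash(password, salt)


def parse_htpasswd(text):
    """Map user -> stored hash, skipping blank lines and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify(users, user, password):
    """True only if the user exists and the password re-hashes to the stored value."""
    stored = users.get(user)
    if stored is None or not stored.startswith("$apr1$"):
        return False
    _, _, salt, _ = stored.split("$", 3)
    candidate = apr1_hash(password, salt)
    # constant-time comparison so the check does not leak how many characters matched
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed sample file with known passwords, standing in for /etc/apache2/.htpasswd
SAMPLE_HTPASSWD = "\n".join([
    make_entry("user1", "s3cret-one"),
    make_entry("user2", "s3cret-two"),
])
USERS = parse_htpasswd(SAMPLE_HTPASSWD)

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print("user1 / s3cret-one ->", verify(USERS, "user1", "s3cret-one"))
    print("user1 / wrong      ->", verify(USERS, "user1", "wrong"))
```

The salt is what keeps two users with the same password from producing the same line, and the 1000 rounds make each guess cost more than a single MD5; the hashed form still needs to be kept out of the web root and readable only by the nginx worker user.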

Configuring NGINX for HTTP Basic Authentication

Once you have created the password file, you can configure NGINX to implement HTTP Basic Authentication. Here's how you can do it:

1) Choose the location or area of your website that you want to protect with authentication. Inside the corresponding location block in your NGINX configuration file, add the auth_basic directive and provide a name for the password-protected area. This name will be displayed in the username/password dialog window when users try to access the area. Here's an example:

location /api {
   auth_basic "Administrator’s Area";
   #...
}

2) Next, add the auth_basic_user_file directive to specify the path to the password file that contains the user/password pairs. Here's an example:

location /api {
   auth_basic           "Administrator’s Area";
   auth_basic_user_file /etc/apache2/.htpasswd;
}

This configuration ensures that only users with valid credentials from the password file can access the protected area.

Alternatively, if you want to restrict access to the entire website with basic authentication but make certain areas public, you can use the auth_basic off directive. Here's an example:

server {
    ...
    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/htpasswd;

    location /public/ {
        auth_basic off;
    }
}

With this configuration, the /public/ area will be accessible without authentication, while the rest of the website will require valid credentials.

Combining Basic Authentication with IP Whitelisting

To enhance security, you can combine HTTP Basic Authentication with IP whitelisting to restrict access based on IP addresses. There are two scenarios you can implement:

  1. Users must be both authenticated and have a valid IP address.
  2. Users must be either authenticated or have a valid IP address.

Here's how you can achieve these scenarios:

1) Use the allow and deny directives to allow or deny access from specific IP addresses. You can place these directives inside the corresponding location block. Here's an example:

location /api {
   #...
   deny  192.168.1.2;
   allow 192.168.1.1/24;
   allow 127.0.0.1;
   deny  all;
}

In this example, access is granted from the 192.168.1.1/24 network (except the 192.168.1.2 address) and from localhost (127.0.0.1); every other address is denied. The allow and deny directives are processed in the order they are defined and the first rule that matches the client address wins, which is why the deny for 192.168.1.2 must come before the allow for its network.

2) Combine IP restriction and HTTP authentication using the satisfy directive. If you set satisfy to all, access will only be granted if a client satisfies both conditions. If you set satisfy to any, access will be granted if a client satisfies at least one condition. Here's an example:

location /api {
   #...
   satisfy all;

   deny  192.168.1.2;
   allow 192.168.1.1/24;
   allow 127.0.0.1;
   deny  all;

   auth_basic           "Administrator’s Area";
   auth_basic_user_file conf/htpasswd;
}

In this example, access will only be granted to clients with valid credentials and IP addresses within the specified range.
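The two points above, first-match evaluation of allow/deny rules and the way satisfy combines that result with the credential check, are easy to get wrong by reordering a line. The following added example (not code from the article or from nginx) models the decision for the /api location using the article's rule list; it also decodes the Authorization header so you can see that Basic credentials travel as plain base64. The client addresses, header values and the plaintext credential table are constructed stand-ins, and which failure a client sees first (401 versus 403) depends on nginx's handler order and is not modelled.

```python
# Added example: model nginx's access decision for the article's /api location.
# RULES copies the article's allow/deny list; addresses, headers and the
# VALID_CREDENTIALS table are constructed for the example.
import base64
import binascii
import ipaddress

# Order matters: nginx stops at the first rule that matches the client address.
RULES = [
    ("deny", "192.168.1.2"),
    ("allow", "192.168.1.1/24"),  # nginx masks the host bits: this is 192.168.1.0/24
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]

# Constructed stand-in for the htpasswd lookup (real checks compare salted hashes).
VALID_CREDENTIALS = {"user1": "s3cret-one"}


def ip_allowed(client_ip, rules=RULES):
    """First-match evaluation of allow/deny rules, as ngx_http_access_module does."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            matched = True
        else:
            # strict=False tolerates stray host bits the way nginx does
            net = ipaddress.ip_network(target, strict=False)
            matched = addr.version == net.version and addr in net
        if matched:
            return action == "allow"
    return True  # no rule matched: the access module imposes no restriction


def parse_basic_auth(header):
    """Decode 'Basic <base64(user:password)>'; return (user, password) or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def basic_header(user, password):
    """Build the header a client sends; base64 is an encoding, not encryption."""
    token = base64.b64encode((user + ":" + password).encode("utf-8")).decode("ascii")
    return "Basic " + token


def credentials_ok(header, valid=VALID_CREDENTIALS):
    creds = parse_basic_auth(header)
    return creds is not None and valid.get(creds[0]) == creds[1]


def decide(client_ip, auth_header, satisfy="all"):
    """Return (allowed, reason) for one request under the given satisfy mode."""
    ip_ok = ip_allowed(client_ip)
    auth_ok = credentials_ok(auth_header)
    if satisfy == "all":
        allowed = ip_ok and auth_ok
    elif satisfy == "any":
        allowed = ip_ok or auth_ok
    else:
        raise ValueError("satisfy must be 'all' or 'any'")
    reason = "ip=%s auth=%s satisfy=%s" % (
        "ok" if ip_ok else "denied", "ok" if auth_ok else "failed", satisfy)
    return allowed, reason


if __name__ == "__main__":
    good = basic_header("user1", "s3cret-one")
    bad = basic_header("user1", "guess")
    for ip, hdr, mode in [("192.168.1.50", good, "all"), ("192.168.1.50", bad, "all"),
                          ("192.168.1.2", good, "all"), ("10.0.0.1", good, "all"),
                          ("10.0.0.1", good, "any"), ("192.168.1.50", None, "any"),
                          ("10.0.0.1", None, "any")]:
        print(ip, mode, decide(ip, hdr, mode))
    print("on the wire:", good, "->", parse_basic_auth(good))
```

Because parse_basic_auth recovers the username and password from the header with nothing more than a base64 decode, Basic Authentication only protects credentials when the connection itself is encrypted; serve the protected location over HTTPS, and note that satisfy any with a broad allow range lets anyone in that range skip the password entirely.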

Complete Example

Here's a complete example that demonstrates how to protect a status area with simple authentication combined with IP whitelisting. The api directive, which exposes the NGINX Plus API, is available in NGINX Plus only; on open-source nginx, omit that line and apply the same location block to whatever path you want to protect:

http {
    server {
        listen 192.168.1.23:8080;
        root   /usr/share/nginx/html;

        location /api {
            api;
            satisfy all;

            deny  192.168.1.2;
            allow 192.168.1.1/24;
            allow 127.0.0.1;
            deny  all;

            auth_basic           "Administrator’s Area";
            auth_basic_user_file /etc/apache2/.htpasswd;
        }
    }
}

With this configuration, when accessing the status page, users will be prompted to log in. If the provided credentials do not match those in the password file, a 401 (Authorization Required) error will be displayed.

Implementing HTTP Basic Authentication and IP whitelisting can greatly enhance the security of your website or specific areas within it. By combining these measures, you can ensure that only authorized users with valid credentials and IP addresses can access your resources.

2023-06-27 21:17:51