nginx
1. Basic authentication
The auth_* directives can be added to different contexts, e.g. to the server context:

server {
    auth_basic "NOT ALLOWED";
    auth_basic_user_file /etc/nginx/.htpasswd;
    ...
}
Format of auth_basic_user_file is 1 user per line (USERNAME:HASHED_PASSWORD):
alan:$apr1$2c4myb0h$UTSfR845eEanPaMXoufcX.
The password needs to be hashed with htpasswd(1) or openssl-passwd(1ssl):

# the -c flag will create or truncate the file
htpasswd -c /etc/nginx/.htpasswd alan

# OR ..

# don't leave the password in the shell history
echo "alan:$(openssl passwd -apr1 '<PASSWORD>')" | sudo tee /etc/nginx/.htpasswd
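The $apr1$ scheme that htpasswd(1) and `openssl passwd -apr1` produce is Apache's MD5-based crypt variant; the following is an added example (not from this page or from nginx) that reimplements it so a USERNAME:HASHED_PASSWORD line can be checked against a candidate password before the file is deployed. It handles $apr1$ entries only, and the user, password and salt in the test are constructed sample values.

```python
import hashlib
import hmac

# crypt(3)-style alphabet used for the salt and the encoded digest
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    # emit `count` characters, six bits at a time, least significant first
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>' as htpasswd(1)/openssl passwd -apr1 do."""
    pw, sp = password.encode(), salt.encode()[:8]   # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for i in range(len(pw), 0, -16):                # one alt digest per 16 pw bytes
        ctx.update(alt[:min(16, i)])
    i = len(pw)
    while i:                                        # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                           # fixed 1000 stretching rounds
        ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx.update(sp)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return (b"$apr1$" + sp + b"$" + enc).decode()


def verify_entry(line: str, username: str, password: str) -> bool:
    """Check one USERNAME:HASHED_PASSWORD line the way nginx does for Basic auth."""
    user, _, hashed = line.strip().partition(":")
    parts = hashed.split("$")                       # ['', 'apr1', salt, digest]
    if user != username or len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), hashed)
```

A freshly generated line can be fed to verify_entry() together with the intended password; a plaintext or non-apr1 entry is rejected rather than matched.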
2. Examples
2.1. Drop-in configuration
# /etc/nginx/conf.d/00-framboise.conf - nginx(8)
# https://developer.mozilla.org/en-US/observatory/
# https://nginx.org/en/docs/http/ngx_http_headers_module.html
# https://owasp.org/www-project-secure-headers/index.html
# https://nginx.org/en/docs/dirindex.html
# https://www.ssllabs.com/ssltest/

add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'self' https://two.example.com; frame-src 'self' https://www.youtube-nocookie.com; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' https:; font-src 'self'; connect-src 'self'; form-action 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Content-Type-Options "nosniff" always;

# more_clear_headers Server;
# more_clear_headers X-Powered-By;
proxy_hide_header X-Powered-By;
fastcgi_hide_header X-Powered-By;
2.2. Reverse proxy
# /etc/nginx/sites-available/one.example.com
server {
    server_name one.example.com;
    client_max_body_size 0;

    location / {
        proxy_pass http://localhost:5280;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        tcp_nodelay on;
    }

    include /etc/nginx/conf.d/00-framboise.conf;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/one.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/one.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = one.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name one.example.com;
    return 404; # managed by Certbot
}
2.3. Website with basic authentication
See Basic authentication on how to set up auth_basic_user_file.

# /etc/nginx/sites-available/two.example.com
server {
    server_name two.example.com;
    root /srv/two.example.com;
    index index.html;

    auth_basic "NOT ALLOWED";
    auth_basic_user_file /etc/nginx/.htpasswd;

    include /etc/nginx/conf.d/00-framboise.conf;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/two.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/two.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = two.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name two.example.com;
    return 404; # managed by Certbot
}