How to configure NGINX reverse proxy for authentication?

VrishankGupta
November 4, 2022
249 views
0 votes
2 Answers

I am trying to use NGINX as an authenticated passthrough proxy (which intercepts a request, checks authentication, and redirects to the original destination (including HTTPS and HTTP URLs) ). However, when I try to achieve the same, I am getting the error as

2022/11/04 15:42:58 [info] 6905#0: *7 no user/password was provided for basic authentication, client: 127.0.0.1, server: localhost, request: "GET http://www.google.com/ HTTP/1.1", host: "www.google.com"

2022/11/04 15:42:58 [info] 6905#0: *7 kevent() reported that client 127.0.0.1 closed keepalive connection

I am using the following curl:

curl -x 127.0.0.1:80 -u username:password  "https://www.google.com"

Here is my nginx.conf file

 index    index.html index.htm index.php;
 ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;
 ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;
 default_type application/octet-stream;
 log_format   main   '$remote_addr - $remote_user [$time_local]  $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

log_format custom1 '$remote_addr - $remote_user [$time_local] '
                                       '"$request" $status $body_bytes_sent '
                                       '"$http_referer" "$http_user_agent" '
                                       '"$http_x_forwarded_for" $request_id '
                                       '"$request_body"';
log_format custom '$request_body' ;
access_log   logs/host.access.log custom ;
sendfile     on;
spinous   on;

server_names_hash_bucket_size 128; # this seems to be required for some vhosts

server { # simple reverse-proxy
 listen       8082;
 proxy_connect;
 auth_basic           "Restricted Content";
 auth_basic_user_file /etc/apache2/.htpasswd;
 proxy_connect_allow            443 563;
 proxy_connect_connect_timeout  1220s;
 proxy_connect_read_timeout     1220s;
 proxy_connect_send_timeout     1220s;

 resolver 8.8.8.8;

 server_name  localhost;
 access_log   logs/host.access.log main;

 listen 443 SSL;
 listen [::]:443  SSL;

 ssl_session_timeout 5m;
 ssl_certificate /usr/local/etc/ssl/certs/self-signed.crt;
 ssl_certificate_key /usr/local/etc/ssl/private/self-signed.key;
 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
 ssl_prefer_server_ciphers on;

 location / {
    proxy_pass $host:$server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    auth_basic           "Administrator’s Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
  }
 }
}

Answers

- PHagemann
- November 8, 2022 at 7:19 am
- 0 votes
0
The occurrence of

2022/11/04 15:42:58 [info] 6905#0: *7 no user/password was provided for basic authentication, client: 127.0.0.1, server: localhost, request: "GET http://www.google.com/ HTTP/1.1", host: "www.google.com"

should be fine as the first request is made without any auth:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

Nginx seems to follow this practice:
https://serverfault.com/questions/491604/nginx-auth-basic-errors-user-not-found-and-no-user-password-provided

Login or Signup to reply.

- AboozarGhaffari
- November 13, 2022 at 11:04 am
- 0 votes
0
The error is clear enough!

no user/password was provided for basic authentication …

So obviously your htpasswd file does not contain any user data.
Try to add a user to the file by using the following command:
```
htpasswd /etc/apache2/.htpasswd your_username
```
After that you can test your curl request again:

curl proxy port is not correct in your example. You should use 8082 port
```
curl -x 127.0.0.1:8082 -u your_username:your_password  "https://www.google.com" 
```
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.