NGINX multiple level auth_basic authentication

Looking for a way to set a global auth_basic authentication. But when somebody knows one for a specific site then they should be able to connect.

Is this possible at all?

Example :

nginx.conf

auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

staging.com

auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.staging.com;

local.com

auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.local.com;

skauk

6 years ago

Level 8

@cruorzy The directive for HTTP basic authentication auth_basic can be used in different context including http, server and location. This means that you could set up different authentication for your whole server, virtual hosts and specific locations (or turn it off). For example:

http {
    auth_basic "Global";
    auth_basic_user_file conf/htpasswd/global;

    server {
        server_name example1.com;
        auth_basic "Example 1";
        auth_basic_user_file conf/htpasswd/example1;

        location /api {
            auth_basic "API";
            auth_basic_user_file conf/htpasswd/api;
        }
    }

    server {
        server_name example2.com;
        auth_basic "Example 2";
        auth_basic_user_file conf/htpasswd/example2;

        location /guest {
            auth_basic off;
        }
    }
}

Check out this guide for more info.

Cruorzy

6 years ago

Level 14

@skauk Thanks!

But is there a way that auth_basic Global credentials can access the Example 2 server without knowing those specific credentials?

skauk

6 years ago

Level 8

@cruorzy Please describe a scenario where this would be needed.

Cruorzy

6 years ago

Level 14

@skauk

Well the scenario is that its handy for me, but let me explain what the goal is.

I am apart of a team, Team A. Team A (Me and the Leader) should be able to access both development/staging environment protected by auth_basic

Team B should only be able to access Staging

But Team A does not know Team B their credentials.

And then we have like a GLOBAL auth credentials for me so i can make use of any site without having to look up all credentials.

If its not possible i'll probably make a package for laravel that gets activated when its in local or staging environment.

skauk

6 years ago

Level 8

@cruorzy Well, there's a reason it is called basic authentication. If your use case is more elaborate, you have to look into more complex authorization mechanisms.

[email protected]

6 years ago

Level 17

you could define two virtual servers for the same location though:

http {
    

    server {
        server_name dev.example.com;
        auth_basic "Example 1";
        auth_basic_user_file conf/htpasswd/example1;
	root /dev;

    	location / {
    	}

    }

    server {
        server_name staging_but_with_dev_cred.example.com;
        auth_basic "Example 1";
        auth_basic_user_file conf/htpasswd/example1;
	root /staging;

    	location / {
    	}
    }

    server {
        server_name staging.example.com;
        auth_basic "Example 2";
        auth_basic_user_file conf/htpasswd/example2;
	root /staging;

    	location / {
    	}
    }
}

Please or to participate in this conversation.