LinuxQuestions.org


yash1990 05-15-2019 08:38 AM

Nginx Authentication
 
Hi All,

I recently installed ELK on my server. Now I needed to set up authentication to access the dashboard link. Up to some level I have succeeded, but not fully. Authentication works if I access the link with the hostname or IP: www.test.com or 10.10.10.10.

But as soon as I access the same link with port 5601, authentication does not work on it. It just loads the dashboard without authenticating.
Example : 10.10.10.10:5601 or www.test.com:5601

Below is the content of nginx.conf file :

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;
}

=======================

Below is the content of authentication file :

upstream app {
    server 10.10.10.10:5601;
    keepalive 64;
}

server {
    listen 80;
    server_name www.test.com;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://app;
    }
}

=========================

sevendogsbsd 05-15-2019 09:05 AM

I've never done authentication on nginx but it looks like you have it configured for port 80 only. Do you just need to add another authentication entry for port 5601? Also, not using HTTPS means the username and password are sent in the clear - if this is internal only or in a lab, that's probably fine but if going out over the Internet, I would implement HTTPS.

yash1990 05-15-2019 10:27 AM

I am going to access this application in a private network, so SSL is not important. After having configured nginx, I am getting the same content for the links below:
www.test.com:5601
www.test.com

I'm getting authentication pop-up for www.test.com, but not for www.test.com:5601

sevendogsbsd 05-15-2019 10:30 AM

Quote:

Originally Posted by yash1990 (Post 5995299)
I am going to access this application in a private network, so SSL is not important. After having configured nginx, I am getting the same content for the links below:
www.test.com:5601
www.test.com

I'm getting authentication pop-up for www.test.com, but not for www.test.com:5601

Understood, but what I was suggesting was something like this, but I am not sure this is how you do this in nginx as I have not configured authentication in it before:

Code:

server {
    listen 5601;
    server_name www.test.com;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;
}


yash1990 05-15-2019 10:56 AM

Not working. Below is the error that I get upon nginx service restart:

May 15 11:53:13 test.com polkitd[5867]: Registered Authentication Agent for unix-process:11576:89549281 (system bus name :1.570 [/usr/bin/pkttyagent --notify-fd 5
May 15 11:53:13 test.com systemd[1]: Starting nginx - high performance web server...
-- Subject: Unit nginx.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman.../systemd-devel
--
-- Unit nginx.service has begun starting up.
May 15 11:53:13 test.com nginx[11582]: nginx: [emerg] bind() to 0.0.0.0:5601 failed (98: Address already in use)
May 15 11:53:14 test.com nginx[11582]: nginx: [emerg] bind() to 0.0.0.0:5601 failed (98: Address already in use)
May 15 11:53:14 test.com nginx[11582]: nginx: [emerg] bind() to 0.0.0.0:5601 failed (98: Address already in use)
May 15 11:53:15 test.com nginx[11582]: nginx: [emerg] bind() to 0.0.0.0:5601 failed (98: Address already in use)
May 15 11:53:15 test.com nginx[11582]: nginx: [emerg] bind() to 0.0.0.0:5601 failed (98: Address already in use)
May 15 11:53:16 test.com nginx[11582]: nginx: [emerg] still could not bind()
May 15 11:53:16 test.com systemd[1]: nginx.service: control process exited, code=exited status=1
May 15 11:53:16 test.com systemd[1]: Failed to start nginx - high performance web server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman.../systemd-devel
--
-- Unit nginx.service has failed.
--
-- The result is failed.
May 15 11:53:16 test.com systemd[1]: Unit nginx.service entered failed state.
May 15 11:53:16 test.com systemd[1]: nginx.service failed.
May 15 11:53:16 test.com polkitd[5867]: Unregistered Authentication Agent for unix-process:11576:89549281 (system bus name :1.570, object path /org/freedesktop/Po

sevendogsbsd 05-15-2019 11:00 AM

So where is the entry for port 5601 configured? If the dashboard is available on 5601, all I am saying is you need to configure that port for authentication.

yash1990 05-15-2019 12:29 PM

You can find the entry for 5601 in the config file:

upstream app {
    server 10.10.10.10:5601;
    keepalive 64;
}

server {
    listen 80;
    server_name www.test.com;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://app;
    }
}

sevendogsbsd 05-15-2019 12:42 PM

Quick search resulted in this, might be helpful: https://stackoverflow.com/questions/...tion-in-kibana

tyler2016 05-17-2019 06:14 AM

I'm taking a shot in the dark here since I use HAProxy for my front ending needs. What happens when you replace:

Code:

location / {
    proxy_pass http://app;
}

with:

Code:

location / {
    proxy_pass http://app;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;
}
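
The configs and the bind() error in this thread show that Kibana itself answers on port 5601 at a reachable address, so nginx's auth_basic only covers requests that arrive on port 80. The following is an added example, not part of any post above: it assumes Kibana and nginx run on the same host and that Kibana is rebound to loopback through server.host in kibana.yml; the 127.0.0.1 upstream address and the proxy_* lines are assumptions.

```nginx
# Added example, not from the thread.
# Assumption: kibana.yml (Kibana's own config, not nginx) contains
#     server.host: "127.0.0.1"
#     server.port: 5601
# so Kibana no longer answers on 10.10.10.10:5601 and every request has
# to come in through nginx and pass auth_basic.

upstream app {
    server 127.0.0.1:5601;   # loopback only; the thread used 10.10.10.10:5601
    keepalive 64;
}

server {
    listen 80;
    server_name www.test.com;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://app;
        # Required for the upstream keepalive pool to be used
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
    }
}

# Do not add "listen 5601;" to nginx: Kibana already holds that port, which
# is what produces
#   bind() to 0.0.0.0:5601 failed (98: Address already in use)
#
# Checks after restarting kibana and nginx:
#   ss -ltn | grep 5601               -> expect 127.0.0.1:5601 only
#   curl -i http://www.test.com/      -> expect 401 without credentials
#   curl -i http://10.10.10.10:5601/  -> expect connection refused
```

If Kibana has to stay on a non-loopback address (for example, nginx on a different host), a host firewall rule that allows port 5601 only from the proxy's address gives the same effect.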


