Add user and password to NGINX proxy

Go to:

http://aspirine.org/htpasswd_en.html

In the left box (#1) enter a username and password that you want to use like:

willb179   MonkeyBiscuits123

In the right box (#2) click Generate htpasswd content

It will generate a line like this:

willb179:$apr1$l9.OI9au$uZaO8fsnfhrNHI7V.Tr52.

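Send this hashed line (the “willb179:$apr1$l9.OI9au$uZaO8fsnfhrNHI7V.Tr52.”) via Slack or email. It is a salted MD5 (apr1) hash rather than encryption, so the password can still be guessed offline if the line leaks; send it directly to the person who maintains the proxy rather than posting it in a shared channel.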

Remember the password you used!

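The site generates the hash automatically, so users can create and submit their own hashed passwords. Note that this means typing the password into a third-party page served over plain HTTP; the `openssl passwd -apr1` command shown under “Local:” below produces the same kind of hash without the password leaving your machine.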

vi /etc/nginx/htpasswd

service nginx restart

**** MAKE SURE THE USER ISN’T ALREADY IN THERE!! If you have duplicates, you will get a constant string of 401 Unauthorized because it picks the FIRST one in the list and you’ll pull your hair out.

NGINX Config for password protected reverse proxy:

proxy.conf:


# Shared reverse-proxy settings, pulled in with `include conf.d/proxy.conf;`.

# --- Headers passed to the proxied backend ---
# Pass the requested host name through to the backend.
proxy_set_header Host $host;
# Address of the client that connected to this nginx instance.
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# value the client sent, so everything except the last entry is client-controlled.
# The backend should not use the earlier entries for access decisions.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Do not rewrite Location/Refresh headers returned by the backend.
proxy_redirect off;

# --- Request body limits ---
# Larger request bodies are rejected with 413.
client_max_body_size 50m;
client_body_buffer_size 128k;

# --- Backend timeouts (seconds) ---
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;

# --- Response buffering: 32 buffers of 4k per connection ---
proxy_buffers 32 4k;

nginx.conf.erb


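# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # Plain ASCII quotes and hyphen: typographic quotes/dashes pasted from a
    # web page end up as literal characters in the log format.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        # NOTE(review): this listener is plain HTTP. Basic auth sends the
        # username and password base64-encoded (not encrypted) on every
        # request, so anyone on the network path can read them. Terminate TLS
        # here or in front of this server before exposing it beyond a trusted
        # network.
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            # Basic auth: every request must carry credentials that match an
            # entry in the htpasswd file. When a user name appears more than
            # once, the first entry is the one that is checked.
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/htpasswd;

            include conf.d/proxy.conf;

            # The auth check only protects traffic that passes through nginx.
            # NOTE(review): confirm the backend on port 8080 listens on
            # loopback only, otherwise it can be reached directly without
            # credentials.
            proxy_pass http://127.0.0.1:8080;
        }
    }
}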

Local:

openssl passwd -apr1

Enter the password you want twice when prompted; the command prints an apr1 (salted MD5) hash of that password.

Add:

username:$apr1encryptedpassword

Chef:

nginx.rb



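# Install nginx from EPEL and ship the basic-auth user file.
include_recipe 'yum-epel::default'

package 'nginx'

# /etc/nginx/htpasswd holds one "user:apr1-hash" line per account.
# apr1 is a salted MD5 scheme that can be attacked offline, so the file is
# kept away from other local users: root owns it, and the nginx group (the
# worker processes run as user nginx) gets read-only access.
# `sensitive true` keeps the file contents and diffs out of the Chef log.
# NOTE(review): as a cookbook_file the hashes also live in the cookbook
# repository; treat that repository as holding credentials.
%w[htpasswd].each do |f|
  cookbook_file "/etc/nginx/#{f}" do
    source f
    owner 'root'
    group 'nginx'
    mode '0640'
    sensitive true
  end
end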



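# Shared proxy_* settings, included by nginx.conf.
# Configuration files are owned by root: the nginx master process reads them
# as root, and the worker account has no reason to be able to rewrite them.
cookbook_file '/etc/nginx/conf.d/proxy.conf' do
  source 'proxy.conf'
  owner 'root'
  group 'root'
  mode '0644'
  # Without a notification a changed file is never picked up, because the
  # service resource below only enables and starts nginx.
  notifies :reload, 'service[nginx]', :delayed
end

# Use nginx.conf template
template 'nginx.conf' do
  path '/etc/nginx/nginx.conf'
  source 'nginx.conf.erb'
  owner 'root'
  group 'root'
  mode '0644'
  notifies :reload, 'service[nginx]', :delayed
end

# Start nginx now and on every boot.
service 'nginx' do
  action [:enable, :start]
end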



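require 'mixlib/shellout'

# Ask SELinux for its current mode. This runs while the recipe is being
# compiled, not during the converge phase.
selinuxstatus = Mixlib::ShellOut.new('getenforce')

selinuxstate =
  begin
    selinuxstatus.run_command
    selinuxstatus.error!
    # getenforce prints the mode followed by a newline; without strip the
    # comparisons below never match and the boolean is never set.
    selinuxstatus.stdout.strip
  rescue Errno::ENOENT
    # getenforce is not installed, so SELinux is not in use on this node.
    'Disabled'
  end

Chef::Log.info("SELinux Status is: #{selinuxstate}")

# SELinux possible states are:
# Enforcing
# Disabled
# Permissive
# We only need to do this when Enforcing or Permissive
# When disabled or not installed we don't need to do anything else

if %w[Enforcing Permissive].include?(selinuxstate)
  # httpd_can_network_connect lets processes in the httpd domain (nginx
  # included) open outbound network connections, which proxy_pass to the
  # backend requires. It applies to every destination, not only the backend.
  # NOTE(review): consider a narrower policy if that is broader than needed.
  execute 'Allow nginx to proxy to connect to nifi' do
    command 'setsebool -P httpd_can_network_connect 1'
    # Skip the persistent policy write when the boolean is already on.
    not_if 'getsebool httpd_can_network_connect | grep -q "on$"'
    action :run
  end
end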

htpasswd (example entries; generate your own hashes rather than reusing these):


cloudse:$apr1$5CtzHM1B$mC51/7dwYEFgwWs91/cjz/


brad:$apr1$/1R/RT5j$Lf5/RqKRojHct0p20.zLu.

proxy.conf:


# Shared reverse-proxy settings, pulled in with `include conf.d/proxy.conf;`.

# --- Headers passed to the proxied backend ---
# Pass the requested host name through to the backend.
proxy_set_header Host $host;
# Address of the client that connected to this nginx instance.
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# value the client sent, so everything except the last entry is client-controlled.
# The backend should not use the earlier entries for access decisions.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Do not rewrite Location/Refresh headers returned by the backend.
proxy_redirect off;

# --- Request body limits ---
# Larger request bodies are rejected with 413.
client_max_body_size 50m;
client_body_buffer_size 128k;

# --- Backend timeouts (seconds) ---
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;

# --- Response buffering: 32 buffers of 4k per connection ---
proxy_buffers 32 4k;

nginx.conf.erb


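# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # Plain ASCII quotes and hyphen: typographic quotes/dashes pasted from a
    # web page end up as literal characters in the log format.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        # NOTE(review): this listener is plain HTTP. Basic auth sends the
        # username and password base64-encoded (not encrypted) on every
        # request, so anyone on the network path can read them. Terminate TLS
        # here or in front of this server before exposing it beyond a trusted
        # network.
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            # Basic auth: every request must carry credentials that match an
            # entry in the htpasswd file. When a user name appears more than
            # once, the first entry is the one that is checked.
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/htpasswd;

            include conf.d/proxy.conf;

            # The auth check only protects traffic that passes through nginx.
            # NOTE(review): confirm the backend on port 8080 listens on
            # loopback only, otherwise it can be reached directly without
            # credentials.
            proxy_pass http://127.0.0.1:8080;
        }
    }
}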



