
More Secure NGINX Authentication than auth_basic

@Lee4591628

Posted in: #Authentication #Nginx

I've been trying to come up with the most secure method of authentication to my reverse proxy in NGINX. I've been using ngx_http_auth_basic_module so far without any issues, but there are apparently some glaring security implications with this setup. Most of these security concerns are not too big of an issue because my site is strictly operating with SSL. I'd still like to secure it as much as possible.

Are there any alternative, superior authentication mechanisms for NGINX?

I'm open to anything; this is not a public service.


@Miguel251

Although the question is 2 years old, I would like to keep answering it.

The page linked by the accepted answer (https://www.nginx.com/resources/wiki/modules/auth_digest/) is 11 years old and states itself that "... (it) is in need of broader testing before it can be considered secure enough for use in production."

A GitHub page (https://github.com/atomx/nginx-http-auth-digest) is also linked, and more recent advice (April 2017) of the authors may be found on it: "The module is currently functional but has only been tested and reviewed by its author. And given that this is security code, one set of eyes is almost certainly insufficient to guarantee that it's 100% correct."

So my conclusion is that the accepted answer gives a very interesting module which is unfortunately not advisable for securing sensitive data.


@BetL925

NGINX has a digest authentication module: www.nginx.com/resources/wiki/modules/auth_digest/
Unlike basic authentication, digest authentication does not send user names and passwords in plain text over the internet.

If your site is SSL only, then basic authentication is probably fine. The SSL encrypts the entire session including the user names and passwords.

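The difference between the two schemes discussed in the answers above, as an added example that is not part of the original posts: what each one places in the `Authorization` header. The sample credentials and nonce are the worked example from RFC 2617 section 3.5, not values from this page, and the function names are hypothetical.

```python
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization value a client sends with Basic auth: base64, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """What anyone able to read the request recovers from a Basic header."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' field (MD5, qop=auth): a hash bound to the server nonce."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # secret-derived value
    ha2 = md5_hex(f"{method}:{uri}")              # request-derived value
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Sample values from the RFC 2617 section 3.5 example (assumed, not from the page).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print("Basic header  :", hdr)
    print("Decodes back to:", decode_basic(hdr))
    print("Digest response:", digest_response(
        USER, REALM, PASSWORD, "GET", "/dir/index.html",
        NONCE, "00000001", "0a4f113b"))
```

Over TLS both headers are encrypted in transit, which is the point made above about SSL-only sites.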