Set Up Nginx Password Authentication on Debian 11 Easy Setup


This guide, brought to you by Orcacore, walks you through setting up Nginx password authentication on Debian 11. Password authentication is a fundamental security measure, crucial for protecting sensitive data and resources. It verifies a user’s identity by comparing the credentials they enter (username and password) against stored, hashed versions.

You’ve undoubtedly encountered password authentication systems across various platforms, from social media to online banking. These systems are designed to ensure that only authorized individuals can access restricted content. The core principle is that the person who initially created and set the password is the only one who knows it, thereby validating their identity.

To set up Nginx password authentication on Debian 11, you’ll need to meet a few prerequisites.

Firstly, you must be logged into your Debian 11 server as a non-root user with sudo privileges. If you haven’t already done so, refer to our guide on Initial Server Setup with Debian 11 for detailed instructions.

Secondly, Nginx must be installed on your server. If it’s not already installed, follow our guide on How To Install Nginx on Debian 11.

Once these requirements are fulfilled, you can proceed with the following steps to implement password authentication on Debian 11.

1. Create a File for Password Authentication on Debian 11

The first step involves creating a file that will store the username and password combinations. There are two primary methods for achieving this, each utilizing different utilities.

Let’s explore both approaches, allowing you to choose the one that best suits your needs.

Create a Password File with OpenSSL Utilities

If you have OpenSSL installed on your server, you can leverage it to create a password file without requiring any additional packages.

This method creates a hidden file named .htpasswd within the /etc/nginx configuration directory to store the username and hashed password combinations.

First, add a username to the file using the following command. In this example, we’ll use the username "sam," but you can choose any desired name:

sudo sh -c "echo -n 'sam:' >> /etc/nginx/.htpasswd"

Next, use the following command to add a hashed password for your user. The command prompts for the password and appends its apr1 (MD5-based) hash to the file:

sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"

Repeat these steps for any additional users you wish to add.

You can list the usernames and hashed passwords stored within the file by executing the following command:

cat /etc/nginx/.htpasswd
**Output**
sam:$apr1$wI1/T0nB$jEKuTJHkTOOWkopnXqC1d1

Create a Password File with Apache Utilities

Many users find the Apache utility htpasswd easier to use than OpenSSL. To utilize this method, follow these steps:

First, update your local package index with the following command:

sudo apt update

Then, install the apache2-utils package on Debian 11 using the following command:

sudo apt install apache2-utils

This installation provides access to the htpasswd command. This command creates a password file that Nginx can use to authenticate users on Debian 11.

The command below creates a hidden file called .htpasswd within your /etc/nginx configuration directory and adds your first user to it. Here, we use "sam" as the username:

sudo htpasswd -c /etc/nginx/.htpasswd sam

You will be prompted to enter a password for the user.

New password:
Re-type new password:
Adding password for user sam

If you want to add more users, run the above command without the -c option, because -c creates a new file and overwrites an existing one:

sudo htpasswd /etc/nginx/.htpasswd another_user

List the username and the hashed password for each record with the command below:

cat /etc/nginx/.htpasswd
**Output**
sam:$apr1$RN6i1en7$6oZpZbofVH4cdduRzwv5A0
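
To audit the resulting file, the following added example (not part of the original guide) names each entry's hash scheme and flags entries left malformed by the two-step OpenSSL append, duplicate users, and a world-readable file. The function names are hypothetical and the sample lines are constructed, reusing the sample hash shown above.

```shell
# Added example: audit an htpasswd-style file such as /etc/nginx/.htpasswd.

# Name the scheme that a stored hash's prefix identifies.
classify_hash() {
    case "$1" in
        '')                      echo "empty" ;;
        '$apr1$'*)               echo "apr1-md5" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$5$'*)                  echo "sha256-crypt" ;;
        '$6$'*)                  echo "sha512-crypt" ;;
        '{SHA}'*)                echo "unsalted-sha1" ;;
        '{PLAIN}'*)              echo "plaintext" ;;
        *)                       echo "unknown" ;;
    esac
}

# Print one finding per problem; print nothing for a clean file.
audit_htpasswd() {
    seen=" "; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *:*) ;;
            *) echo "line $n: no ':' separator"; continue ;;
        esac
        user=${line%%:*}
        rest=${line#*:}
        hash=${rest%%:*}   # nginx reads a third ':' field as a comment
        case "$seen" in *" $user "*) echo "line $n: duplicate user $user" ;; esac
        seen="$seen$user "
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            empty|plaintext|unsalted-sha1|unknown)
                echo "line $n: user $user has $scheme hash" ;;
        esac
    done < "$1"
}

# Succeed if "other" can read the file (8th character of the ls mode string).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Constructed sample: an interrupted two-step append left "bob:" without a hash.
sample=$(mktemp)
printf '%s\n' 'sam:$apr1$wI1/T0nB$jEKuTJHkTOOWkopnXqC1d1' 'bob:' > "$sample"
audit_htpasswd "$sample"
rm -f "$sample"
```

On Debian the Nginx workers run as www-data, so chown root:www-data plus chmod 640 on /etc/nginx/.htpasswd keeps the file readable by Nginx but not by other local users.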

2. Configure Password Authentication with Nginx on Debian 11

At this point, you have a file containing your users and passwords in a format that Nginx can read on Debian 11.

Now, you must configure Nginx to check this file before serving your protected content. To do this, open the server block configuration file to which you want to add the restriction.

For this example, we’ll use the default server block file installed through Debian’s Nginx package:

sudo vi /etc/nginx/sites-enabled/default

This example implements a server-level restriction. The auth_basic directive activates authentication and sets the realm name displayed to the user when prompting for credentials. The auth_basic_user_file directive points Nginx to the password file you created:

server {
    listen 80 default_server;

     . . .

    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Note: Depending on the block you place the restrictions on, you can control the granularity of which parts of your site require a password. This alternative example restricts only the document root with a location block, and you can even modify this listing to only target a specific directory within the web space:

server {
    listen 80 default_server;

     . . .

    location / {
        try_files $uri $uri/ =404;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

When you are done, save and close the file.

Restart Nginx on Debian 11 to apply the changes:

sudo systemctl restart nginx

Access Restricted Content

To confirm that your content is protected, try to access your restricted content in a web browser:

http://your-server-ip

You should be presented with a username and password prompt:

[Image of password authentication with Nginx prompt]

If you enter the correct credentials, you will be allowed to access the content. You have now completed the setup of Nginx password authentication on Debian 11.
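
Because the restriction applies only inside the block that carries auth_basic, it is worth checking which paths actually answer 401 without credentials. This added example (not part of the original guide) does that; the function names and the BASE_URL variable are assumptions, and curl must be installed.

```shell
# Added example: confirm which paths really demand credentials.

# Status code for an unauthenticated GET (needs curl and a reachable server).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# Print every path under base URL $1 that did NOT answer 401 without credentials.
# Nginx checks access before it looks for the file, so a protected path
# answers 401 even when the file does not exist.
unprotected_paths() {
    base=${1%/}; shift
    for path in "$@"; do
        code=$(http_status "$base$path")
        [ "$code" = "401" ] || echo "$path $code"
    done
}

# Warn when credentials would cross the network unencrypted.
transport_warning() {
    case "$1" in
        https://*) ;;
        *) echo "Basic credentials sent to $1 are only base64-encoded; use HTTPS" ;;
    esac
}

# Runs only when BASE_URL is set, for example:
#   BASE_URL=http://your-server-ip sh check.sh / /index.html
if [ -n "${BASE_URL:-}" ]; then
    transport_warning "$BASE_URL"
    unprotected_paths "$BASE_URL" "$@"
fi
```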

Conclusion

You have now learned how to set up Nginx password authentication on Debian 11. Keep in mind that passwords are one of the most insecure forms of user authentication, and HTTP Basic authentication sends the credentials with every request, only base64-encoded. It is therefore recommended to use TLS encryption; see Securing Nginx With Let’s Encrypt on Debian 11.


Alternative Solutions for Nginx Password Authentication on Debian 11

While the .htpasswd method is a common and straightforward way to set up Nginx password authentication on Debian 11, there are alternative solutions that offer enhanced security and flexibility. Let’s explore two such methods: using LDAP and using a custom authentication module.

1. LDAP (Lightweight Directory Access Protocol) Authentication

LDAP provides a centralized directory service for managing user authentication. Instead of storing credentials locally in an .htpasswd file, Nginx can query an LDAP server to verify user credentials. This is particularly useful in environments with a large number of users or where user management is already handled by an LDAP directory.

Explanation:

LDAP authentication involves configuring Nginx to communicate with an LDAP server. When a user attempts to access a protected resource, Nginx sends the username and password to the LDAP server for verification. The LDAP server checks the credentials against its directory and returns a success or failure response to Nginx. Nginx then grants or denies access based on this response.

Configuration:

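To use LDAP authentication, you’ll need the nginx-auth-ldap module. Installation instructions vary depending on your system, and directive names and syntax differ between LDAP modules and versions, so check the example below against the documentation of the module you install.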

Once the module is installed, you need to configure Nginx to use it. The following is a basic example configuration:

http {
    # ... other configurations ...

    auth_ldap_cache_enabled on;
    auth_ldap_cache_expiration 3600; # Cache for 1 hour

    server {
        # ... other configurations ...

        location /protected {
            auth_ldap_bind_dn "cn=admin,dc=example,dc=com";
            auth_ldap_bind_password "admin_password";
            auth_ldap_url "ldap://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=*)";
            auth_ldap_realm "Restricted Area";

            require valid-user;
            # ... other configurations ...
        }
    }
}

Explanation of Configuration:

  • auth_ldap_bind_dn: The distinguished name (DN) of the user Nginx will use to bind to the LDAP server. This user needs read access to the directory.
  • auth_ldap_bind_password: The password for the bind DN.
  • auth_ldap_url: The URL of the LDAP server, including the base DN, the attribute used for username (in this case, uid), and the search filter.
  • auth_ldap_realm: The realm displayed in the authentication prompt.
  • require valid-user: Grants access to any user who authenticates successfully against the LDAP server.

Advantages of LDAP Authentication:

  • Centralized User Management: Simplifies user management by leveraging a central directory service.
  • Scalability: Easily scales to accommodate a large number of users.
  • Security: Benefits from the security features of the LDAP server.

2. Custom Authentication Module

For more complex authentication requirements, you can develop a custom authentication module for Nginx. This allows you to implement any authentication logic you need, such as integrating with a database or using a custom authentication protocol.

Explanation:

A custom authentication module is a C module that extends Nginx’s functionality. The module intercepts requests for protected resources and performs custom authentication logic. It then returns a status code to Nginx, indicating whether the user is authenticated or not.

Implementation:

Developing a custom authentication module requires C programming skills and a good understanding of the Nginx API.

Example (Conceptual):

While a full code example is beyond the scope of this article, here’s a conceptual outline:

  1. Create a C module: Implement the necessary Nginx module hooks to intercept requests.
  2. Implement Authentication Logic: Write C code to connect to your authentication backend (e.g., a database), verify credentials, and retrieve user information.
  3. Return Status Code: Return NGX_HTTP_OK if authentication is successful, NGX_HTTP_UNAUTHORIZED if authentication fails, or other appropriate status codes.
  4. Configure Nginx: Load the module in Nginx’s configuration and configure the protected locations to use the module for authentication.

Advantages of Custom Authentication Modules:

  • Flexibility: Allows you to implement any authentication logic you need.
  • Integration: Easily integrates with existing authentication systems.
  • Control: Provides complete control over the authentication process.

While these alternative solutions require more effort to set up than the .htpasswd method, they offer enhanced security, scalability, and flexibility for Nginx password authentication on Debian 11, especially in complex environments.
