mirror of https://github.com/opnsense/docs
www/nginx: add authentication via TLS/Basic (#40)
parent 86292bb405
commit 2011d4a9a4
Binary file not shown.
After Width: | Height: | Size: 6.2 KiB |
Binary file not shown.
After Width: | Height: | Size: 8.4 KiB |
Binary file not shown.
After Width: | Height: | Size: 13 KiB |
Binary file not shown.
After Width: | Height: | Size: 14 KiB |
@ -0,0 +1,87 @@
===========================================
nginx: Basic Authentication & Authorization
===========================================

.. Warning::

Passwords in password files cannot be stored securely.
Your passwords are stored in plain text in the configuration and as md5 in the
nginx password files. Secure password hashes like bcrypt_, scrypt_ or
Argon_ 2 are currently not supported by nginx.

Please also note that basic authentication transfers the credentials in plain text
to the server. It is recommended that you only use it via HTTPS because otherwise
every attacker with a network sniffer such as Wireshark_ (and mabe some additional
man in the middle tools like ettercap_ or fake_router6_) will be able to intercept
your connection to the server and read your password.

.. _Argon: https://github.com/P-H-C/phc-winner-argon2
.. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt
.. _scrypt: https://en.wikipedia.org/wiki/Scrypt
.. _Wireshark: https://www.wireshark.org/
.. _ettercap: https://www.ettercap-project.org/
.. _fake_router6: https://github.com/vanhauser-thc/thc-ipv6


Background Information
======================

Basic authentication encodes the username and the password in Base64 in a HTTP header.
Because it is really simple to implement, almost every HTTP client supports it.
For this reason, people use it to protect REST interfaces and so on.
Also authentication for the OPNsense API supports this kind of authentication.

Configuration
=============

Create Users
------------

Navigate to the "Credential" tab.

.. image:: images/nginx_user.png

Enter a username and a password and press ok

Create An User List
-------------------

Navigate to the tab "User List".

.. image:: images/nginx_users.png

Select all users, that should have access to a specific resource and give this group a name.


Assign it to a Location
-----------------------

In the last step, the user list must be added to the location.

.. image:: images/nginx_auth_location.png

As soon as you restart the server,
you will need to log in to access the contents of this directory.
To do so, you can enter any string in the basic authentication field,
which will be sent as an realm. The user list is the list previously
created.

Reload the server.

Testing
=======

You can use curl to check if it works. In a browser like Firefox, a dialog asking for credentials should open.

.. code-block:: sh

curl -v -u user:password "http://example.com/restricted/image.png"

Advanced Authentication
=======================

The entry advanced authentication is used to call an external authentication
provider. In the case of OPNsense, this is currently a special script,
which authenticates agains the local database. If you want to use it,
do not enter a realm nor select a user list.
Please note that this feature may change in the future.
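Review bot: the curl command in the Testing block requests http://example.com/restricted/image.png over plain HTTP, directly after the Warning tells readers to use basic authentication only via HTTPS; changing the example to `https://example.com/restricted/image.png` keeps the worked test consistent with the advice (with `-v`, the reader also sees the `WWW-Authenticate: Basic realm=...` challenge that the realm string produces). The Warning could also state the consequence of "stored in plain text in the configuration": anyone who can read the configuration or its backups obtains the credentials, so the warning concerns config handling as much as the md5 hash. Minor wording: "Argon_ 2" renders as a link named "Argon" followed by a stray "2", so use `Argon2_` with a matching `.. _Argon2:` target; "mabe" should be "maybe", "agains" should be "against", "an realm" should be "a realm", "Create An User List" should be "Create A User List", and "press ok" should end with a full stop.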
@ -0,0 +1,56 @@
=========================================
nginx: TLS Authentication & Authorization
=========================================

.. Warning::

Even if this is probably the most secure way to authenticate,
a lot of clients do not support it or I may be hard for users
to configure it.

This authentication mechanism is recommended for machine to
machine communication and experienced users.


Background Information
======================

TLS authentication happens when the HTTPS connection is set up and for
this reason you can not configure it per directory (this information has
not been received yet). If you want to use this authentication type in
a custom application, the nginx plugin configures nginx to send you
the required information like the CN).

Configuration
=============

First of all, you need a CA, a client and a server certificate.

Please create it like described in :doc:`sslvpn_client`. If you want,
that your VPN users can log into your application using the same certificate,
you may use the same CA.

.. image:: images/nginx_auth_tls.png

Next, choose the CA, the certificate and choose *on* as for client validation.
This will reject any connection by a client, who has no valid certificate.

Testing
=======

.. code-block:: none

curl https://192.168.1.1:444/file.txt --cacert ../MyOPNsenseCA.crt
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx</center>
</body>
</html>

.. code-block:: none

curl https://192.168.1.1:444/file.txt --cert ../nginx_client_test_cert.crt --key ../nginx_client_test_cert.key --cacert ../MyOPNsenseCA.crt
Hello World
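Review bot: the Background Information paragraph has an unbalanced parenthesis: "(this information has not been received yet)" is closed, but "like the CN)." then closes a parenthesis that was never opened; suggested reading: "TLS authentication happens when the HTTPS connection is set up, so it cannot be configured per directory (at that point the request path has not been received yet). If you want to use this authentication type in a custom application, the nginx plugin configures nginx to pass you the required information, such as the CN." The Configuration section says VPN users may reuse the same CA; because client validation applies to the whole server rather than per directory (as the Background section notes), the text should state the consequence explicitly: every holder of a VPN client certificate from that CA can then also reach the application. The Testing section shows the rejected request (400 No required SSL certificate was sent) and the accepted one; a third request with a certificate issued by a different CA, which must also be rejected, would make the test complete. Typos: "I may be hard" should be "it may be hard", "Please create it like described" should be "Please create them as described", and "If you want, that your VPN users" should drop the comma.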