Home / server / Questions / 1169659
Accepted
suchislife
Asked: 2025-01-01 02:12:37 +0800 CST

Ubuntu NGINX 1.24.0 Basic Auth Module no longer included. How to enable?

  • 772

I am unable to find this information online regarding from what version nginx seized to include the http_auth_basic_module as a configure option. Also, how do I enable it? Or where can I download modules from?

Server Config:

nginx -V

nginx version: nginx/1.24.0 (Ubuntu)
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
./configure \
--with-cc-opt='-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/nginx-DlMnQR/nginx-1.24.0=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/nginx-DlMnQR/nginx-1.24.0=/usr/src/nginx-1.24.0-2ubuntu7.1 -fPIC -Wdate-time -D_FORTIFY_SOURCE=3' \
--with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -fPIC' \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=stderr \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-compat \
--with-debug \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_v2_module \
--with-http_dav_module \
--with-http_slice_module \
--with-threads \
--with-http_addition_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_sub_module \
--with-mail_ssl_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-stream_realip_module \
--with-http_geoip_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_perl_module=dynamic \
--with-http_xslt_module=dynamic \
--with-mail=dynamic \
--with-stream=dynamic \
--with-stream_geoip_module=dynamic

Using grep to search:

nginx -V 2>&1 | grep http_auth_basic_module

Result:

Not found

GitHub - /src/http/modules/ngx_http_auth_basic_module.c

NGINX config test

# info.nginx
location = "/info.nginx" {

    auth_basic           "Administrator's Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    access_log    off;
    default_type  "application/json; charset=UTF-8";
    return        200 '{"nginx_version":"$nginx_version","time":{"time_iso8601":"$time_iso8601","time_local":"$time_local","msec":"$msec"},"remote":{"remote_addr":"$remote_addr","remote_port":"$remote_port"},"host":{"host":"$host","hostname":"$hostname"},"server":{"server_addr":"$server_addr","server_name":"$server_name","server_port":"$server_port","server_protocol":"$server_protocol"},"request":{"request_time":"$request_time","request_method":"$request_method","request_uri":"$request_uri","request_filename":"$request_filename","uri":"$uri","query_string":"$query_string","realpath_root":"$realpath_root"},"document":{"document_root":"$document_root","document_uri":"$document_uri"}}';
}
nginx

2 Answers

  1. Best Answer

    As previously mentioned, according to the request processing phases description from nginx development guide, the return directive is executed during the NGX_HTTP_REWRITE_PHASE, whereas the auth_... directives take effect during the later NGX_HTTP_ACCESS_PHASE. As an alternative, you can use the try_files directive to jump to another location during the even later NGX_HTTP_PRECONTENT_PHASE (see this answer for details):

    # info.nginx
location = /info.nginx {
    auth_basic           "Administrator's Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
    try_files "" @info_nginx;
}
location @info_nginx {
    access_log    off;
    default_type  "application/json; charset=UTF-8";
    return        200 '{"nginx_version":"$nginx_version","time":{"time_iso8601":"$time_iso8601","time_local":"$time_local","msec":"$msec"},"remote":{"remote_addr":"$remote_addr","remote_port":"$remote_port"},"host":{"host":"$host","hostname":"$hostname"},"server":{"server_addr":"$server_addr","server_name":"$server_name","server_port":"$server_port","server_protocol":"$server_protocol"},"request":{"request_time":"$request_time","request_method":"$request_method","request_uri":"$request_uri","request_filename":"$request_filename","uri":"$uri","query_string":"$query_string","realpath_root":"$realpath_root"},"document":{"document_root":"$document_root","document_uri":"$document_uri"}}';
}

    In addition to the answer, I can say that if nginx were actually compiled without the basic auth module, its configuration would fail validation at startup, and nginx would return an error like nginx: [emerg] unknown directive "auth_basic" in ...

    • 1

  2. Alternative - Using a map to validate Basic Auth Credentials

    Logic:

    1. Any HTTP header that's received becomes a variable with: $http_<header_name>.
    2. So any Authorization header received from the client becomes $http_authorization.
    3. Armed with this knowledge we create a map inside the http{...} context.
    4. We then map the Authorization header to a variable called $auth_status.
    5. If the exact Authorization header is not present, the map evaluates to "unauthorized".
    http {
    map $http_authorization $auth_status {

        # Basic base64(admin:secret)
        "Basic YWRtaW46c2VjcmV0" "authorized";

        # Basic base64(user1:secret)
        "Basic dXNlcjE6c2VjcmV0" "authorized";

        # Basic base64(user2:secret)
        "Basic dXNlcjI6c2VjcmV0" "authorized";

        # Basic base64(user3:secret)
        "Basic dXNlcjM6c2VjcmV0" "authorized";

        # Default unauthorized
        default "unauthorized";

    }
}
    1. We use $auth_status to protect a location block inside the server {...} context:
    server {

    # info.nginx
    location = "/info.nginx" {

        # HTTP 401: Unauthorized
        if ($auth_status = "unauthorized") {
            return 401;
        }

        # HTTP 200: OK
        access_log    off;

        default_type  "application/json; charset=UTF-8";
        return 200 '{"nginx_version":"$nginx_version","remote_user":"$remote_user", "http_authorization": "$http_authorization","time":{"time_iso8601":"$time_iso8601","time_local":"$time_local","msec":"$msec"},"remote":{"remote_addr":"$remote_addr","remote_port":"$remote_port"},"host":{"host":"$host","hostname":"$hostname"},"server":{"server_addr":"$server_addr","server_name":"$server_name","server_port":"$server_port","server_protocol":"$server_protocol"},"request":{"request_time":"$request_time","request_method":"$request_method","request_uri":"$request_uri","request_filename":"$request_filename","uri":"$uri","query_string":"$query_string","realpath_root":"$realpath_root"},"document":{"document_root":"$document_root","document_uri":"$document_uri"}}';

    }
}
    1. Finally, we create a custom HTTP 401 error_page inside the server {...} context and add the WWW-Authenticate header to trigger Browser Basic Auth Login Prompt.
    error_page 401 /401-nginx.html;

location = "/401-nginx.html" {
    root var/www/internal;
    internal;
    add_header WWW-Authenticate 'Basic realm="Restricted Area"' always;
}
    • 0