At the moment I configured http basic authentication for all services without own authentication.
Problem:
http basic authentication in incompatible with my password manager and sometimes (depending on the service behind nginx) it’s not working very well (multiple authentication requests etc.)
As I was unable to find a solution:
Is there a good and easy way to protect all services reachable via nginx?
Something like:
As soon I try to reach one of my services I log in once and than I can reach all services without additional authentication.
I’m not a deep NGINX Guru and I am having some challenge understanding what you are trying to accomplish. So I hope you don’t mind me asking a few questions.
What kind of services are you protecting, (if you can share this)?
What is your current NGINX setup? Open Source Core, Plus, any modules?
Are these services internal (private network) or external (publicly accessible)? Big security differences
Do you have an existing identity provider (IdP) or user directory they want to integrate with?
There may be multiple approaches to this depending on factors,.
Further to the questions from @davemc, I will add that there is no way to do what you want to do if you are using NGINX Open Source. There might be some custom third party modules that could help you achieve your goal, but these are not supported nor tested by us.
That being said, you could implement some solutions with NGINX Plus if you are comfortable with using certificates/API keys, but if you want a portal that easily works with a password manager, you really want to use a fully fledged identity provider solution. F5 has a solution that might work, but it’s catered towards enterprise users.
Thanks for the answers. I’m using the Open Source version without any extension. It just routes the traffic to the correct internal service.
So it looks that there is no way to so it this way.
I have tools like “Homepage” (a tool to create a custom start page for your internal services etc.), the UI of my 3D printer, Plex, audiobookshelf etc. running. Some like Plex and audiobookshelf provide their own authentication, but most tools don’t.
These tools are available external via a DynDND provider. I don’t have any user directory or something like this running. As an IDP I think I could use Google…
Again, I’m not as deep as @alessandro but some random thoughts.
There is a module (which is not compiled into NGINX Open Source core, http_auth_request_module which allows NGINX to make an internal subrequest to an authentication service. The doc is linked.
You could also look into OpenID Connect, where NGINX acts as a Relying Party. This does require the authentication be offloaded to a dedicated identity provider.
OAuth 2.0 does something similar (but more robust at SSO). NGINX Plus has OIDC built-in.
I’m a bit out of my depth here, but these might be able to help.