Protecting some applications/paths with HTTP basic auth

Hi everyone,

I am experimenting with Yunohost to replace my home-grown server installation. I have a Wordpress blog which is currently available at:

https://mydomain.com/myblog

To reduce the attack surface, visitors first get basic HTTP authentication, set up with Apache, when they open the URL. Only visitors with the correct HTTP username and password can access Wordpress at all. Normal visitors do not have Wordpress accounts and use Wordpress anonymously. Authors and admins have accounts and log in to Wordpress in addition to the HTTP auth. Everyone (visitors, authors, admins) uses the same HTTP username and password.

I would like to have the same setup with Yunohost. I tried following options:

  • Install the HTTP Auth Plugin for Wordpress: HTTP Auth – WordPress plugin | WordPress.org. It does not seem to be compatible with the Yunohost setup: I get authentication errors or 500 errors from nginx.
  • Install the Password Protected plugin for Wordpress: Password Protected – WordPress plugin | WordPress.org. It works and kind of does the job, but the protection is lower than with HTTP auth: Wordpress itself and its potential security flaws are accessible to anyone with the base URL, and Wordpress media files can be accessed directly without the password if their path is known.

I am wondering if I can modify the nginx configuration created by Yunohost to add an HTTP auth for /myblog, but I fear that it will conflict with Yunohost's own authentication mechanisms, as was probably the case with the HTTP Auth Plugin for Wordpress.

So my question is: is it possible at all to protect some applications with an additional HTTP authentication using Yunohost?

Thanks!
Oliver

@oliv85559
I am not an expert in nginx, but I know nginx uses a modular syntax like Apache; in that case nginx uses htpasswd the same way.

Instead, I will explain to you how to do it with commands using SSL or Apache utilities.

I wrote a tiny tool several years ago especially for these purposes;
you can download the tool from my personal server here:
https://ep.epnetwork.cf/enc/

Once you load the page you will have two links I just set up for you there. The first one is the tool itself:
you can create a bcrypt password with cost level 12, which is the highest in bcrypt encryption, for your htpasswd file.

The second link is a gzip file; you can download that program so you can use it in the future whenever you need it.

How to implement:
Go to your console:
cd /
cd /etc/nginx
nano .htpasswd
and paste this =>

myusername:$2y$12$cDRThRg53ikSsN4AcaQRQ.KTfCDXx9B7eh1ZKvWyLCkr9UJTw5nCS

Save and close.
Note: the username, as you see, is “myusername”; change it accordingly.
The password is 1234; don’t change it until you have tested whether it is working, or set your own password with my tool.

Activate the password file:
cd /etc/nginx/conf.d

nano “your wordpress domain” / “website”

Add these lines in the “location” block:
auth_basic “WHATEVER USER INFORMED MESSAGE”;
auth_basic_user_file /etc/nginx/.htpasswd;

Change => WHATEVER USER INFORMED MESSAGE
to something you like; the browser will show it to the user.

It should be something like this:

location / {
    # auth_basic must be in the location that actually serves the site (the
    # HTTPS server block). Placed next to "return 301 https://...;" it never
    # runs: nginx issues the redirect before the access phase checks auth.
    auth_basic "WHATEVER USER INFORMED MESSAGE";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Save, and test.

If it doesn’t work, try to reload nginx:

sudo systemctl reload nginx

If it still doesn’t work, reboot your server.

If it still doesn’t work, tell me; I will try to help you and will make sure you have done everything right.

In any case, please tell me right away when you are done downloading, because I opened all of my firewalls so you can reach the page.

Good luck
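What nginx actually does with that htpasswd file, as an added example in Python (this is not izakis's tool and not nginx or YunoHost code): it parses htpasswd lines, verifies a password against the `$apr1$` scheme that `htpasswd` writes by default and against `{SHA}` entries, and turns a request's Authorization header into the 200-or-401 decision that `auth_basic` makes. Bcrypt entries like the `$2y$12$` one above are handed to the third-party `bcrypt` module, which is only imported when such an entry is met. The sample file, user names and realm are constructed for the example; the `myName` line is the `$apr1$` example from the Apache httpd documentation (password `myPassword`).

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt-style base64: 6 bits per character, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_crypt(password, salt):
    """Apache's $apr1$ MD5 scheme, what `htpasswd -m` (the default) writes."""
    pw = password.encode()
    salt = salt.split("$", 1)[0][:8]            # at most 8 characters, stops at '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                                 # mix in len(pw) bytes of the alt sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                     # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                        # fixed stretching, no cost parameter
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + out


def sha_entry(password):
    """{SHA} field as written by `htpasswd -s`: unsalted SHA-1, weak but accepted."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify(stored, password):
    """True if `password` matches one htpasswd hash field; unknown schemes deny."""
    if stored.startswith("$apr1$"):
        return hmac.compare_digest(apr1_crypt(password, stored[6:]), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_entry(password), stored)
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        import bcrypt                            # third-party, only for `htpasswd -B` entries
        return bcrypt.checkpw(password.encode(), stored.encode())
    return False                                 # crypt(3) DES/SHA-crypt not implemented here


def parse_htpasswd(text):
    """user -> hash field; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            users[user] = hashed
    return users


def basic_header(user, password):
    """The Authorization header a browser sends after the realm prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(auth_header, users, realm="Restricted"):
    """(status, headers) as auth_basic decides it: 401 with a challenge, or 200."""
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{realm}"'})
    if not auth_header or not auth_header.startswith("Basic "):
        return challenge
    try:
        creds = base64.b64decode(auth_header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return challenge
    user, sep, password = creds.partition(":")  # a password may itself contain ':'
    if not sep or user not in users or not verify(users[user], password):
        return challenge
    return (200, {})


# Constructed sample file. The first entry is the $apr1$ example from the Apache
# httpd documentation (password "myPassword"); the second is generated here.
SAMPLE_HTPASSWD = (
    "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\n"
    "# comment lines are ignored\n"
    "editor:" + sha_entry("s3cret") + "\n"
)
```

Run `authorize(basic_header("myName", "myPassword"), parse_htpasswd(SAMPLE_HTPASSWD), realm="Please identify for myblog")` to see the 200 decision, and pass a wrong password or `None` to get the 401 with its `WWW-Authenticate` challenge. Two things worth noticing: the `$apr1$` scheme has a fixed 1000-round loop and no cost parameter, which is why `htpasswd -B` (bcrypt) is the better choice for a file that a leaked backup could expose; and it is the 401 challenge that makes the browser prompt, so anything that answers the request before nginx's access phase (a `return` redirect in the same location, for instance) means no prompt and no protection.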

Hi @izakis,

thanks for your message! I do not really need help setting up an HTTP auth for nginx, my question is more how to do this the “Yunohost” way and/or without causing interference with it.

Well, seriously, I have no idea.

I am not sure if Yunohost has any option to do such a thing, and like you I now also want to know how to do it,

because I just tested it and it doesn’t work for me.
That is the way to do it and it works well on my other servers, but on Yunohost it doesn’t.

So now I am at the same question as you.

Thank you anyway! I hope that someone knowledgeable will come to the rescue :slight_smile:

yeah me too,

@tituspijean
@Aleks
@tierce

Can anyone help us, please?

I use WPS Hide Login – Extension WordPress | WordPress.org Français on WPs.

It’s done on the WP side, no need to touch nginx conf.

You can choose anything you want as the login path: /boss, /myloginpage, /notwelcomehere or whatever you like.

And I also use Captcha – WordPress plugin | WordPress.org because it’s funny.

Hope this helps…

Thank you @tierce. The “WPS Hide Login” plugin is similar to “HTTP Auth” in the sense that it is a Wordpress-based solution. The idea is to use the HTTP server as an additional line of defense. It is not only additional, but also much more robust. The probability that nginx or Apache has a flaw in HTTP basic auth for a whole subdirectory is much lower than for Wordpress, with its huge PHP code base, plugins and files that are directly accessible once the URL is known.

thank you @tierce

The question is how we can use the standard htpasswd for authentication on Yunohost; doing it at the server level would be helpful.

I did test the usual way yesterday and it didn’t work; moreover, I got a message on the diagnosis page that the “x.conf” file had been modified.

any hint will be appreciated,

Hi,

Authors and admins have accounts and log in into Wordpress in addition to the HTTP auth. Everyone (visitors, authors, admins) uses the same HTTP username and password.

Have you already tried to simply create a single yunohost user and “hide” wordpress for non-users ?
That would be done in yunohost webadmin (Users > Groups and permissions, or directly here : yourdomain.tld/yunohost/admin/#/groups). Be sure to put the Wordpress tile in “All users” and not in “Visitors”. Or just for the specific single user you’ll have to create.

Hi @jeremy1, sorry for the long delay, I do not have much time to work on this currently. But thank you for the hint, it sounds like an interesting idea, I will try it out soon.

I finally had time to continue working on this. The problem with the approach mentioned by @jeremy1 is that the “dummy” account will also be used within Wordpress automatically, due to the SSO. This will be a problem for comments, since all visitors will then write them under this same account. Or did I miss something?

One possibility is also to install Wordpress as a custom/unmanaged app, e.g. “my_webapp”. Then your idea would work better, but the actual Wordpress users (authors) must be managed directly in Wordpress (no SSO possible), and there is still no additional protection at the nginx level.

Hacking around, I actually found a way to use HTTP basic auth.

In /etc/nginx/conf.d/*.d/my_webapp.conf:

auth_basic "Please identify for ...";
auth_basic_user_file /etc/nginx/auth/...;

Create the auth file:

mkdir -p /etc/nginx/auth
htpasswd -c /etc/nginx/auth/...

Reload nginx:

systemctl reload nginx

Tweak ssowat by setting the following values to false:

vi /etc/ssowat/conf.json

    "my_webapp.main": {
        "auth_header": false,
        "use_remote_user_var_in_nginx_conf": false
    }

The flag use_remote_user_var_in_nginx_conf has been introduced very recently:

I found a related discussion here: Authentication issues with YunoHost 11.1.0 with new SSOwat version / Please upgrade to YunoHost 11.1.2 to fix - #85 by DerpFox

I don’t understand the background of all this… Does anyone know if the developer of the commit is on this forum?


Have you been able to try it? Best way to know :slight_smile: (as I’m not sure what this will do in the end).

Aleks clearly is on this forum, but tweaking nginx + ssowat is a very special case which I’m not sure he’ll be able to answer.

Finally, it is the week-end again, and I had time to work on this. It looks like I found a way. The idea is to create the nginx configuration outside of Yunohost and tell SSOwat to ignore it:

/etc/nginx/conf.d/mydomain.fake.d/mywordpress.conf

rewrite ^/mywordpress$ /mywordpress/ permanent;
location /mywordpress/ {

    auth_basic "Please identify for mywordpress";
    auth_basic_user_file /etc/nginx/auth/mywordpress;


    # Path to source
    alias /var/www/mywordpress/;

    # Common parameter to increase upload size limit in conjunction with dedicated PHP-FPM file
    #client_max_body_size 1G;

    # Default indexes and catch-all
    index index.html index.php;
    try_files $uri $uri/ /mywordpress/index.php?$args;

    # Prevent useless logs
    location = /mywordpress/favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /mywordpress/robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny access to hidden files and directories
    location ~ ^/mywordpress/(.+/|)\.(?!well-known\/) {
        deny all;
    }

    # Execute and serve PHP files
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm-mywordpress.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }

    # Include SSOWAT user panel.
    # include conf.d/yunohost_panel.conf.inc;
}

/etc/ssowat/conf.json.persistent
{
    "permissions": {
        "mywordpress": {
            "auth_header": false,
            "label": "My Wordpress",
            "show_tile": false,
            "public": true,
            "uris": [
                "mydomain.fake/mywordpress"
            ],
            "use_remote_user_var_in_nginx_conf": false
        }
    }
}

The consequence is of course that the Wordpress site cannot use SSO, but I can live with that.

Basically this solution allows hosting any custom application on a Yunohost server. I did not see how to do this in the documentation; I think it would be useful for other people and in other situations.

@aleks what do you think of this solution? By the way, I had to set use_remote_user_var_in_nginx_conf to false, but this field is not documented on GitHub - YunoHost/SSOwat: A simple SSO for NGINX, written in Lua
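Two checks for the setup worked out above, as an added Python example (not the thread's, YunoHost's or SSOwat's code). `lint_auth_basic()` reads an nginx snippet and reports any block where `auth_basic` sits next to a `return` or a `rewrite ... permanent|redirect`: nginx executes those in its rewrite phase, before the access phase in which `auth_basic` runs, so the redirect wins and nobody is ever challenged. `ssowat_persistent_entry()` builds the `conf.json.persistent` permission block with the two flags the post above had to set to false, and `merged_permissions()` adds it to an existing file's JSON without dropping other permissions. The two embedded snippets are trimmed copies of configurations quoted in this thread (one is a redirect location with `auth_basic` added to it, the other the working alias block); `mydomain.fake` and `/mywordpress` are the thread's placeholders, and what the two SSOwat flags do internally is not documented on the page, so the example only reproduces what worked there.

```python
import json
import re

# Tokens: double- or single-quoted strings, the three structural characters, or bare words.
_TOKENS = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')


def parse_nginx(text):
    """Tiny nginx config reader: list of {"head": [tokens], "body": None | nested list}.
    Enough for server/location nesting. '#' comments are stripped first (also inside
    quoted strings, which is acceptable for a lint)."""
    tokens = _TOKENS.findall(re.sub(r"#[^\n]*", "", text))
    pos = 0

    def read_block():
        nonlocal pos
        items, current = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                items.append({"head": current, "body": read_block()})
                current = []
            elif tok == ";":
                items.append({"head": current, "body": None})
                current = []
            elif tok == "}":
                return items
            else:
                current.append(tok)
        return items

    return read_block()


def lint_auth_basic(text):
    """Blocks where auth_basic is dead code because a rewrite-phase directive
    (return, rewrite ... permanent/redirect) answers the request first."""
    findings = []

    def walk(items, where):
        directives = [i["head"] for i in items if i["body"] is None]
        guarded = any(d[:1] == ["auth_basic"] and d[1:] != ["off"] for d in directives)
        redirects = [" ".join(d) for d in directives
                     if d[:1] == ["return"]
                     or (d[:1] == ["rewrite"] and d[-1] in ("permanent", "redirect"))]
        if guarded and redirects:
            findings.append(f"{where}: auth_basic never runs, '{redirects[0]}' wins first")
        for i in items:
            if i["body"] is not None:
                walk(i["body"], " ".join(i["head"]))

    walk(parse_nginx(text), "(top level)")
    return findings


# A redirect location with auth_basic added to it: looks protected, is not.
REDIRECT_WITH_AUTH = r"""
location / {
    return 301 https://$http_host$request_uri;
    auth_basic "WHATEVER USER INFORMED MESSAGE";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
"""

# Trimmed copy of the working alias block from this thread; the rewrite is outside it.
PROTECTED_ALIAS = r"""
rewrite ^/mywordpress$ /mywordpress/ permanent;
location /mywordpress/ {
    auth_basic "Please identify for mywordpress";
    auth_basic_user_file /etc/nginx/auth/mywordpress;
    alias /var/www/mywordpress/;
    index index.html index.php;
    try_files $uri $uri/ /mywordpress/index.php?$args;
    location = /mywordpress/robots.txt { allow all; log_not_found off; access_log off; }
    location ~ ^/mywordpress/(.+/|)\.(?!well-known\/) { deny all; }
    location ~ [^/]\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.4-fpm-mywordpress.sock;
        include fastcgi_params;
    }
}
"""


def ssowat_persistent_entry(name, label, domain, path):
    """Permission block for /etc/ssowat/conf.json.persistent: public (no portal
    redirect), no tile, plus the two flags the post had to set to false for the
    nginx-level auth to work (their internals are not documented on the page)."""
    return {
        name: {
            "auth_header": False,
            "label": label,
            "show_tile": False,
            "public": True,
            "uris": [domain + path],
            "use_remote_user_var_in_nginx_conf": False,
        }
    }


def merged_permissions(existing_text, entry):
    """Merge `entry` into an existing file's JSON ('' for a new file) without
    dropping other permissions; json.dump the result back to the file."""
    conf = json.loads(existing_text) if existing_text.strip() else {}
    conf.setdefault("permissions", {}).update(entry)
    return conf
```

`lint_auth_basic(REDIRECT_WITH_AUTH)` returns one finding naming the `return 301` line, while `lint_auth_basic(PROTECTED_ALIAS)` returns nothing because the `rewrite ... permanent` lives outside the guarded location. Running the lint over `/etc/nginx/conf.d/*.d/*.conf` after editing is cheap insurance; `nginx -t` only checks syntax and will happily accept the dead `auth_basic`. For the SSOwat side, `json.dump(merged_permissions(open(path).read(), ssowat_persistent_entry("mywordpress", "My Wordpress", "mydomain.fake", "/mywordpress")), open(path, "w"), indent=4)` writes the same block the post shows.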
