secureinfrastructure,

How to secure-docker-instance-with-basic-Authentication

Manikanta S Manikanta S Follow Jul 01, 2022 · 1 min read
How to secure-docker-instance-with-basic-Authentication
Share this

Nginx reverse proxy with Basic Authentication

Secure Docker Deployment

Introduction:

Recently, I faced a challenge to deploy a docker web application with basic authentication. Instead of modifying the docker web application, I deployed the docker instance behind the Nginx reverse proxy with Basic Auth. So I want to share the process and challenges I faced in order to deploy the docker web app.

Stage 1: Setup Nginx and Basic Authentication:

First, we have to install Nginx and set up a password for basic authentication.

sudo apt-get install nginx

setup basic authentication credentials using htpasswd.

sudo htpasswd -c /etc/nginx/.htpasswd <setup_username>

If you got an error while executing the above command like htpasswd command not found. Then try the below command to install htpasswd

sudo apt-get install apache2-utils

Stage 2: Configure Nginx:

Edit /etc/nginx/nginx.conf with user configuration changed to any docker member user.

sudo sed -i 's/user .*;/user <dockermember>;/' /etc/nginx/nginx.conf

Stage 3: Deploy docker web application on localhost:

Make sure the docker instance should be run on the localhost. If you run the docker instance on public IP. Then there is no value to the Nginx reverse proxy.

sudo docker run --rm -it -p 127.0.0.1:8076:80 yeasy/simple-web:latest

Stage 4: Configure docker site to Nginx route:

sudo vi /etc/nginx/sites-enabled/docker

Add below content with the docker hostname and port number.

upstream docker {  server unix:/var/run/docker.sock;}server {  listen 4242 default_server;  location / {    proxy_pass http://127.0.0.1:8076;    auth_basic_user_file /etc/nginx/.htpasswd;    auth_basic "Access restricted";    #proxy_buffering off; optional value. if you face "

Now you can access the application with the public IP address of your server with the respective Nginx port (4242).

http://cloudinstance-ip:4242

HTTP Basic Authentication uses username/password credentials transferred without any encryption. So we have to implement (HTTPS) TLS for the Nginx proxy.

Thanks for spending your time. If you like this write-up please do follow me and stay tuned for more technical knowledge.

bugbounty owasp itsecurity cookie-security dockersecurity reverseproxy
Join Newsletter
Get the latest news right in your inbox. We never spam!
Manikanta S
Written by Manikanta S Follow
Hi, I am a computer security enthusiast, Indian security researcher, and BugHunter.
Never leave this tip while you are hunting Broken Access Control.
The Importance of Checking User-Agent Header Dependency in Penetration Testing.