Nginx Http Basic Auth Security

Question

So lets say I host something like netdata dash board on port 6000.

Then I nginx reverse proxy it to the subdomain netdata.domain.com

While basic auth is applied at the nginx.conf to allow site wide protection.

My question is, since my connection to netdata.domain.com is http instead of https, my data is not encrypted. So won't logging into to nginx basic auth under this connection basically expose the password for a MITM attack?

But if I add cloudflare between the real ip, that gives a layer of proxy and basically adds a lot of difficulty for that to happen right?

I don't know if my concern is valid.

why would you want to use http instead of https? there is no reason why you can't — djdomi, Jul 25 '21 at 15:48

score 1 · Accepted Answer · answered Jul 25 '21 at 13:39

My question is, since my connection to netdata.domain.com is http instead of https, my data is not encrypted. So won't logging into to nginx basic auth under this connection basically expose the password for a MITM attack?

Correct. It's sent entirely in cleartext, and anyone in the path may read it trivially.

But if I add cloudflare between the real ip, that gives a layer of proxy and basically adds a lot of difficulty for that to happen right?

If you configure CF to require TLS, then the connection between client and CF will be encrypted. Between CF and server it won't be.

It's 2021. Certificates are free, and trivially automatable on all platforms. Do not deploy authentication over HTTP in 2021. Configure it the proper way with TLS on your web server.

Nginx Http Basic Auth Security

1 Answers1