Chapter 6. Authentication


NGINX is able to authenticate clients. Authenticating client requests with NGINX offloads work from your application servers and stops unauthenticated requests from reaching them. Modules available for NGINX Open Source include basic authentication and authentication subrequests. The NGINX Plus exclusive module for verifying JSON Web Tokens (JWTs) enables integration with third-party authentication providers that use the authentication standard OpenID Connect.

HTTP Basic Authentication


You need to secure your application or content via HTTP basic authentication.


Generate a file in the following format, where the password is encrypted or hashed with one of the allowed formats:

# comment

The username is the first field, the password is the second field, and the delimiter is a colon. There is an optional third field, which you can use to comment on each user. NGINX understands a few different password formats, one of which is a password encrypted with the C function crypt(). This function is exposed to the command line by the openssl passwd command. With openssl installed, you can create encrypted password strings by using the following command:

$ openssl passwd MyPassword1234

The output will be a string that NGINX can use in your password file.
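The password file format described above (username, password, optional comment, colon-delimited) can be checked before it is deployed. The following is an added example, not code from the book: a Python auditor that parses such a file and reports which password scheme each entry uses. The sample entries are constructed, the function name audit is hypothetical, and the recognised prefixes assume the formats NGINX documents for auth_basic_user_file (crypt(), Apache apr1 MD5, and the RFC 2307 {PLAIN}, {SHA} and {SSHA} schemes).

```python
import re

# Constructed sample in the user:password[:comment] format described above.
# The hash strings are made up for illustration and match no real password.
SAMPLE = """\
# comment
alice:$apr1$Xq3rT9aB$0123456789abcdefghijk.:ops team
bob:abJnggxhB/yWI
carol:{PLAIN}MyPassword1234:temporary account
dave:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789
erin
"""

# (prefix regex, scheme label, finding; None means nothing to report).
# Which $N$ crypt() variants verify depends on the server's C library.
SCHEMES = [
    (r"\{PLAIN\}", "plain", "password stored in cleartext"),
    (r"\{SHA\}", "sha1", "unsalted SHA-1"),
    (r"\{SSHA\}", "ssha", "single-round salted SHA-1"),
    (r"\$apr1\$", "apr1-md5", None),
    (r"\$1\$", "md5-crypt", None),
    (r"\$5\$", "sha256-crypt", None),
    (r"\$6\$", "sha512-crypt", None),
    (r"[./0-9A-Za-z]{13}$", "des-crypt",
     "traditional crypt() uses only the first 8 password characters"),
]

def audit(text):
    """Return (line_no, user, scheme, finding) for every entry in the file."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment line
        fields = line.split(":", 2)  # third field is the optional comment
        if len(fields) < 2 or not fields[0] or not fields[1]:
            results.append((no, fields[0], "malformed", "missing field"))
            continue
        user, secret = fields[0], fields[1]
        for pattern, scheme, finding in SCHEMES:
            if re.match(pattern, secret):
                results.append((no, user, scheme, finding))
                break
        else:
            results.append((no, user, "unknown", "unrecognised format"))
    return results

if __name__ == "__main__":
    for no, user, scheme, finding in audit(SAMPLE):
        print(f"line {no}: {user:<6} {scheme:<13} {finding or 'ok'}")
```

Entries reported with a finding are candidates for regeneration with a stronger scheme before the file is referenced from the NGINX configuration.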

Use the auth_basic and auth_basic_user_file directives within your NGINX configuration ...
