Nginx and htpasswd (basic authentication)

Hi All,

Is anyone successfully using basic authentication via .htpasswd with nginx? I have SSL and reverse proxy set up and working well, but as soon as I enable basic auth, I run into problems. After entering in my credentials, the HA UI just churns, eventually telling me it is unable to connect. When I disable it, everything works fine.

I found what looks to be a similar issue described here :

server {
    listen 80;
    server_name domainname.com;
    return 301 https://$server_name$request_uri;  # enforce https
}

server {
    server_name domainname.com;
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;
    ssl_dhparam /etc/nginx/cert/dhparam.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.8.4;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~ /.well-known {
        allow all;
    }
}

That was my post. There is one more solution that was offered that I haven't tried yet. Going to try this weekend after I upgrade my Hass.

Nginx basic auth works fine on a laptop now both on wifi and external with port forwarding, but on mobile, I still have that issue where post login, it drops me at a hass login page (hass api password is disabled).

Let me know how it goes. I'd feel better about my setup with auth working.

I am having the issue in both Safari on my Mac and on my iPhone. Your comment that it was working on your laptop made me wonder what another browser would do. And guess what, it works fine in Chrome on my Mac. So maybe something Apple/Safari specific?

I've just begun using Home Assistant a few days ago, and I've just run into this issue. There's a ton of posts about this problem, but no solutions. In my case, I just want API access (don't need webpage access) to my HA server from the internet, but I also wanted it to be as secure as possible. Since I can't use Basic Authentication, the solution I came up with is just to specify the API path:

location /api/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 90;
    proxy_pass http://home.example.com:8123/api/;
    proxy_redirect default;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
}

If anyone has any ideas on how to make this even more secure, please let me know. I can't really specify allowed IPs, as I'm receiving POST requests from IFTTT, and don't want to spend time updating IP address lists.

I have this problem as well. Disabling basic auth fixes the error. What kind of URIs can I safely whitelist without auth?

I just setup the following config and it works ok for me. I do however still have the built in password turned on.

server { # simple reverse-proxy
    listen       80;
    server_name  test.yada.com;
    return 301 https://$host$request_uri;
}

server {
    server_name  test.yada.com;
    listen 443 ssl;
    listen 8123 ssl;
    ssl_certificate /etc/letsencrypt/live/test.yada.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.yada.com/privkey.pem;
    ssl_dhparam  /etc/ssl/certs/dhparam.pem;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass      http://192.168.47.200:8123/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}

I'm also having this problem. It does not happen after clearing the cache, but starts happening after some time (after session timeout, I guess). On nginx's access.log I see many 401 request errors.

auth_basic "Restricted" and HA login enabled. Commenting auth_basic solves the problem.
I have tried every config I found here on the forum.
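
One way to check the access-log observation above, as an added example that is not part of the original thread: it separates clients that authenticated on ordinary requests but got a 401 with no user name on `/api/websocket` from clients that never authenticated at all. It assumes nginx's default `combined` log format; the log lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx default "combined" access-log format (assumed; adjust for a custom log_format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, shortened user agents).
SAMPLE_LOG = '''\
203.0.113.10 - - [10/Mar/2018:21:00:01 +0000] "GET / HTTP/1.1" 401 195 "-" "Safari/605.1 (constructed)"
203.0.113.10 - alice [10/Mar/2018:21:00:05 +0000] "GET /states HTTP/1.1" 200 2140 "-" "Safari/605.1 (constructed)"
203.0.113.10 - - [10/Mar/2018:21:00:06 +0000] "GET /api/websocket HTTP/1.1" 401 195 "-" "Safari/605.1 (constructed)"
203.0.113.10 - - [10/Mar/2018:21:00:11 +0000] "GET /api/websocket HTTP/1.1" 401 195 "-" "Safari/605.1 (constructed)"
203.0.113.20 - - [10/Mar/2018:21:02:00 +0000] "GET / HTTP/1.1" 401 195 "-" "Chrome/64.0 (constructed)"
203.0.113.20 - alice [10/Mar/2018:21:02:04 +0000] "GET /states HTTP/1.1" 200 2140 "-" "Chrome/64.0 (constructed)"
203.0.113.20 - alice [10/Mar/2018:21:02:05 +0000] "GET /api/websocket HTTP/1.1" 101 0 "-" "Chrome/64.0 (constructed)"
198.51.100.7 - - [10/Mar/2018:21:05:00 +0000] "GET /api/websocket HTTP/1.1" 401 195 "-" "curl/7.58 (constructed)"
198.51.100.7 - bob [10/Mar/2018:21:05:02 +0000] "GET / HTTP/1.1" 401 195 "-" "curl/7.58 (constructed)"
'''

def clients_dropping_credentials(log_text, path_prefix="/api/websocket"):
    """Return {(ip, user_agent): count} for clients that passed basic auth on
    some request yet received 401 with no user name ("-") on path_prefix."""
    authed = set()
    anon_401 = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        key = (m["ip"], m["ua"])
        status = int(m["status"])
        if m["user"] != "-" and status != 401:
            authed.add(key)  # credentials were sent and accepted
        elif m["user"] == "-" and status == 401 and m["path"].startswith(path_prefix):
            anon_401[key] += 1  # request arrived without an Authorization header
    # Keep only clients that are known to hold valid credentials.
    return {k: n for k, n in anon_401.items() if k in authed}

if __name__ == "__main__":
    for (ip, ua), n in clients_dropping_credentials(SAMPLE_LOG).items():
        print(f"{ip} [{ua}]: {n} unauthenticated 401s on /api/websocket")
```

A 401 logged with a user name (the `bob` line) is a rejected password rather than a missing header, so it is not counted.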

Having the same issue as everyone else. No iOS for me though. Chrome on Windows works fine, but Chrome on Android breaks like iOS does. I've installed Firefox on Android which seems to work ok.

Actually I fixed this by adding the api location to nginx (on Android at any rate - I can't check iOS.)

Add this to your nginx server config:

location /api/websocket {
    proxy_pass http://[change-me-to-hass-location]:[port]/api/websocket;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    auth_basic "Website Password";
    auth_basic_user_file [change-me-to-password-file];
}

No luck for me with this. I just tried it out, and still getting 'unable to connect' in Safari on Mac and iOS. Shucks!

And today it's not working for me either.

Sorry guys.

I've just realised what happened.

I navigated to the /api/websocket address which made the basic auth window popup. I authenticated it and then went to the /states URL which worked.

Theoretically we could create an index.html file somewhere with html to redirect it back to /states. It should then auth on our new page, load our page which then flicks you back to the HA /states URL.

Theoretically.

It's late here now so I might give this a shot tomorrow night.

@mattyman Did you ever get this working?

No. :frowning:

I gave up and ended up just setting up the password in HA itself using the secrets file.

Darn that's too bad. I'm pretty sure the bug is this: https://github.com/home-assistant/home-assistant/issues/6184. I'm not sure it's on the radar for being fixed anytime soon.

@mattyman I ended up switching to oauth2 using bitly/oauth2 behind nginx, and that worked fine without any problems. The hard part was setting it up, but it worked great after that.
