This is a quick tutorial on setting up NGINX with Certbot when you’re using HTTP Basic Authentication.
HBA is what you see if you set parameters like this in a location:
auth_basic "some arbitrary name"; auth_basic_user_file /etc/nginx/path/to/my/password/file;
If you do this, you’ll see a prompt like this if you visit the site:
You can use httpasswd (an Apache tool – it’s in apache2-tools on Debian) to create the password file.
HTTP Basic Auth is a very convenient way to lock off a site while you’re working on it (or if you intend it to be forever private). Many web apps have login/authentication features and if you are managing a user base, obviously you need to use a system built for that. But for quick “me only” curtaining off a site or if you’re locking off a site where you don’t feel like investing the time and effort into authentication, it’s excellent.
However, there’ s hitch: Certbot renewals.
Certbot won’t know your HTTP Basic Auth user name and password, so when it comes to do its renewal (or the initial certificate provisioning), it fails. You could disable HBA, do the provision or renewal, and then reenable it, or you could look at a different type of challenge such as DNS. However, I’ll share a quick set-it-and-forget-it. It looks like this in your site’s NGINX config file:
location /.well-known { autoindex on; root /your/web/root/for/this/site; auth_basic off; }
What this does is tell NGINX that the directory .well-known (which is where Certbot does its challenges) is not to be protected by HTTP Basic Authentication. Every other place will be, but that one directory won’t, and Certbot will work just fine.
I like this method because it allows me to script the complete web setup: create the NGINX config file/links/users files, recycle NGINX, run certbot, and the site is then ready to go all in a single script.
Enjoy!
Related Posts:
- Little Machines in Big Datacenters: Where to Host Your Raspberry Pi - October 10, 2024
- WHMCS and cPanel Prices Going Up By… 5%? 10%? Keep Guessing… - October 9, 2024
- Has the Biggest Performance Bottleneck in Python Finally Been Slain? - October 8, 2024
Leave a Reply