I'm not sure if basic auth on my server is being secured

This may be a really dumb question, but I had to make sure that I'm fine with this.

I set up an HTTPS server with basic auth, but the browser informs me that the connection is not secured when I connect to the auth page, and tells me that the connection is secured after I sign in. I want to know whether this is safe, and if not, how can I make it secure?

Config (NGINX):

server {
    listen 80;
    server_name sub.example.com;

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name sub.example.com;

    ssl_certificate (certpath);
    ssl_certificate_key (certkeypath);
    ssl_trusted_certificate (anotherpath);
    ssl_dhparam (dhparam);

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA25$
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        auth_basic 'Nothing to see here';

        proxy_pass http://localhost:4000/;
    }
}

Screenshot

Comments:

Do you have proper certificates installed?

Jungroy: @TeroKilkanen Yes, I have a Let's Encrypt cert installed and Chrome recognizes it too after I sign in.

digijay: Have you added the basic authentication to the encrypted host or to the unencrypted one (port 80)? Please share your config file(s).

Jungroy: @digijay Every HTTP request is redirected to HTTPS, thus basic auth is on the HTTPS server; I'll share the config ASAP.

Michael Hampton: What is the real hostname?

Michael Hampton: Yes, we _prefer_ posting real information whenever possible, as it makes diagnosis much easier in many cases.

Michael Hampton: For example: `curl: (7) Failed to connect to omv.jungroy.codes port 443: Connection refused`. Is your web server up? Did you delete the https configuration?

Jungroy: @MichaelHampton Oh, I denied all except my IP; I'll allow that.

Jungroy: @MichaelHampton You can curl it now.

Michael Hampton: Everything seems to be working fine.

Jungroy: Oh, thank you for checking it out!
Answer:

Your configuration appears fine; it's the browser that is misbehaving.

Your site correctly redirected to https, and the basic auth request was sent to you over https. But the browser did not update the address bar before popping up the dialog. Interestingly, I was able to see this behavior both on Chrome and Firefox. Perhaps this is because the browser asked for the credentials before (from its perspective) the page load was complete? It's a question for the browser developers.
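The property the answer confirms by hand (the Basic challenge is only ever issued on the TLS listener, and the plaintext listener does nothing but redirect) can be checked mechanically. The script below is an added example, not code from the question or the answer: a small nginx-config audit run over a constructed copy of the asker's layout and over a variant that also challenges for credentials on port 80. It assumes the config is a top-level sites-enabled file, as posted.

```python
import re

def parse_server_blocks(config: str):
    """Return each server {...} block as a flat list of its directives
    (directives inside nested location {...} blocks are included)."""
    text = re.sub(r"#.*", "", config)  # drop comments
    blocks, current, buf, depth, start = [], None, "", 0, 0
    for ch in text:
        if ch == "{":
            if current is None and re.fullmatch(r"\s*server\s*", buf):
                current, start = [], depth  # entering a server block
            depth += 1
            buf = ""
        elif ch == "}":
            depth -= 1
            if current is not None and depth == start:
                blocks.append(current)
                current = None
            buf = ""
        elif ch == ";":
            if current is not None and buf.strip():
                current.append(" ".join(buf.split()))
            buf = ""
        else:
            buf += ch
    return blocks

def audit_basic_auth(config: str):
    """Findings for Basic auth reachable over plaintext; [] means only over TLS."""
    findings = []
    for i, block in enumerate(parse_server_blocks(config)):
        listens = [d for d in block if d.startswith("listen ")]
        # no listen directive at all means nginx's default plaintext port
        tls = bool(listens) and all("ssl" in d.split() for d in listens)
        has_auth = any(d.startswith("auth_basic ") for d in block)
        redirects = any(re.match(r"return 30[1278] https://", d) for d in block)
        if has_auth and not tls:
            findings.append(f"server #{i}: auth_basic challenged on plaintext listener {listens}")
        if not tls and not redirects:
            findings.append(f"server #{i}: plaintext listener does not redirect to https")
    return findings

# Constructed configs: the asker's layout (auth only behind 443) and a variant
# that also offers auth_basic on port 80 and never redirects.
SAFE = """server { listen 80; server_name sub.example.com;
  return 301 https://$server_name$request_uri; }
server { listen 443 ssl http2; location / { auth_basic 'x'; proxy_pass http://localhost:4000/; } }"""
UNSAFE = """server { listen 80; location / { auth_basic 'x'; proxy_pass http://localhost:4000/; } }
server { listen 443 ssl http2; location / { auth_basic 'x'; proxy_pass http://localhost:4000/; } }"""
```

`audit_basic_auth(SAFE)` returns an empty list for the asker's layout, while the variant yields two findings for server #0; a server block that lists both `listen 80;` and `listen 443 ssl;` is also flagged, since the challenge would then be reachable over plaintext.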
