HowTo: RT View - Basic authentication in nginx

After setting up your nginx proxy to make the RT View content available, you’ll need some very basic means of authentication to prevent everybody from viewing all your internals. (This does not cover encryption using TLS to prevent man-in-the-middle attacks; without TLS, the Basic authentication credentials cross the network unencrypted.)

Prerequisites

  • You are using systemd to manage your services
  • You have installed cardano-rt-view (0.1.0). It runs and listens for connections on 127.0.0.1:[RTVIEW_PRIVATE_PORT]
  • You have installed nginx. You configured it to proxy requests on your [PUBLIC_IP]:[NGINX_PUBLIC_PORT] to 127.0.0.1:[RTVIEW_PRIVATE_PORT]

Install htpasswd
Fedora Linux/CentOS: sudo dnf -y install httpd-tools
Ubuntu/Debian: sudo apt install apache2-utils

Create password file

sudo htpasswd -5 -c /etc/nginx/conf.d/.htpasswd-cardano-rt-view [USERNAME]

Options:
-5 enforces SHA-512 password hashing instead of MD5 (unsafe)
-c creates a new file (only use it once, of course: it overwrites an existing file, so leave it out when adding further users)
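
To confirm that every entry in the password file really uses the SHA-512 scheme that -5 selects, the file can be audited by hash prefix. This is an added example, not part of the original post; the function names and the sample entries (placeholder hashes) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the hash scheme of every
# entry in an htpasswd file and flag anything that is not SHA-512 crypt.

# Map a stored hash to its scheme by prefix.
hash_scheme() {
    case "$1" in
        '$6$'*)           echo sha512-crypt ;;   # what `htpasswd -5` writes
        '$5$'*)           echo sha256-crypt ;;
        '$apr1$'*|'$1$'*) echo md5 ;;            # htpasswd default / md5-crypt
        '{SHA}'*)         echo sha1-unsalted ;;
        '{PLAIN}'*)       echo plaintext ;;
        *)                echo other ;;
    esac
}

# Print "user scheme verdict" per entry; return 1 if any entry needs review.
audit_htpasswd() {
    file=$1
    weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        user=${line%%:*}
        hash=${line#*:}
        scheme=$(hash_scheme "$hash")
        if [ "$scheme" = sha512-crypt ]; then
            echo "$user $scheme ok"
        else
            echo "$user $scheme review"
            weak=1
        fi
    done < "$file"
    return "$weak"
}

# Constructed sample file; the hash bodies are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# comment line
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
bob:$apr1$CONSTRUCTEDSALT$CONSTRUCTEDHASH
EOF
audit_htpasswd "$sample" || echo "entries not hashed with SHA-512 found"
```

On a real system, call audit_htpasswd with /etc/nginx/conf.d/.htpasswd-cardano-rt-view (as root, since the file was created with sudo) and recreate any user reported as "review" with htpasswd -5.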

Add authentication to nginx configuration
Add the auth_basic and auth_basic_user_file parts to your nginx-configuration.
My /etc/nginx/nginx.conf now contains this within the http{}-block:

# Cardano RTView proxy
server {
    listen       [PUBLIC_IP]:[NGINX_PUBLIC_PORT];
    server_name  your.domain-name.com;

    location / {
        auth_basic           "Cardano RT View Authorization";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd-cardano-rt-view;
        proxy_pass           http://127.0.0.1:[RTVIEW_PRIVATE_PORT]/;
    }
}

Restart nginx

sudo systemctl restart nginx

You should be done now! 🙂

500 - Internal server error

If you now encounter nginx internal server errors (500), this might be due to storing your password file in a different place. You can check this using

sudo tail -f /var/log/nginx/error.log

In combination with SELinux you’ll have to allow nginx to read other parts of the filesystem (not really good for security):

sudo setsebool httpd_read_user_content on -P