beevelop / docker-nginx-basic-auth

:closed_lock_with_key: Simple Docker image for basic authentication

Home Page: https://beevelop.com

License: MIT License

Shell 36.69% Dockerfile 63.31%
docker docker-image nginx authentication container-image containerization

docker-nginx-basic-auth's Introduction


nginx-basic-auth


Simple Docker image to provide basic authentication for a single other container.

Quickstart

docker run -d --name web dockercloud/hello-world
docker run -d -p 80:80 --link web:web --name auth beevelop/nginx-basic-auth

Try accessing and logging in with username foo and password bar.

Advanced

docker run -d \
           -e HTPASSWD='foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.' \
           -e FORWARD_PORT=1337 \
           --link web:web -p 8080:80 \
           --name auth \
           beevelop/nginx-basic-auth

Use single quotes to prevent unwanted interpretation of $ signs!

Configuration

  • HTPASSWD (default: foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.): Will be written to the .htpasswd file on launch (non-persistent)
  • FORWARD_PORT (default: 80): Port of the source container that should be forwarded
  • FORWARD_HOST (default: web): Hostname of the source container that should be forwarded

    The container does not need any volumes to be mounted! Nonetheless you will find all interesting files at /etc/nginx/*.

Multiple Users

Multiple Users are possible by separating the users by newline. To pass the newlines properly you need to use Shell Quoting (like $'foo\nbar'):

docker run -d --link web:web --name auth \
           -e HTPASSWD=$'foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.\ntest:$apr1$LKkW8P4Y$P1X/r2YyaexhVL1LzZAQm.' \
           beevelop/nginx-basic-auth

results in 2 users (foo:bar and test:test).

Troubleshooting

nginx: [emerg] host not found in upstream "web" in /etc/nginx/conf.d/auth.conf:80
  • You need to link the container as web (--link foobar:web)

  • SSL is unsupported ATM, but might be available in the near future. For now it might be a suitable solution to use another reverse proxy (e.g. jwilder/nginx-proxy) that acts as a central gateway. You just need to configure the VIRTUAL_HOST env and disable port forwarding.

docker-nginx-basic-auth's People

Contributors

beevelop, chrislahaye, d3473r, jeremydouglass, np

docker-nginx-basic-auth's Issues

Consider documenting docker-compose.yml or docker-cloud.yml

Consider documenting how your example works differently with docker-compose.yml or docker-cloud.yml.

Because the examples define HTPASSWD as an environment variable, they often pass strings with $ characters. When using Docker compose or swarm to parse the config file, this will cause the file to fail due to failed string expansion:

"$ characters must be escaped with a second $"

So your example

-e HTPASSWD='foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.' \

Will, in the yml config, have double-$$, or it will fail:

environment:
  # no quotes around the value: in list form they would be passed through literally
  - HTPASSWD=foo:$$apr1$$odHl5EJN$$KbxMfo86Qdve2FH4owePn.

For related discussion, see:

https://forums.docker.com/t/docker-swarm-with-compose-file-does-not-recognize-links/42356/4
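
The README's quoting rules and the Compose `$$` escaping described in this issue can both be checked before the container is started. The following is an added example, not code from this project; `check_htpasswd` and `compose_escape` are hypothetical helper names, and the check assumes apr1 entries like the README's.

```shell
#!/bin/sh
# Added example (not project code). Function names are hypothetical.

# check_htpasswd VALUE
# Returns 0 only if every non-empty line of VALUE looks like
#   user:$apr1$<salt>$<22-char hash>
# (the format of the README's entries; nginx also accepts other schemes,
# which this narrow check would reject).
check_htpasswd() {
    rc=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        case $line in
            \'*|\"*|*\'|*\")
                printf 'quote characters ended up inside the value: %s\n' "$line" >&2
                rc=1; continue ;;
        esac
        if ! printf '%s\n' "$line" |
            grep -Eq '^[^:[:space:]]+:\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'
        then
            printf 'not an apr1 htpasswd entry: %s\n' "$line" >&2
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# compose_escape VALUE
# Doubles every $ so Compose variable interpolation leaves the hash intact.
compose_escape() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# Constructed sample: the README's two users, joined by a newline.
sample=$(printf '%s\n%s' \
    'foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.' \
    'test:$apr1$LKkW8P4Y$P1X/r2YyaexhVL1LzZAQm.')

# Print the Compose-ready form only when the value passes the check.
check_htpasswd "$sample" && compose_escape "$sample"
```

A value that fails the check (for example one that starts with a literal quote, or whose `$` parts were expanded away by the shell) would leave nginx reporting that the user was not found.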

Is there any configuration to join another network?

I have my own docker-composer.yml, and I want to use this basic auth to secure my container.
My container was open on 80/TCP, with no network definition in the yml file, but I got this error:
docker: Error response from daemon: Cannot link to /app, as it does not belong to the default network.

I am using
$ docker run -d -p 80:80 --link app:app --name auth beevelop/nginx-basic-auth

simple Basic Authentication for localhost

I don't want to secure a secondary container, but instead protect a served folder locally like this:

server {
    server_name example.com;
    root /var/www/web_root/;
    index index.html;

    auth_basic "Restricted";
    auth_basic_user_file auth.htpasswd;
}

Any way we can make this happen? Currently it's really just a proxy (resulting in an endless loop) when started with localhost:

FORWARD_HOST=127.0.0.1

server {
 listen 80 default_server;

 location / {
     auth_basic              "Restricted";
     auth_basic_user_file    auth.htpasswd;

     proxy_pass                          http://127.0.0.1:80;
     proxy_read_timeout                  900;
 }
}

Currently I am solving it like this:

server {
 listen 80 default_server;
 auth_basic              "Restricted";
 auth_basic_user_file    auth.htpasswd;
 root /usr/share/nginx/html;
 index index.html;
}

FROM beevelop/nginx-basic-auth

COPY html_files /usr/share/nginx/html
COPY nginx.conf /opt/auth.conf

It works, but it would be cool if it works without local files and custom containers. Just an idea...

502 Bad Gateway

Hi,

I cannot get this to work, I just get 502 Bad Gateway responses. Perhaps you can see a problem with my Docker configuration:

    docker run -d --restart=always --name="web" \
        -v /Users/Shared/repo:/munki_repo \
        -p 8765:80 -h web groob/docker-munki

    HTPASSWD_CONTENT=$(sudo head -n 1 /Users/Shared/repo/.htpasswd)
    docker run -d \
        -e HTPASSWD=$HTPASSWD_CONTENT \
        -e FORWARD_PORT=8765 \
        --link web:web -p 8000:80 \
        --name auth \
        beevelop/nginx-basic-auth

As you can see, I renamed the web container to try and conform with the proxy pass to http://web:8765, but that didn't work. Any ideas?

Thanks!
Graham

Could not get container for web

I got this error when following the instructions:

docker: Error response from daemon: could not get container for web: No such container: web.

user foo was not found in "/etc/nginx/auth.htpasswd"

I am getting this error even though the user exists:

2020/06/07 08:54:24 [error] 15#15: *12 user "foo" was not found in "/etc/nginx/auth.htpasswd", client: 192.168.0.29, server: , request: "GET / HTTP/1.1", host: "192.168.0.25:8080"

$ docker exec -it xxxxxxxx cat /etc/nginx/auth.htpasswd
'foo:/

Why am I getting this "user was not found in" error when the user exists?

CVE-2019-9513 bump dockerhub image to update nginx to 1.17.3+

Problem

nginx had a DDOS vulnerability, CVE-2019-9513, when this image was last built, about three months ago, with nginx:alpine ~1.17.0-2.

https://hub.docker.com/r/beevelop/nginx-basic-auth/dockerfile

Edit: correction, when I pull the latest from dockerhub, spin up a container, shell in and nginx -v, I see nginx/1.15.12. Not sure why it is that old.

Solution

Bumping dockerhub to rebuild from nginx:alpine (no change to Dockerfile needed). That should grab nginx 1.17.3+, patching the vulnerability.


Scan report excerpt:

According to its Server response header, the installed version of nginx is 1.9.5 prior to 1.16.1 or 1.17.x prior to
1.17.3. It is, therefore, affected by multiple denial of service vulnerabilities :

  • A denial of service vulnerability exists in the HTTP/2 protocol stack due to improper handling of exceptional
    conditions. An unauthenticated, remote attacker can exploit this, by manipulating the window size and stream
    priority of a large data request, to cause a denial of service condition. (CVE-2019-9511)

  • A denial of service vulnerability exists in the HTTP/2 protocol stack due to improper handling of exceptional
    conditions. An unauthenticated, remote attacker can exploit this, by creating multiple request streams and
    continually shuffling the priority of the streams, to cause a denial of service condition. (CVE-2019-9513)

  • A denial of service vulnerability exists in the HTTP/2 protocol stack due to improper handling of exceptional
    conditions. An unauthenticated, remote attacker can exploit this, by sending a stream of headers with a zero length
    header name and zero length header value, to cause a denial of service condition. (CVE-2019-9516)

Solution:

Upgrade to nginx version 1.16.1 / 1.17.3 or later.

Risk Factor: High
CVSS Score: 7.8
CVE: CVE-2019-9513
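
The `nginx -v` check mentioned in this issue can be turned into a pass/fail test against the version ranges quoted in the scan report. This is an added example, not part of the project or the scanner; the function names are hypothetical and the ranges are taken only from the report text above.

```shell
#!/bin/sh
# Added example (not project code). Function names are hypothetical.

# ver_num X.Y.Z -> one comparable integer (missing parts count as 0)
ver_num() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the version on dots
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# http2_dos_status "<output of nginx -v>"
# Prints affected | fixed | not-affected | unknown, using the ranges from
# the scan report: 1.9.5 up to (not including) 1.16.1, and 1.17.x before 1.17.3.
http2_dos_status() {
    v=$(printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p')
    if [ -z "$v" ]; then echo unknown; return 2; fi
    n=$(ver_num "$v")
    if   [ "$n" -lt "$(ver_num 1.9.5)"  ]; then echo not-affected
    elif [ "$n" -lt "$(ver_num 1.16.1)" ]; then echo affected
    elif [ "$n" -lt "$(ver_num 1.17.0)" ]; then echo fixed
    elif [ "$n" -lt "$(ver_num 1.17.3)" ]; then echo affected
    else echo fixed
    fi
}

# The version string reported in the issue for the image pulled from dockerhub.
http2_dos_status 'nginx version: nginx/1.15.12'
```

In practice the argument would be the captured output of `nginx -v` run inside the container, which nginx writes to stderr.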

Docker Swarm Support

I am trying to use your image in Docker Swarm. Unfortunately I can't get it to work. Accessing localhost:8080 keeps prompting for username and password and the logs of the auth container show: nginx: [emerg] host not found in upstream "web" in /etc/nginx/conf.d/auth.conf:8

Here is the docker-compose.yml file I am using:

version: '3.4'

services:

  web:
    image: dockercloud/hello-world

  service_auth:
    image: beevelop/nginx-basic-auth
    ports:
      - 8080:80
    environment:
      HTPASSWD: 'foo:$apr1$odHl5EJN$KbxMfo86Qdve2FH4owePn.'
      FORWARD_PORT: 80
      FORWARD_HOST: web

Started with:

docker stack deploy -c docker-compose.yml mystack

Close security hole for root

This package was identified by a security researcher as being a popular package and having a potential security vulnerability related to the recent Alpine CVE-2019-5021.

https://www.kennasecurity.com/20-of-the-1000-most-popular-docker-containers-have-no-root-password/

News discussion here:

https://www.zdnet.com/article/root-account-misconfigurations-found-in-20-of-top-1000-docker-containers/

The proposed fix is adding this line to the Dockerfile:

# make sure root login is disabled
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow

is there any license info?

I am missing license information for the images on dockerhub as well as for this source repo.
Do you have any plans to provide this work with some open source license, like Apache, BSD, MIT, or similar? How can I use them?

Multiple users

Nice tool, how about allowing multiple users and password as an environment variable / array?

How to specify http version

We get this error in nginx logs:
upstream prematurely closed connection while reading upstream, client:
The workaround is to use proxy_http_version 1.1; in the nginx config.
Can you please tell how to specify that in docker-nginx-basic-auth?

Thanks!
