No authentication mechanisms

[maxkreja]

Currently there is no way to secure the web interface. The nginx directory is directly mapped to the Docker container and any person on the same network can access the control panel.

I suggest either implementing any authentication mechanism like username/password authentication backed up by a database or warning about this in README.md and suggesting to enable basic HTTP authentication at least.

[LucaNerlich]

basic auth docs are here: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
if anyone is looking for it. Fairly easy to set up. ~5mins

[schenkd]

Hello @maxkreja and thank you very much for your issue!

As already described, the user interface can be secured via .htpasswd in a few minutes. I should put this in the README.md so that it is easier for everyone to understand. I am also thinking about a user management, because the upcoming request to manage multiple nginx instances requires this.

http {
    server {
        listen 192.168.1.23:8080;
        root   /usr/share/nginx/html;

        location /api {
            api;
            satisfy all;

            deny  192.168.1.2;
            allow 192.168.1.1/24;
            allow 127.0.0.1;
            deny  all;

            auth_basic           "Administrator’s Area";
            auth_basic_user_file /etc/apache2/.htpasswd; 
        }
    }
}

I would close the issue and update the README.md In the coming release the Uer Management might be integrated. :)

Best David

[maxkreja]

That seems like a good solution. It was just important for me because this repo is getting a lot of attention right now and we have to make clear that you can't just download and install this and your are done. There will be a lot of "script kiddies" who will just do that, exposing their nginx configurations to the public which would be a very bad situation.