auth_basic module for implementing authentication popup

[ubmaity]

I am using this repo for hosting Nginx-s3-gateway inside a docker image: https://github.com/nginxinc/nginx-s3-gateway
I can get the s3 objects on browser after running the docker image but I need to authenticate it also , added auth _basic section in config but unable to use the authentication functionality supported by nginx itself.
/etc/nginx/default.conf
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
}
After I use this auth_basic module , browser prompts for username and password and then auto redirects to 404 page not found.

@liam from nginx community suggested this:
You should add those directives to the location block that is handling the S3 traffic. Don’t create a new location block for it.

No luck here as well.
Please help or give your suggestions

[ubmaity]

@dekobon @shawnhankim Do you guys please have any advice on this?

[dekobon]

Hi there, both of the maintainers are unable to investigate this issue this week due to travel. This is a good question and it will require some experimenting to see what is going wrong.

I agree with Liam. It will not work by just adding that location block. You will need to do it at the location blocks that are proxying. Also many AWS errors are converted to 404s, so if you are debugging it is helpful to disable that in the nginx.conf.

[ubmaity]

Sure , thanks for the reply.
Will try to debug this weekend. Tell me if you get a chance to work on the same.
Thanks for the humble response again.

[ShoshinNikita]

I managed to enable Basic Auth by adding these lines to /etc/nginx/conf.d/gateway/server_variables.conf (and creating /etc/nginx/.htpasswd):

auth_basic           "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;

This works because the modified file is included in the server block:

# /etc/nginx/conf.d/default.conf

...
server {
    include /etc/nginx/conf.d/gateway/server_variables.conf;
    ...
}

Additionally, you don't have to reset the Authorization header with proxy_set_header Authorization "" because it is already being set to $s3auth:

# /etc/nginx/conf.d/default.conf

server {
  location @s3PreListing {
      ...
      # Set the Authorization header to the AWS Signatures credentials
      proxy_set_header Authorization $s3auth;
      ...
  }

  location @s3Directory {
      ...
      # Set the Authorization header to the AWS Signatures credentials
      proxy_set_header Authorization $s3auth;
      ...
  }

  location ~ /index.html$ {
      ...
      # Set the Authorization header to the AWS Signatures credentials
      proxy_set_header Authorization $s3auth;
      ...
  }
}

It is a bit of a hacky solution, but it works 🤷