ASIC Sentry - How to setup basic authentication and SSL with NGINX?

[1] Create authentication user with htpasswd

htpasswd program comes from apache2-utils (Debian, Ubuntu) or httpd-tools (RHEL/CentOS/Oracle Linux)

htpasswd -c /etc/apache2/.htpasswd admin

To create new user, append the user list (Omit -c):

htpasswd /etc/apache2/.htpasswd user_2

[2] Create /etc/nginx/conf.d/asic-sentry.conf with basic_auth & SSL

upstream asic_sentry {
  keepalive 32; # keepalive connections
  server 127.0.0.1:4001; # asic_sentry ip and port
}

# Required for websocket
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  listen          443;       # Listen on port 80 for IPv4 requests

  server_name     asic_sentry.example.com;  # replace asic_sentry.example.com with your server domain name

  # this is the jenkins web root directory
  # (mentioned in the output of "systemctl cat jenkins")

  ssl_certificate     "/etc/pki/asic_sentry.example.com/asic_sentry.example.com.bundle.crt";
  ssl_certificate_key "/etc/pki/asic_sentry.example.com/asic_sentry.example.com.key";
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout  10m;
  ssl_ciphers PROFILE=SYSTEM;
  ssl_prefer_server_ciphers on;

  access_log      /var/log/nginx/asic_sentry.access.log;
  error_log       /var/log/nginx/asic_sentry.error.log;

  location / {
      sendfile off;
      proxy_pass         http://asic_sentry;
      proxy_redirect     default;
      proxy_http_version 1.1;

      # Basic Authentication
      auth_basic "Administrator’s Area";
      auth_basic_user_file /etc/apache2/.htpasswd;

      # Required for websocket agents
      proxy_set_header   Connection        $connection_upgrade;
      proxy_set_header   Upgrade           $http_upgrade;

      proxy_set_header   Host              $http_host;
      proxy_set_header   X-Real-IP         $remote_addr;
      proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Proto $scheme;
      proxy_max_temp_file_size 0;

      #this is the maximum upload size
      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;
      proxy_request_buffering    off; # Required for HTTP CLI commands
  }
}

[3] Test nginx config file

nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[4] Reload nginx

nginx -s reload

References

• Restricting Access with HTTP Basic Authentication, https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
• Reverse proxy - Nginx, https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-nginx/