Nginx Http Basic Auth Security
So let's say I host something like a netdata dashboard on port 6000.
Then I reverse proxy it with nginx to the subdomain netdata.domain.com,
while basic auth is applied in the nginx.conf to allow site-wide protection.
My question is, since my connection to netdata.domain.com is http instead of https, my data is not encrypted. So won't logging in to nginx basic auth under this connection basically expose the password to a MITM attack?
But if I add Cloudflare between the client and the real IP, that gives a layer of proxy and basically adds a lot of difficulty for that to happen, right?
I don't know if my concern is valid.
Solution 1:
My question is, since my connection to netdata.domain.com is http instead of https, my data is not encrypted. So won't logging in to nginx basic auth under this connection basically expose the password to a MITM attack?
Correct. It's sent entirely in cleartext, and anyone in the path may read it trivially.
But if I add Cloudflare between the client and the real IP, that gives a layer of proxy and basically adds a lot of difficulty for that to happen, right?
If you configure CF to require TLS, then the connection between client and CF will be encrypted. Between CF and server it won't be.
It's 2021. Certificates are free, and trivially automatable on all platforms. Do not deploy authentication over HTTP in 2021. Configure it the proper way with TLS on your web server.
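As an added illustration of the answer above (example config written for this page, not taken from the poster or from the netdata/nginx projects): the plain-HTTP server block from the question next to the TLS version the answer recommends. It assumes netdata listens on 127.0.0.1:6000; the certificate, key and htpasswd paths are placeholders.

```nginx
# BEFORE: basic auth over plain HTTP. The Authorization header carries
# base64(user:password), which any on-path observer can decode.
server {
    listen 80;
    server_name netdata.domain.com;

    auth_basic           "netdata";
    auth_basic_user_file /etc/nginx/.htpasswd;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:6000;
    }
}

# AFTER: port 80 only redirects; credentials are accepted over TLS only.
server {
    listen 80;
    server_name netdata.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name netdata.domain.com;

    # Placeholder paths; e.g. what an ACME client such as certbot would write.
    ssl_certificate     /etc/letsencrypt/live/netdata.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/netdata.domain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers never to retry plain HTTP for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    auth_basic           "netdata";
    auth_basic_user_file /etc/nginx/.htpasswd;   # placeholder path

    location / {
        # Assumes netdata is bound to loopback only, so port 6000 is not
        # reachable from outside and the auth cannot be bypassed directly.
        proxy_pass         http://127.0.0.1:6000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

With a certificate on the origin, the same server block also lets Cloudflare's server-facing leg use TLS instead of plain HTTP. Check that nothing else still listens on port 6000 on a public interface, or the basic auth is bypassable.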