Add document to configure Basic Auth #1634
Conversation
github-actions
bot
added
documentation
✅ Deploy Preview will be available once build job completes!
|
ADubhlaoich
left a comment
ADubhlaoich
left a comment
There was a problem hiding this comment.
Initial bit of metadata feedback - more feedback coming.
There's a lot of stuff to be changed.
| toc: true | ||
| nd-content-type: how-to | ||
| nd-product: FABRIC | ||
| nd-docs: DOCS-1848 |
There was a problem hiding this comment.
| nd-docs: DOCS-1848 |
If this was not generated by docs automation, it should not be included.
Duplicate IDs cause issues.
salonichf5
left a comment
salonichf5
left a comment
There was a problem hiding this comment.
looks good to me overall, just a couple of comments
| ## How it works | ||
|
|
||
| For Basic Authentication, NGINX uses the [ngx_http_auth_basic](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html) module. | ||
| Below is an example NGINX configuration using this module: | ||
|
|
||
| ```nginx | ||
| http { | ||
| upstream backend_default { | ||
| server 10.0.0.10:80; | ||
| server 10.0.0.11:80; | ||
| } | ||
|
|
||
| server { | ||
| listen 80; | ||
| server_name cafe.example.com; | ||
|
|
||
| location /coffee { | ||
| auth_basic "Restricted"; | ||
| auth_basic_user_file /etc/nginx/secrets/basic_auth_default_basic_auth_user; | ||
| proxy_pass http://backend_default; | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| All requests made to `/coffee` will require credentials that match those stored in `/etc/nginx/secrets/basic_auth_default_basic_auth_user` defined by the `auth_basic_user_file` directive. Any request that contains invalid or missing credentials will be rejected. | ||
|
|
There was a problem hiding this comment.
this could be part where authentication filter is added and we check the status and show the config.
Maybe we could talk about the nginx directives being used here like we do for other guides.
There was a problem hiding this comment.
That's a good idea. I'll see if I can change that.
…Verify Basic Authentication section
Thanks Alan! Appreciate you taking the time to look over it all 😄 |
| - Ensure the Gateway API CRDs are installed on your cluster. | ||
| - Ensure the latest NGINX Gateway Fabric CRDs are installed on your cluster. |
There was a problem hiding this comment.
This is kind of vague. Do we say this in other docs?
There was a problem hiding this comment.
I think you can just use this instead of these lines.
## Before you begin
- [Install]({{< ref "/ngf/install/" >}}) NGINX Gateway Fabric.
There was a problem hiding this comment.
That's a good catch, thanks guys. The steps to install NGF cover the CRD installs, so these can be removed.
|
|
||
| ### Deploy demo applications | ||
|
|
||
| To deploy both the `coffee` and `tea` applications, copy the blow yaml into your terminal: |
There was a problem hiding this comment.
| To deploy both the `coffee` and `tea` applications, copy the blow yaml into your terminal: | |
| To deploy both the `coffee` and `tea` applications, copy the following yaml into your terminal: |
|
|
||
| ### Create a Gateway | ||
|
|
||
| To create your gateway resource, and provision the NGINX pod, copy the below yaml into your terminal: |
There was a problem hiding this comment.
| To create your gateway resource, and provision the NGINX pod, copy the below yaml into your terminal: | |
| To create your gateway resource, and provision the NGINX pod, copy the following yaml into your terminal: |
|
|
||
| ## Verify Basic Authentication | ||
|
|
||
| Before verifying the traffic of the application, we'll first make sure the NGINX config is correct. |
There was a problem hiding this comment.
Do we do this in other docs as well? I wonder if we really need users to check the nginx conf. Our main purpose is to essentially hide this so users don't need to care.
There was a problem hiding this comment.
We do check NGINX configuration in other guides and feels like a good debugging practice
There was a problem hiding this comment.
In that case, I'd suggest using easier commands for users to copy/paste to get the config, since they won't have the specific pod name. You can use the deployment name to do the same, and that would be consistent with what a user has.
|
|
||
| ### Create a Gateway | ||
|
|
||
| To create your gateway resource, and provision the NGINX pod, copy the below yaml into your terminal: |
There was a problem hiding this comment.
| To create your gateway resource, and provision the NGINX pod, copy the below yaml into your terminal: | |
| To create your gateway resource, and provision the NGINX pod, copy the below YAML into your terminal: |
|
|
||
| Authentication is crucial for modern application security and allows you to be confident that only trusted and authorized users are accessing your applications, or API backends. | ||
| Through this document, you'll learn how to protect your application endpoints with NGINX Gateway Fabric using the AuthenticationFilter CRD. | ||
| In this guide we will create two sample applications, `tea` and `coffee`, where we will enable basic authentication on the `/coffee` endpoint. The `/tea` endpoint will not have any authentication. This is to help demonstrate how the application behaves both with and without authentication. |
There was a problem hiding this comment.
| In this guide we will create two sample applications, `tea` and `coffee`, where we will enable basic authentication on the `/coffee` endpoint. The `/tea` endpoint will not have any authentication. This is to help demonstrate how the application behaves both with and without authentication. | |
| In this guide, we will create two sample applications, `tea` and `coffee`, where we will enable basic authentication on the `/coffee` endpoint. The `/tea` endpoint will not have any authentication. This is to help demonstrate how the application behaves both with and without authentication. |
| Authentication is crucial for modern application security and allows you to be confident that only trusted and authorized users are accessing your applications, or API backends. | ||
| Through this document, you'll learn how to protect your application endpoints with NGINX Gateway Fabric using the AuthenticationFilter CRD. | ||
| In this guide we will create two sample applications, `tea` and `coffee`, where we will enable basic authentication on the `/coffee` endpoint. The `/tea` endpoint will not have any authentication. This is to help demonstrate how the application behaves both with and without authentication. | ||
| The `/coffee` endpoint will use the `ExtensionRef` filter to reference and `AuthenticationFilter` CRD which is configured for Basic Authentication. |
There was a problem hiding this comment.
| The `/coffee` endpoint will use the `ExtensionRef` filter to reference and `AuthenticationFilter` CRD which is configured for Basic Authentication. | |
| The `/coffee` endpoint will use the `ExtensionRef` filter to reference an `AuthenticationFilter` CRD which is configured for Basic Authentication. |
|
|
||
| ### Create a Gateway | ||
|
|
||
| To create your gateway resource, and provision the NGINX pod, copy the below yaml into your terminal: |
There was a problem hiding this comment.
lets capitalize k8s resource names - Pods, Service
| Accessing `/coffee` with incorrect credentials: | ||
|
|
||
| ```shell | ||
| curl -i -u user1:wrong -H "Host: cafe.example.com http://$GW_IP:$GW_PORT/coffee" |
There was a problem hiding this comment.
| curl -i -u user1:wrong -H "Host: cafe.example.com http://$GW_IP:$GW_PORT/coffee" | |
| curl -i -u user1:wrong -H "Host: cafe.example.com" http://$GW_IP:$GW_PORT/coffee |
| Accessing `/coffee` with valid credentials: | ||
|
|
||
| ```shell | ||
| curl -i -u user1:password1 -H "Host: cafe.example.com http://$GW_IP:$GW_PORT/coffee" |
There was a problem hiding this comment.
| curl -i -u user1:password1 -H "Host: cafe.example.com http://$GW_IP:$GW_PORT/coffee" | |
| curl -i -u user1:password1 -H "Host: cafe.example.com" http://$GW_IP:$GW_PORT/coffee |
| Since tea has no AuthenticationFilter attached, responses are processed normally: | ||
|
|
||
| ```shell | ||
| curl -i -H "Host: cafe.example.com" http://$GW_IP:$GW_PORT/coffee |
There was a problem hiding this comment.
the curl is for coffee
| curl -i -H "Host: cafe.example.com" http://$GW_IP:$GW_PORT/coffee | |
| curl -i -H "Host: cafe.example.com" http://$GW_IP:$GW_PORT/tea |
salonichf5
left a comment
salonichf5
left a comment
There was a problem hiding this comment.
To make this easier for users, let’s ensure every curl command is copy/paste ready and works exactly as written. I recommended some edits but it would be better if you cross check again on your end.
Proposed changes
This change adds a new document to the NGF traffic security section, which details on to configure Basic Authentication for NGF using the AuthenticationFilter CR
Closes nginx/nginx-gateway-fabric#4345
Checklist
Before sharing this pull request, I completed the following checklist:
Footnotes
Potentially sensitive information includes personally identify information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content. ↩