Password protect access to forum
-
Hi
I want to password protect access to my forum - so a prompt for creds in advance of even seeing the forum. I have added this feature in NGINX, and it does what I expect in terms of prompting before access. My problem is that when I add this, I get caught in a loop with the following message continuously displayed: "It looks like your login session is no longer active. Please refresh this page."
I am then unable to login, or even read the forum without this message appearing.
What can I do about this? Is there another way to protect access?
Thanks in advance
M
-
Share your nginx config please
-
@mattdjuk This might be a cleaner way
-
@julian said in Password protect access to forum:
@phenomlab one could argue that there is nothing cleaner than basic auth from a web server
@phenomlab said in Password protect access to forum:
@julian true, yes, but cleaner in my view at application level
Certainly both can be argued as true. My understanding of security best practices is generally speaking to block the bad stuff as far upstream as operationally feasible. Hence, if asked, I would recommend enforcing at the web server level.
Additionally, in keeping with best practices, had I cause to be extra paranoid and/or protecting some "higher" value asset, I would recommend also enforcing/checking the policy once again at the app level. Layered onions, and all that.
So, like many things, not a simple either/or. Unless you want it to be? Seeing the simplicity in the complex is also a desirable trait cuz your security posture also needs to be maintainable. For you and your resource commitment levels, eh?
Have a groovy day.
-
Hi, guys!
I found this topic while experiencing the same nginx problem as described above. I bet it's a usual experience to guard a web resource on a server level. Just redirecting a user to another page doesn't resolve security concerns. It would be great if you won't leave but address this issue.
Really appreciate your work anyway!
-
@PitaJ said in Password protect access to forum:
Share your nginx config please
@PitaJ The relevant part of my nginx config looks like this:
location / {
    auth_basic "What is essential is invisible to the eye";
    auth_basic_user_file /etc/apache2/.htpasswd;