Notes

Nginx auth with IP whitelists

June 29, 2019

I was looking into a way to configure Nginx to require basic HTTP authentication but to skip authentication for specific IP addresses. I was also running Nginx behind Cloudflare, which obscures the caller IP address. The normal way of reading IP addresses wouldn’t work, so I had to switch up the IP address whitelist to read from a Cloudflare-set header CF-Connecting-IP.

# Create a map of IP addresses to auth configuration
map $http_cf_connecting_ip $auth {
# Whitelisted ip address has auth off
"<Whitelisted IP Address>"  "off";
# Otherwise, auth is enabled
default                     "Authentication Required";
}

server {
...

# Enable HTTP authentication
auth_basic           $auth;
# Set a file with username/password data
auth_basic_user_file <path to auth file>;

...
}