bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[enhancement] Harden authentication #75

Closed thelittlefireman closed 3 years ago

thelittlefireman commented 3 years ago

hi, could it be possible to add digest authentication or JWT? [nginx auth_digest module](https://www.nginx.com/resources/wiki/modules/auth_digest/), [configuring JWT authentication](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-jwt-authentication/)

Basic Auth is really annoying with some JS websites. It will answer/popup authentication for about every request. Moreover, basic authentication sends the user and password as plaintext. It's ok if SSL is configured, but on HTTP only it's a security issue.

Thanks for all :) PS: maybe I will find some time to make another PR

thelittlefireman commented 3 years ago

Or maybe we could integrate Authelia :) https://www.authelia.com/docs/getting-started.html

Seems to be a really good authentication framework (natively works with nginx)

I don't know if we should integrate Authelia in the docker (delay in further updates, harder to configure and tweak by users), or just auto add the Authelia nginx configuration?

fl0ppy-d1sk commented 3 years ago

Hey @thelittlefireman,

Authelia support is now added into bunkerized-nginx (see docs and example). Thanks again for your suggestion.