Setting up Basic Authentication for QuestDB open source using Nginx

Kovid Rathee
Guest post
This post comes from Kovid Rathee, who has put together a tutorial to show how to add extra security by implementing Nginx Basic Authentication for QuestDB open source.
#
IntroductionData privacy and security is one of the most critical areas of concern when working with any data. This is even more true for time-series databases because a lot of time-series data deals with highly essential financial, geospatial, and medical data, among many others.
While QuestDB open source has already added authentication on top of the InfluxDB line protocol to secure your time-series data ingestion workloads into QuestDB, you might need more layers of security, mainly to prevent unauthorized access to your critical data from your QuestDB web console.
There are several ways to achieve this, such as SSH tunneling, OAuth, token-based auth, etc. However, this article will take you through the most straightforward authentication setup of them so that you can get started with basic authentication with minimal effort using Nginx.
tip
While you can set up authentication for QuestDB open source, QuestDB Cloud offers built-in authentication that offers a hassle-free, Out-of-the-Box solution.
#
How Basic Authentication Works in NginxNginx is a multi-purpose application that can be used as a reverse proxy, a load balancer, or an HTTP cache. This means if you direct all your incoming traffic for QuestDB to Nginx, it can decide what action to take on that request.
Nginx Basic Authentication is a way to implement a fundamental authentication mechanism. In case of a successful login request, you’ll be redirected from the default HTTP port to the port on which your QuestDB server is running.
Note: On top of the Basic Authentication, you should also configure SSL/HTTPS on top for additional security. You can download free SSL/TLS certificates from LetsEncrypt.
#
Steps for Setting up Basic Authentication for QuestDB open source using Nginx#
Step 1. Install QuestDB open sourceYou can install QuestDB open source on your local instance or a production system in several ways. Your installation method doesn’t impact your basic authentication setup using Nginx. You'll be good to go if you have QuestDB up and running. In this tutorial, we’ll install QuestDB using Homebrew, using the following command:
Once the installation is complete, QuestDB automatically starts and is available on http://localhost:9000. To ensure that the installation has gone right, please visit this address and see if you can access the QuestDB console.
#
Step 2. Install NginxTo set up Basic Authentication using Nginx, you need to install Nginx on your system. Using Homebrew, you can do that by simply running the following command:
After the installation, please ensure that Nginx is up and running by visiting http://localhost:8080.
#
Step 3. Configure Nginx to require Basic Authentication for QuestDB open source#
Step 3a. Create a Username and PasswordWhen you configure Nginx to force authentication, you’ll need a username and password combination to log into QuestDB. The first step is to create that username and password combination using the following htpasswd
command.
The home directory, i.e., in this case, /usr/local/etc/,
might be something else for another platform like CentOS, Ubuntu, etc. It’s best just to run the following command to test your configuration file and find out what the installation path is:
This command will give you an output will all the different paths that Nginx is using:
Once you're done with this basic check, you can start with the configuration.
nginx.conf
to Require Basic Authentication & Redirect#
Step 3b. Modify To implement Basic Authentication properly, you must understand what Nginx does. To add a layer of security, all your requests on a certain port (in this case, port 80) will go to Nginx first. They will then be redirected to port 9000, where you have a QuestDB instance running.
The redirection will be contingent upon whether you can provide Nginx with the correct username and password combination you had created earlier.
Take the default nginx.conf
file and remove all the comments. Firstly, in the server
section, change the value of listen
from 8080 to 80 if you want to redirect to QuestDB whenever someone types localhost
(as 80 is the default HTTP port). Secondly, replace the location
section with the following:
You'll probably be dealing with a lot of data in the web console, and you might need to download it to your local machine. For such use cases, you can modify the default value of the proxy_read_timeout
variable from 60 to 300 (or a value that makes sense for your use case). You can, similarly, set the proxy_send_timeout
and proxy_connect_timeout
.
This is where you’re telling Nginx to force authentication based on your password stored in the .htpasswd
file in your Nginx home directory. The full `nginx.conf` file looks something like the following:
#
Step 3c. Reload Nginx ConfigurationOnce you make the necessary changes to your Nginx configuration file mentioned in the previous step, you’ll be ready to reload or restart the Nginx server for the configuration changes to take effect.
Ensure that you've blocked any direct access to your QuestDB web console using a software-based firewall, such as
iptables
. If you configure your firewall to deny traffic on a certain port, Nginx will still be able to redirect you to that.
Alternatively, you can set the http.bind.to
variable in your QuestDB server.conf
file to 127.0.0.1
ensuring that QuestDB rejects the requests coming directly from the internet, and only allows requests that are proxied via Nginx.
You can find your
server.conf
file in your Homebrew QuestDB installation directory --/usr/local/var/questdb/conf
. This directory might differ on different OS and Homebrew versions.
You can use one of the following commands for reloading the Nginx configuration:
Here’s what the output of the commands mentioned above will look like:
#
Step 4. Verify if Basic Authentication is working while accessing QuestDB open sourceAfter reloading the configuration file, open a new tab in your browser to test if the redirection and authentication are working correctly.
localhost
points to QuestDB based on the nginx.conf
.
If localhost
binding is working correctly, you should see the following screen asking for your username and password to log into QuestDB:
Once you enter your username and password, Nginx will go back to .htpasswd
to verify whether you’ve entered the correct credentials. If the authentication succeeds, you’ll be able to log onto QuestDB and carry on with your work, as shown below:
However, if the authentication fails, you’ll see the following screen with an HTTP 401 specifying that you need the authorization to access localhost
.
If you end up getting an HTTP 401, recheck your username and password combination. If it is still not working, try creating another user or resetting the password for your current user using the htpasswd
command-line tool.
#
ConclusionNginx Basic Authentication is a short-term solution to ensure that your data is safe and protected from unauthorized access. This tutorial took you through the steps required to set up authentication for QuestDB open source by simply installing Nginx and making a few changes in the configuration file.
Although Nginx Basic Authentication is not the recommended method for authentication and authorization, it is the quickest to set up. In the longer term, you might want to use a solution like LDAP-based solution, OAuth/OIDC, and so on.