diff --git a/content/ngf/traffic-security/basic-authentication.md b/content/ngf/traffic-security/basic-authentication.md new file mode 100644 index 000000000..dbb3af97b --- /dev/null +++ b/content/ngf/traffic-security/basic-authentication.md 
@@ -0,0 +1,365 @@ +--- +title: Configure basic authentication +weight: 800 +toc: true +nd-content-type: how-to +nd-product: FABRIC +--- + + +This page describes how to configure basic authentication in NGINX Gateway Fabric using the AuthenticationFilter custom resource definition (CRD). + +Authentication can be used to secure applications and APIs, ensuring only trusted and authorized users have access. + +By following these instructions, you will create two sample application endpoints. One will include basic authentication and the other will not, allowing you to review how each behaves. + +## Before you begin + +- [Install]({{< ref "/ngf/install/" >}}) NGINX Gateway Fabric. + +## Setup + +In this part of the document, we will set up several resources in your cluster to demonstrate usage of the AuthenticationFilter CRD. + +## Deploy sample applications + +To deploy the `coffee` and `tea` applications, run the following YAML with `kubectl apply`: + +```yaml +kubectl apply -f - < +``` + +## Create a user credentials secret and AuthenticationFilter + +Deploy a secret with user credentials, and the AuthenticationFilter by running the following YAML with `kubectl apply`: + +{{< call-out "important" >}} Ensure the secret deployed is of type `nginx.org/htpasswd` and the key is `auth` {{< /call-out >}} + +```yaml +kubectl apply -f - < +``` + +## Deploy a HTTPRoute referencing the AuthenticationFilter + +Deploy a HTTPRoute resource which references the AuthenticationFilter using the `ExtensionRef` filter type. + +In this example, the filter is applied to the `/coffee` path: run the following YAML with `kubectl apply` + +```yaml +kubectl apply -f - < +``` + +## Verify Basic Authentication + +{{< call-out "note" >}} + +Your clients should be able to resolve the domain name "cafe.example.com" to the public IP of the NGINX Service. + +This guide simulates it using curl's `--resolve` option. 
+ +{{< /call-out >}} + +Accessing `/coffee` with valid credentials: + +```shell +curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee -u user1:password1 +``` + +Response: + +```text +Server address: 10.244.0.7:8080 +Server name: coffee-654ddf664b-nhhvr +Date: 06/Jan/2026:15:20:15 +0000 +URI: /coffee +Request ID: 13a925b2514b62c45ea4a79800248d5c +``` + +Accessing `/coffee` without credentials: + +```shell +curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee +``` + +Response: + +```text + +401 Authorization Required + +

401 Authorization Required

+
nginx
+ + +``` + +Accessing `/coffee` with incorrect credentials: + +```shell +curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee -u user1:wrong +``` + +Response: + +```text + +401 Authorization Required + +

401 Authorization Required

+
nginx
+ + +``` + +Accessing `/tea` + +Since tea has no AuthenticationFilter attached, responses are processed normally: + +```shell +curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/tea +``` + +Response: + +```text +Server address: 10.244.0.10:8080 +Server name: tea-75bc9f4b6d-ms2n8 +Date: 06/Jan/2026:15:36:26 +0000 +URI: /tea +Request ID: c7eb0509303de1c160cb7e7d2ac1d99f +``` + + +## Troubleshooting + +- Ensure the HTTPRoute is Accepted and references the correct AuthenticationFilter name and group. +- Confirm the secret key is named `auth` and is of type `nginx.org/htpasswd`. +- Ensure the secret referenced by the AuthenticationFilter is in the same namespace. + +## Further reading + +- [Example deployment files for AuthenticationFilter](https://github.com/nginx/nginx-gateway-fabric/tree/main/examples/basic-authentication) +- [NGINX HTTP Basic Auth Module](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html)
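Review bot: The curl examples under "Verify Basic Authentication" send `-u user1:password1` to `http://cafe.example.com:$GW_PORT/coffee`, and the page never states that Basic credentials are only base64-encoded and rely on TLS for confidentiality. Add a call-out beside the first curl example saying that routes using an AuthenticationFilter should be served from an HTTPS listener and that the plain-HTTP requests here are for demonstration only. Further points in the same hunk:

- `$GW_IP` and `$GW_PORT` are used in every curl command, but no step in the lines shown sets them and "Before you begin" lists only the install link. Add a step that exports both.
- The three blocks that begin `kubectl apply -f - <` are fenced as `yaml` although the first line is a shell command. Tag them `shell` (or `text`) so highlighting and copy-paste behave as expected. The matching lead-ins say "run the following YAML with `kubectl apply`", which reads better as "apply the following manifest".
- In Troubleshooting, "Ensure the secret referenced by the AuthenticationFilter is in the same namespace" does not say the same namespace as what. Name the resource, presumably the AuthenticationFilter itself.
- Under "Accessing `/tea`", "responses are processed normally" should say requests, since the point is that no credentials are required on that path.
- Wording: "Deploy a HTTPRoute" should be "an HTTPRoute", and the heading "Verify Basic Authentication" should use sentence case like the other headings.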