Protect web dashboards, admin panels, and internal applications with Nginx HTTP Basic Auth and IP allowlisting. Deploy a secure authentication gateway on Ubuntu 22.04 that adds login prompts to any upstream service.
This entire deployment exists as a tested, machine-readable recipe in the Massed Compute MCP. Connect an AI assistant to vm.massedcompute.com/api/mcp and deploy with a single natural language request.
Adding authentication to web applications that lack built-in login systems is a common need. Whether you’re protecting a monitoring dashboard, admin interface, or internal tool, Nginx can provide that security layer as a reverse proxy.
This guide walks through setting up Nginx as an authentication gateway using HTTP Basic Auth (username/password prompts) and IP allowlisting. The proxy sits in front of your application, handling authentication before forwarding requests to the upstream service.
Tech Stack
| Component | Version | Purpose |
|---|---|---|
| Ubuntu Server | 22.04 LTS | Base operating system |
| Nginx | Latest stable | Reverse proxy and auth gateway |
| apache2-utils | Latest | Provides htpasswd for credential management |
Requirements
| Item | Specification | Notes |
|---|---|---|
| SSH Key | RSA or Ed25519 | Required for secure VM access |
| Upstream Service | HTTP on localhost | Application to protect (port required) |
| Auth Method | Basic Auth and/or IP allowlist | Choose protection strategy |
| TLS Certificate | Recommended for production | Prevents credential interception |
Massed Compute VM Pricing
| SKU | Description | vCPU | RAM | Storage | Price | Capacity |
|---|---|---|---|---|---|---|
| cpu_mini_amd_epyc | Mini AMD EPYC | 8 | 32 GiB | 400 GB | $0.12/hr | 38 |
| cpu_small_amd_epyc | Small AMD EPYC | 14 | 40 GiB | 800 GB | $0.22/hr | 38 |
| cpu_medium_amd_epyc | Medium AMD EPYC | 28 | 80 GiB | 1600 GB | $0.44/hr | 20 |
| cpu_large_amd_epyc | Large AMD EPYC | 52 | 160 GiB | 3200 GB | $0.82/hr | 8 |
| cpu_x_large_amd_epyc | X-Large AMD EPYC | 100 | 320 GiB | 6400 GB | $1.56/hr | 4 |
| cpu_dedicated_amd_epyc | Dedicated AMD EPYC | 126 | 440 GiB | 10000 GB | $1.98/hr | 3 |
Step-by-Step Deployment
Launch Ubuntu VM
Create a new Ubuntu 22.04 instance with at least 2 vCPUs and 2GB RAM. The cpu_mini_amd_epyc SKU provides ample resources for most authentication gateway workloads.
curl -X POST https://api.massedcompute.com/v1/instances \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "sku": "cpu_mini_amd_epyc",
    "image": "ubuntu-22.04",
    "sshKeys": ["your-ssh-key-name"]
  }'
Connect via SSH
Wait for the instance to reach Running status, then connect using the provided IP address and your SSH key.
ssh ubuntu@YOUR_VM_IP
Install Required Packages
Update the package list and install Nginx along with apache2-utils for password file management.
sudo apt-get update
sudo apt-get install -y nginx apache2-utils
Create Basic Auth Credentials
Generate the password file with your first user. The -c flag creates a new file for the initial user.
sudo htpasswd -c /etc/nginx/.htpasswd admin
# Enter password when prompted
# Add additional users (without -c flag)
sudo htpasswd /etc/nginx/.htpasswd developer
Secure the password file permissions:
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd
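The ownership and mode above keep the file away from other local users, but the hash scheme stored for each user also matters if the file is ever copied or leaked. The script below is an added example, not part of the original recipe: it classifies each entry's hash by its prefix and checks the file mode. The ok/legacy/weak grading is this example's own policy, and the sample entries are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit an htpasswd file (hash scheme per user, file mode).

# Print the scheme name for one htpasswd hash field.
classify_hash() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$5$'*|'$6$'*)           echo sha2-crypt ;;
    '$apr1$'*)               echo apr1-md5 ;;
    '{SHA}'*)                echo sha1-unsalted ;;
    '{SSHA}'*)               echo sha1-salted ;;
    '{PLAIN}'*)              echo plaintext ;;
    '')                      echo empty ;;
    *) if [ "${#1}" -eq 13 ]; then echo des-crypt; else echo unknown; fi ;;
  esac
}

# Print "user scheme verdict" per entry; exit status 1 if any entry is weak.
# The ok/legacy/weak grading is this example's policy, not an Nginx rule.
audit_htpasswd() (
  rc=0
  while IFS=: read -r user hash _ || [ -n "$user" ]; do
    case "$user" in ''|'#'*) continue ;; esac
    scheme=$(classify_hash "$hash")
    case "$scheme" in
      bcrypt|sha2-crypt)    verdict=ok ;;
      apr1-md5|sha1-salted) verdict=legacy ;;
      *)                    verdict=weak; rc=1 ;;
    esac
    echo "$user $scheme $verdict"
  done < "$1"
  exit "$rc"
)

# Succeed only if "other" has no permission bits (e.g. 640). Uses GNU stat.
mode_is_private() (
  mode=$(stat -c '%a' "$1") || exit 2
  case "$mode" in *0) exit 0 ;; *) exit 1 ;; esac
)

# Demo on a constructed file: placeholder strings, not real password hashes.
demo=$(mktemp)
cat > "$demo" <<'EOF'
admin:$2y$05$CONSTRUCTED.PLACEHOLDER
developer:$apr1$CONSTRUC$PLACEHOLDER
olduser:{SHA}CONSTRUCTEDPLACEHOLDER=
EOF
chmod 640 "$demo"
audit_htpasswd "$demo" || echo "at least one weak entry"
mode_is_private "$demo" && echo "mode ok: not world-readable"
rm -f "$demo"
```

To check the real file, call `audit_htpasswd /etc/nginx/.htpasswd` and `mode_is_private /etc/nginx/.htpasswd` as root.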
Configure Nginx Proxy
Create the Nginx configuration file for your authentication gateway. Replace 3000 with your upstream service port.
sudo tee /etc/nginx/sites-available/auth-gateway << 'EOF'
server {
    listen 80;
    server_name _;

    # Optional: IP allowlist (uncomment and modify)
    # allow 203.0.113.42;   # Your office IP
    # allow 10.0.0.0/8;     # Private network range
    # deny all;

    location / {
        # HTTP Basic Auth
        auth_basic "Protected Area";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Proxy to upstream service
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
Enable and Start Services
Activate the new configuration and restart Nginx to apply changes.
# -f makes both commands safe to re-run (existing link / already-removed default site)
sudo ln -sf /etc/nginx/sites-available/auth-gateway /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl reload nginx
sudo systemctl enable nginx
Start Your Application
Launch your upstream service on the configured port (localhost:3000 in this example). The application should bind to localhost only—Nginx handles external access.
# Example: Start a simple Python server for testing
python3 -m http.server 3000 --bind 127.0.0.1
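The localhost-only bind is what makes the gateway meaningful: if the application listens on all interfaces, clients can reach port 3000 directly and never see the login prompt. The following is an added example, not part of the original recipe, that parses `ss -tln` output to verify the bind; the function name and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the upstream port is bound to loopback only.

# Read `ss -tln` output on stdin and inspect listeners on PORT ($1).
# Exit 0: loopback only. Exit 1: bound to a non-loopback address (each such
# listener is printed). Exit 2: nothing is listening on PORT.
upstream_bind_status() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, p, ":")              # port is the last ":"-separated field
      if (p[n] != port) next
      host = substr($4, 1, length($4) - length(p[n]) - 1)
      if (host ~ /^127\./ || host == "[::1]") loopback++
      else { exposed++; print "exposed: " $4 }
    }
    END { if (exposed) exit 1; if (!loopback) exit 2; exit 0 }'
}

# Constructed `ss -tln` rows (not captured from a real host).
bound_ok='LISTEN 0 5   127.0.0.1:3000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80     0.0.0.0:*'
bound_all='LISTEN 0 5   0.0.0.0:3000   0.0.0.0:*
LISTEN 0 511 0.0.0.0:80     0.0.0.0:*'

printf '%s\n' "$bound_ok"  | upstream_bind_status 3000 && echo "3000: loopback only"
printf '%s\n' "$bound_all" | upstream_bind_status 3000 ||
  echo "3000: reachable directly, Basic Auth can be bypassed"

# On the VM itself: ss -tln | upstream_bind_status 3000
```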
Test Authentication
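Access your VM’s IP address in a browser. You should see a login prompt. Enter the credentials created in step 4 (Create Basic Auth Credentials) to access your application. From the command line, omit the password so that curl prompts for it instead of leaving it in shell history:
curl -u admin http://YOUR_VM_IP/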
Troubleshooting
Login Prompt Not Appearing
Check the Nginx configuration syntax and service status:
sudo nginx -t
sudo systemctl status nginx
sudo journalctl -u nginx -f
403 Forbidden Errors
Verify password file permissions and content:
sudo ls -la /etc/nginx/.htpasswd
sudo cat /etc/nginx/.htpasswd
Upstream Connection Failed
Ensure your application is running and listening on localhost:
# ss ships with Ubuntu 22.04; netstat requires the separate net-tools package
sudo ss -tlnp | grep :3000
curl http://localhost:3000/
IP Allowlist Issues
Check your source IP and confirm allowlist configuration:
curl ifconfig.me # Check your public IP
sudo tail -f /var/log/nginx/access.log
Skip All of This: Deploy with an AI Agent
This entire guide exists as a tested, machine-readable recipe in the Massed Compute MCP. Instead of running commands manually, connect an AI assistant and deploy with natural language.
Add this configuration to your MCP client:
{
  "mcpServers": {
    "massed-compute": {
      "type": "http",
      "url": "https://vm.massedcompute.com/api/mcp",
      "headers": { "Authorization": "Bearer MC_TOKEN" }
    }
  }
}
Then say:
The agent matches your request against the recipe catalog, provisions the right VM size, runs the setup and verification steps above, and reports back with the result. If any step fails, it stops and provides debugging information rather than continuing with a broken configuration.
This recipe was last tested on May 29, 2026.
Quick Setup Reference
For experienced users, here’s the condensed deployment sequence:
# 1. Launch VM and connect
ssh ubuntu@YOUR_VM_IP
# 2. Install packages
sudo apt-get update && sudo apt-get install -y nginx apache2-utils
# 3. Create credentials
sudo htpasswd -c /etc/nginx/.htpasswd admin
sudo chown root:www-data /etc/nginx/.htpasswd && sudo chmod 640 /etc/nginx/.htpasswd
# 4. Configure proxy (edit upstream port as needed)
sudo tee /etc/nginx/sites-available/auth-gateway << 'EOF'
server {
    listen 80;
    server_name _;

    location / {
        auth_basic "Protected Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
# 5. Enable and test
sudo ln -sf /etc/nginx/sites-available/auth-gateway /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t && sudo systemctl reload nginx
Frequently Asked Questions
01 Can I use both Basic Auth and IP allowlisting together?
Yes, you can combine both methods. IP allowlisting runs first (blocking unauthorized IPs), then Basic Auth prompts allowed IPs for credentials. This provides defense in depth—even if credentials are compromised, access is still limited by IP.
02 How do I add SSL/TLS encryption to protect credentials?
For production deployments, obtain an SSL certificate (Let’s Encrypt or commercial) and configure HTTPS in Nginx. This prevents credential interception: Basic Auth sends the password with each request in base64 encoding, which is trivially reversible and provides no confidentiality on its own. Consider using a separate SSL termination recipe or load balancer.
03 What happens if my upstream service goes down?
Nginx will return a 502 Bad Gateway error when it can’t connect to the upstream service. Users will still see the login prompt, but after authentication they’ll get the error page. Monitor your upstream service and configure appropriate health checks.
04 Can I protect multiple applications with different credentials?
Yes, create separate server blocks or location blocks in Nginx, each with their own auth_basic_user_file directive pointing to different htpasswd files. You can also use different IP allowlists for different applications based on access requirements.
05 How do I manage user passwords and rotate credentials?
Use htpasswd to add, remove, or update users. To change a password, run sudo htpasswd /etc/nginx/.htpasswd username and enter the new password. Remove users with sudo htpasswd -D /etc/nginx/.htpasswd username. Nginx automatically picks up changes without restart.











