Unrestricted access to NGINX+ Dashboard
Description
NGINX Plus is a commercial web server, load balancer, and content cache that extends the open-source NGINX with enterprise features including a Live Activity Monitoring dashboard. This dashboard provides real-time visibility into server performance, traffic metrics, and system health.
This vulnerability occurs when the NGINX Plus dashboard is accessible without authentication, allowing unauthorized users to view sensitive operational data. The dashboard was found to be publicly accessible, exposing internal system information that should be restricted to authorized administrators only.
Remediation
Restrict access to the NGINX Plus dashboard by implementing authentication and IP-based access controls. Configure the dashboard location block in your NGINX configuration file to require authentication and limit access to trusted IP addresses.
Add the following directives to your NGINX configuration:
location /api {
    # Restrict access by IP address (allow-list first, then deny everything else)
    allow 10.0.0.0/8;       # Internal network
    allow 192.168.1.0/24;   # Admin network
    deny all;
    # Enable HTTP Basic Authentication; with the default "satisfy all",
    # a client must pass both the IP check and the credential check
    auth_basic "NGINX Plus Dashboard";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # write=on makes the API read-write (upstreams, key-value store can be changed);
    # use plain "api;" if read-only monitoring is all that is needed
    api write=on;
}
location = /dashboard.html {
    # Apply the same restrictions to the dashboard page
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny all;
    auth_basic "NGINX Plus Dashboard";
    auth_basic_user_file /etc/nginx/.htpasswd;
    root /usr/share/nginx/html;
}
Create the password file using htpasswd:
sudo htpasswd -c /etc/nginx/.htpasswd admin
After making changes, test the configuration and reload NGINX:
sudo nginx -t
sudo nginx -s reload
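As an added example (not part of this advisory and not NGINX's own tooling), the following Python script audits an nginx configuration for the condition described above: it parses the config, finds the location blocks that serve the API or dashboard.html, and reports any that lack basic authentication or a deny-all rule, and notes where the API is left writable. The two embedded configurations are constructed samples. The script does not follow include directives or auth settings inherited from enclosing server/http blocks, so run it against a fully expanded config (for example the output of nginx -T).

```python
"""Audit an NGINX Plus config for an exposed dashboard/API (added example, not the page's code)."""
import re
import sys

# Constructed sample configs (not from the advisory): one exposed, one hardened.
EXPOSED_CONF = """
server {
    listen 80;
    location /api {
        api write=on;
    }
    location = /dashboard.html {
        root /usr/share/nginx/html;
    }
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    location /api {
        allow 10.0.0.0/8;
        deny all;
        auth_basic "NGINX Plus Dashboard";
        auth_basic_user_file /etc/nginx/.htpasswd;
        api;
    }
    location = /dashboard.html {
        allow 10.0.0.0/8;
        deny all;
        auth_basic "NGINX Plus Dashboard";
        auth_basic_user_file /etc/nginx/.htpasswd;
        root /usr/share/nginx/html;
    }
}
"""

# Tokens: double- or single-quoted strings, the structural characters { } ;, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Strip # comments and split the config into tokens."""
    stripped = re.sub(r'#[^\n]*', '', text)
    return TOKEN_RE.findall(stripped)


def parse(tokens, pos=0):
    """Return (items, pos); each item is (name, args, children), children is None for a simple directive."""
    items, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ';':
            items.append((args[0], args[1:], None))
            args = []
        elif tok == '{':
            children, pos = parse(tokens, pos)
            items.append((args[0], args[1:], children))
            args = []
        elif tok == '}':
            return items, pos
        else:
            args.append(tok.strip('"\''))
    return items, pos


def iter_blocks(items):
    """Yield every block (server, location, ...) at any nesting depth."""
    for name, args, children in items:
        if children is not None:
            yield name, args, children
            yield from iter_blocks(children)


def audit(conf_text):
    """Return [(location_path, [problems])] for every location that serves the API or dashboard."""
    items, _ = parse(tokenize(conf_text))
    findings = []
    for name, args, children in iter_blocks(items):
        if name != 'location' or not args:
            continue
        path = args[-1]  # last arg is the URI; earlier ones are modifiers such as '=' or '~'
        directives = {n: a for n, a, c in children if c is None}
        deny_rules = [a for n, a, c in children if n == 'deny']
        is_api = 'api' in directives
        if not (is_api or path.endswith('dashboard.html')):
            continue
        problems = []
        if 'auth_basic' not in directives or directives['auth_basic'] == ['off']:
            problems.append('no auth_basic')
        elif 'auth_basic_user_file' not in directives:
            problems.append('auth_basic without auth_basic_user_file')
        if ['all'] not in deny_rules:
            problems.append('no "deny all"')
        if is_api and any(a.startswith('write=on') for a in directives['api']):
            problems.append('api write=on (confirm write access is required)')
        findings.append((path, problems))
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXPOSED_CONF
    for path, problems in audit(text):
        print(f'{path}: {", ".join(problems) if problems else "ok"}')
```

Run it with a config path as the only argument, or with no arguments to audit the embedded exposed sample. A clean result is necessary but not sufficient: the checks confirm that the directives from the remediation are present, not that the password file contains strong credentials or that the allow-listed ranges are actually the intended ones.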
Additionally, consider implementing TLS encryption for dashboard access and using more robust authentication mechanisms such as client certificates or integration with enterprise SSO solutions for production environments.