Synchronize Nextcloud authentication data/backend with NGINX basic auth password file

I would like to know if it is possible and if so, how to synchronize Nextcloud authentication data/backend with NGINX basic auth password file.

Use case:

  • Let's have a reverse proxy connected to the Internet, serving the instance nextcloud.example.com
  • The server itself lives on an internal network behind DNS split horizon (which may not be important now, but is worth mentioning)
  • Users connecting from the internal network are treated as trusted, so they can connect to the internal server directly (the Nextcloud PHP instance is exposed without any extra added protection)
  • Users connecting from the Internet are, however, evils and are trying to hack/crack the naked Nextcloud PHP instance, therefore the NGINX reverse proxy employs simple Basic HTTP Authentication to prevent the evils from playing with PHP hacks.

Apparently it is now obvious what my problem is. In order to fully use Nextcloud (WebDAV & friends), the reverse proxy needs to be able to authenticate the same users and credentials as the internal Nextcloud instance does.

The use case is proven and works. It however requires that the reverse proxy has an up-to-date basic auth file (which I am now updating manually).

Is there any possibility to export the internal Nextcloud ‘user credentials’ database to ‘htpasswd’ format/file?

I am not sure if the hashed passwords are compatible (Apache says it can be compatible with bcrypt, but I am not sure if that is possible on all systems):
https://httpd.apache.org/docs/current/en/programs/htpasswd.html
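The export the question asks about, as an added example that is not the poster's code nor anything shipped by Nextcloud or Apache. It assumes Nextcloud's stored hash layout of `<version>|<hash>` with version 1 meaning bcrypt (`$2y$`) and versions 2/3 meaning argon2i/argon2id, and it stands in a constructed dictionary for the `uid`/`password` columns of `oc_users`. Only the bcrypt rows can become htpasswd lines: Apache `htpasswd -B` writes the same `$2y$` format, while nginx's `auth_basic` verifies through the system `crypt(3)`, so bcrypt works there only on a libc whose crypt supports `$2y$` (libxcrypt does). Argon2 rows cannot be represented in an htpasswd file at all, so the script reports those users instead of silently dropping them.

```python
import re

# Nextcloud stores hashes as "<version>|<hash>" (layout assumed here):
#   1 = bcrypt ($2y$...), 2 = argon2i, 3 = argon2id.
# Only bcrypt can be verified by htpasswd / crypt(3); argon2 cannot.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def split_nextcloud_hash(stored: str):
    """Return (version, hash). Unversioned legacy values get version None."""
    version, sep, digest = stored.partition("|")
    if not sep or not version.isdigit():
        return None, stored
    return int(version), digest


def to_htpasswd_line(username: str, stored: str):
    """Return 'user:hash' if the hash is bcrypt and the user name is safe
    for the htpasswd file format, otherwise None."""
    # htpasswd is colon-separated and line-oriented; refuse names that
    # would corrupt the file or smuggle in a second entry.
    if not username or ":" in username or "\n" in username or "\r" in username:
        return None
    version, digest = split_nextcloud_hash(stored)
    if version != 1 or not BCRYPT_RE.match(digest):
        return None
    return f"{username}:{digest}"


def export_htpasswd(users: dict):
    """Map {user: stored_hash} to (htpasswd_lines, skipped_users).

    skipped_users lists accounts that need manual handling because their
    hash scheme (argon2, legacy) or user name cannot go into htpasswd."""
    lines, skipped = [], []
    for user, stored in sorted(users.items()):
        line = to_htpasswd_line(user, stored)
        if line is None:
            skipped.append(user)
        else:
            lines.append(line)
    return lines, skipped


# Constructed sample rows (not real credentials; the bcrypt string is
# syntactically valid but is not the hash of any particular password).
SAMPLE_USERS = {
    "alice": "1|$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
    "bob": "3|$argon2id$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$aGFzaGhhc2g",
    "eve:x": "1|$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
}

if __name__ == "__main__":
    lines, skipped = export_htpasswd(SAMPLE_USERS)
    print("\n".join(lines))
    print("needs manual handling:", skipped)
```

In a real run the dictionary would be filled from the database, and the resulting lines written to the file named by `auth_basic_user_file` with owner-only permissions; the `skipped` list is the part worth watching, because an instance whose hasher has moved to argon2 will export nothing at all.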

If this works, you could export the user names with password hashes to your nginx proxy. Though it is not very elegant. It would be better to use one single authentication backend, so either use Nextcloud itself (and ask the reverse proxy to check the authentication against Nextcloud), or use a different one which is usable by both, e.g. LDAP.

Keep in mind that it can be problematic if you want to use two-factor authentication or app passwords.
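The first alternative in the answer, letting the reverse proxy check credentials against Nextcloud itself, as an added nginx configuration that is not from the thread and not Nextcloud documentation. It uses nginx's `auth_request` module: every request to the public name triggers an internal subrequest carrying the client's `Authorization` header to Nextcloud's OCS user endpoint, and access is granted only if that subrequest returns 2xx. Assumptions: the internal host `10.0.0.10` is a placeholder, and `/ocs/v1.php/cloud/user` is assumed to answer 200 for valid Basic credentials and 401 otherwise when the `OCS-APIRequest` header is set.

```nginx
upstream nextcloud_backend {
    server 10.0.0.10:80;            # internal Nextcloud host (placeholder)
}

server {
    listen 443 ssl;
    server_name nextcloud.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location / {
        # Deny unless the subrequest below succeeds; on 401 nginx relays
        # the WWW-Authenticate header from the subrequest to the client.
        auth_request /_nc_auth;

        proxy_pass http://nextcloud_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location = /_nc_auth {
        internal;                     # never reachable from outside
        proxy_pass http://nextcloud_backend/ocs/v1.php/cloud/user;
        proxy_pass_request_body off;  # credentials are in the header only
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        # Pass the real client address so Nextcloud's brute-force
        # throttling counts the client, not the proxy.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header OCS-APIRequest true;
    }
}
```

Two points decide whether this holds up in practice. The proxy must be listed in Nextcloud's `trusted_proxies` so that the forwarded address is honoured; otherwise every failed login from the Internet is attributed to the proxy and the throttling punishes everyone at once. And because Nextcloud performs the check, app passwords work through the proxy (they are separate tokens, never present in an exported htpasswd file), while a user with two-factor authentication enabled still cannot complete a Basic-auth login, which is the caveat the answer ends with.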