That is a good idea, something like this should work (it is just an example...):
Create the htpasswd file:
# -c creates the file and replaces an existing one; leave it out when adding more users.
# The password is prompted for interactively, so it is not passed on the command line.
# The file must be readable by the nginx worker user and should not be world-readable.
htpasswd -c /etc/nginx/acme-dns.htpasswd username
Create the nginx conf file:
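# TLS front end for the acme-dns HTTP API: nginx terminates TLS and relays
# /register and /update to the acme-dns listener on localhost:8080.
# The basic-auth gate below only covers requests that pass through nginx, so
# the acme-dns API listener has to stay on the loopback interface (or port 8080
# has to be firewalled); otherwise /register can be reached around the proxy.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name auth.domain.tld;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2;
    # The last four suites (...-SHA384 / ...-SHA256) are CBC-mode; they can be
    # dropped if every client supports the AES-GCM or ChaCha20 suites before them.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # Registration creates new acme-dns accounts, so it sits behind HTTP basic
    # auth. Basic credentials are only base64-encoded; they are protected here
    # because this server block accepts TLS connections only.
    location /register {
        auth_basic "acme-dns restricted";
        auth_basic_user_file /etc/nginx/acme-dns.htpasswd;

        proxy_pass http://localhost:8080/register;
        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite instead of appending: $proxy_add_x_forwarded_for keeps any
        # X-Forwarded-For value the client sent. This server is the first hop,
        # so the backend should only ever see the address nginx observed.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # No basic auth here on purpose: updates are authenticated by acme-dns
    # itself with the per-account credentials issued at registration, and ACME
    # clients calling /update would not send the htpasswd login.
    location /update {
        proxy_pass http://localhost:8080/update;
        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Same reasoning as in /register. It matters most here if acme-dns is
        # configured to read the client address from this header for its
        # allowfrom check: a client-supplied value must not reach that check.
        # Behind another trusted proxy, derive the address with the realip
        # module rather than passing the client's header through.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}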
Registering with curl, for example, without a username and password is then rejected:
$ curl -X POST https://auth.domain.tld/register
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
and with the right username and password the registration succeeds:
$ curl -u username:password -X POST https://auth.domain.tld/register
{"username":"120df7c5-2gb8-4ef3-875e-fec18ffbf714","password":"aMOPy2PYIrzLlfnOf7CTGfVBIrlyP_yE8mpxTdb6","fulldomain":"e8fe56ea-2157-4f39-a780-3800bc912c8c.auth.domain.tld","subdomain":"e8fe56ea-2157-4f39-a780-3800bc912c8c","allowfrom":[]}