$remote_user

The $remote_user variable contains the username supplied by the client during HTTP Basic Authentication. — NGINX Core (HTTP)

Description

In NGINX, the $remote_user variable is set when the server is configured to use HTTP Basic Authentication. This occurs when the `auth_basic` directive is used in a configuration block, prompting clients to enter a username and password. The username entered by the client is then made available to the server through the $remote_user variable. If the client does not authenticate successfully or if the request does not require authentication, $remote_user will be empty.

Typically, $remote_user is used for logging or for authorization within server configurations. It can be included in custom log formats, allowing administrators to track who is accessing certain resources. It can also influence access control decisions in combination with conditional configuration directives, allowing or denying access based on the authenticated user's identity.

This variable is primarily useful where security is critical, such as when exposing sensitive data or services that require user identification for access control. The username may itself be sensitive, however, so logging it should follow privacy and security practices that keep personally identifiable information out of access logs.

Config Example

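http {
    # log_format is only valid in the http context, and the predefined
    # name "combined" cannot be redefined, so declare a custom format here.
    log_format with_user '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" "$http_user_agent"';

    server {
        # Basic credentials are only base64-encoded; use TLS outside of testing.
        listen 80;
        server_name example.com;

        location / {
            auth_basic "Restricted Area";
            auth_basic_user_file /etc/nginx/.htpasswd;

            # Include the remote_user in the log
            access_log /var/log/nginx/access.log with_user;
        }
    }
}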

Subsystem

http

Cacheable

Yes

Contexts

http, server, location, if

Ensure that the `auth_basic` directive is set in the relevant context or location block, or $remote_user will always be empty.

Be aware of the security implications of logging sensitive information such as usernames. Always consider privacy guidelines when logging $remote_user.

Check the path set in `auth_basic_user_file` to prevent unauthorized access to authentication files.
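To address the privacy note above, the following added example (not part of NGINX or the original page) rewrites access-log lines in the `$remote_addr - $remote_user [$time_local] ...` layout from the Config Example so that usernames become keyed pseudonyms, which keeps per-user correlation without storing the name. The key, the sample lines and the function names are constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

# Layout: $remote_addr - $remote_user [$time_local] "$request" ...
# $remote_user is unquoted and may contain spaces, so capture everything
# between "<addr> - " and the first " [" that opens $time_local.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>.*?) \[(?P<time>[^\]]+)\] (?P<rest>".*)$')

KEY = b"constructed-demo-key"  # assumption: load a real secret from protected storage

# Constructed sample lines (documentation IP ranges, made-up users).
SAMPLE = [
    '198.51.100.23 - alice [10/Oct/2024:13:55:36 +0000] "GET /reports/ HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    '203.0.113.7 - bob smith [10/Oct/2024:13:56:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - alice [10/Oct/2024:13:57:12 +0000] "POST /reports/export HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '192.0.2.44 - - [10/Oct/2024:13:58:40 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]

def pseudonymize(user: str, key: bytes) -> str:
    """Stable keyed token: the same user and key always give the same value."""
    if user == "-":  # nginx writes "-" when the variable is empty
        return "-"
    digest = hmac.new(key, user.encode("utf-8"), hashlib.sha256).hexdigest()
    return "u_" + digest[:16]

def scrub_line(line: str, key: bytes) -> str:
    """Return the log line with $remote_user replaced by its pseudonym."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match the expected log layout")
    return f'{m["addr"]} - {pseudonymize(m["user"], key)} [{m["time"]}] {m["rest"]}'

def requests_per_user(lines, key: bytes) -> Counter:
    """Count requests per pseudonymized user, skipping anonymous requests."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["user"] != "-":
            counts[pseudonymize(m["user"], key)] += 1
    return counts

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub_line(entry, KEY))
    print(requests_per_user(SAMPLE, KEY))
```

An unkeyed hash would not be enough here, because usernames are low-entropy and can be recovered by hashing a list of candidates; the HMAC key must be kept out of the log pipeline's readers.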