How to password protect a directory or website with HTTP Authentication – Nginx


There are many reasons to use HTTP authentication on your website. For example, you may not want Google's bots to crawl and index a website that is still under development (bad for SEO).

You can also password protect a single directory so that only specific users can access that folder on your website. HTTP authentication protects your whole website, or a specific folder, with a username and password.

HTTP Authentication with Nginx.

NGINX is a free, open-source HTTP server and reverse proxy that is easy to configure. It has low resource consumption and uses an event-driven architecture to handle requests.

Applying HTTP authentication to password protect a folder or a website is easy.

I will do this HTTP authentication setup on a DigitalOcean server. If you don't have a VPS and want to test this setup, you can get a free coupon to try a DigitalOcean VPS for 2 months by clicking here.

 

About this guide.

 

Install Necessary packages.

We will use htpasswd to create the hashed password for our user.

  • For Ubuntu 16.04/Debian 7,8.

On Ubuntu 16.04/Debian 8, htpasswd is part of the apache2-utils package. Install apache2-utils with the command below.

If you don't know the exact name of the package, you can find it with the following command.

shell> apt-cache search apache2 | grep ^apache2

Then install the package.

shell> sudo apt-get install apache2-utils

 

  • For CentOS 7/RHEL 7/Fedora 23,24.

On CentOS 7/RHEL 7/Fedora 23,24, htpasswd is part of the httpd-tools package. Install httpd-tools with the command below.

If you are not sure which package provides the htpasswd command, ask yum.

shell> yum whatprovides */htpasswd

Then install the package.

shell> yum install httpd-tools

 

 

Create User and Password for HTTP Authentication.

Create a hidden “.ngxpasswd” file under /etc/nginx, or in any other secure location (outside the document root) that Nginx can read.

The procedure is the same on all Linux distributions, whether it's CentOS 7, Ubuntu 16.04, Debian or Fedora.

We will create a file to store the hashed password for each user.

In this example, we will create a hidden file named .ngxpasswd in the /etc/nginx directory. This file will store the login credentials for the user priv_user.

shell> htpasswd -c /etc/nginx/.ngxpasswd priv_user
New password:
Re-type new password:
Adding password for user priv_user

 

The -c flag creates the file /etc/nginx/.ngxpasswd. Use this option for the first time only. Once the file is created you don’t need to use -c flag.

Now if we take a look at this file we will see the hashed version of our password (the $apr1$ prefix marks the Apache MD5 format that htpasswd uses by default).

shell> cat /etc/nginx/.ngxpasswd
priv_user:$apr1$UbYTkCBm$oHEEtCanUm1a7S/UFm0S3/

 

 

Create more users for HTTP Authentication.

You can create more users with the same command, this time without the -c flag, because the file already exists.

shell> htpasswd /etc/nginx/.ngxpasswd priv_user1
New password:
Re-type new password:
Adding password for user priv_user1

 

Take a look again into the new file.

shell> cat /etc/nginx/.ngxpasswd
priv_user:$apr1$UbYTkCBm$oHEEtCanUm1a7S/UFm0S3/
priv_user1:$apr1$Q3d246z4$4TFTfDa6rZHMjB1Tp668o1

 

Note that this password file must be readable by the user that the Nginx worker processes run as (set by the user directive in nginx.conf), because the workers open it when a request is authenticated.
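The entries shown above are what htpasswd writes, and a practitioner often wants to check such a file offline (which scheme each entry uses, whether a given password really matches, whether anything weak or plaintext slipped in) before blaming Nginx for a 401 loop. The following is an added example for this post, not code from the original article or from the htpasswd tool. The sample file is constructed for the demo; apr1_hash re-implements the Apache MD5 scheme ($apr1$) that htpasswd uses by default, and the {SHA}, {SSHA} and {PLAIN} entries are the RFC 2307 style formats Nginx also accepts.

```python
"""Audit and verify an htpasswd-style password file (nginx auth_basic_user_file).

Added example, not code from the original article. The sample file below is
constructed for the demo; apr1_hash re-implements the Apache MD5 scheme.
"""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # crypt(3)-style base64: least significant 6 bits come out first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password: str, salt: str) -> str:
    """Apache MD5 crypt: '$apr1$' + salt (max 8 chars) + '$' + 22-char hash."""
    pw = password.encode()
    salt_b = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bit = len(pw)
    while bit:  # one byte per bit of len(pw): NUL for a 1 bit, first password byte for 0
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 stretching rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt_b.decode()}${encoded}"


def verify_password(stored: str, password: str) -> bool:
    """Check a password against one stored entry; unsupported formats return False."""
    pw = password.encode()
    try:
        if stored.startswith("$apr1$"):
            parts = stored.split("$")  # ['', 'apr1', salt, hash]
            return len(parts) == 4 and hmac.compare_digest(
                apr1_hash(password, parts[2]).encode(), stored.encode())
        if stored.startswith("{SHA}"):  # unsalted SHA-1 (htpasswd -s)
            digest = base64.b64encode(hashlib.sha1(pw).digest())
            return hmac.compare_digest(digest, stored[5:].encode())
        if stored.startswith("{SSHA}"):  # salted SHA-1: base64(sha1(pw + salt) + salt)
            raw = base64.b64decode(stored[6:])
            return hmac.compare_digest(hashlib.sha1(pw + raw[20:]).digest(), raw[:20])
        if stored.startswith("{PLAIN}"):
            return hmac.compare_digest(stored[7:].encode(), pw)
    except ValueError:  # malformed base64 in the stored entry
        return False
    return False  # crypt(3) entries depend on the platform libc; not handled here


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored entry; reject malformed lines and duplicate users."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected user:hash")
        if user in users:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        users[user] = stored
    return users


def audit(users: dict) -> list:
    """Findings a reviewer would raise: reversible or unsalted storage."""
    findings = []
    for user, stored in users.items():
        if stored.startswith("{PLAIN}"):
            findings.append(f"{user}: password stored in plaintext")
        elif stored.startswith("{SHA}"):
            findings.append(f"{user}: unsalted SHA-1, reversible with lookup tables")
    return findings


# Constructed sample file: the apr1 entry is generated here with a demo salt,
# the {SHA} entry is the SHA-1 of the string "password".
SAMPLE_FILE = "\n".join([
    "priv_user:" + apr1_hash("correct horse", "demoSalt"),
    "priv_user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "legacy:{PLAIN}letmein",
])
SAMPLE_USERS = parse_htpasswd(SAMPLE_FILE)

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS):
        print("finding:", finding)
    print("priv_user ok:", verify_password(SAMPLE_USERS["priv_user"], "correct horse"))
```

Running the script lists the two weak entries and confirms the apr1 entry. Point verify_password at a line copied from a real .ngxpasswd to confirm that the password you are typing into the browser prompt is the one that was stored.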

 

Change a user's password.

To update or change the password of user priv_user1, use the following commands.

First of all, check the password hash for user priv_user1.

shell> cat /etc/nginx/.ngxpasswd
priv_user1:$apr1$EGkv9KIk$.G/qZgM2Gr1CIVUVGeFz//

 

Update the Password for the user priv_user1.

shell> htpasswd /etc/nginx/.ngxpasswd priv_user1
New password:
Re-type new password:
Updating password for user priv_user1

 

Let's check the password hash for user priv_user1 again.

shell> cat /etc/nginx/.ngxpasswd
priv_user1:$apr1$KJfxUyTa$xj0H4U8deAAiOEtmjTBrs0

 

 

Secure your HTTP Authentication Password file.

Now we also need to protect the file itself by giving it appropriate permissions. With mode 600 only the file owner can read it, so the owner should be the Nginx worker user (or keep the file group-readable with the worker's group); otherwise Nginx cannot open the file and every request to the protected location fails.

shell> chmod 600 /etc/nginx/.ngxpasswd

 

Also make the file immutable to protect it from accidental changes. No one will be able to edit it, not even root, without removing the attribute first.

shell> chattr +i /etc/nginx/.ngxpasswd

 

Check the file attributes with lsattr command.

shell> lsattr .ngxpasswd
----i--------e-- .ngxpasswd

 

If you want to edit this file again, remove the attribute first.

shell> chattr -i /etc/nginx/.ngxpasswd

 

 

Apply the HTTP Authentication to your website.

Now to the important question: which part of the website do you want to secure?

 

Case 1: If you want to apply authentication to the whole website.

To do that, edit your Nginx configuration file (I am assuming here that it is /etc/nginx/nginx.conf) and add the auth_basic directives to the location block inside the server block.

server {
    .....
    .....
    location / {
        root   /document/root/your-website.com;
        index  index.php index.html index.htm;
        auth_basic            "Authorized users only!";
        auth_basic_user_file  /etc/nginx/.ngxpasswd;
    }
}

 

 

Case 2: If you want to protect wp-admin only from unauthorized access.

To do that, edit your config file and create a new location block for wp-login.php, the WordPress login page that wp-admin sends you to when you are not logged in.

server {
    .....
    .....
    location ^~ /wp-login.php {
        auth_basic            "Authorized users only!";
        auth_basic_user_file  /etc/nginx/.ngxpasswd;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;   # if PHP-FPM listens on a TCP port other than 9000, change it here.
        # fastcgi_pass unix:/var/run/php5-fpm.sock;   # use this line instead if PHP-FPM listens on a unix socket.
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
}

 

 

Check for any syntax errors.

shell> nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

 

Finally, reload the Nginx configuration.

shell> nginx -s reload

 

 

Testing the HTTP Authentication.

Now try to access your website, or the URL of the specific folder you password protected. You will see a browser prompt like this.

Password protect a directory with http authentication.

Another HTTP authentication example of password protection of wp-admin.

Http authentication.

Enter the credentials you created in the /etc/nginx/.ngxpasswd file. The prompt will not let you access the website until you enter the right credentials.

If you fail to provide the right credentials, you are locked out of the site.

Protect a directory with http authentication.
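What the screenshots above do not show is the exchange behind the prompt: the first request gets a 401 with a WWW-Authenticate challenge carrying the realm from the config, the browser then resends the request with an Authorization header, and every failure (missing, malformed or wrong credentials) is answered with the same 401 so the prompt appears again. The following is an added example for this post, not code from the original article or from Nginx. check_request models the decision a protected location makes and build_authorization models what the browser sends; the user table is constructed for the demo and holds plaintext only to keep the example short.

```python
"""The HTTP Basic exchange behind the browser prompt, both sides shown.

Added example, not code from the original article or from nginx. The user
table is constructed demo data; the realm is the one from the config above.
"""
import base64
import binascii
import hmac

REALM = "Authorized users only!"
DEMO_USERS = {"priv_user": "correct horse battery"}  # constructed demo data


def build_authorization(user: str, password: str) -> str:
    """Client side: 'Basic ' + base64('user:password'), per RFC 7617.

    base64 is an encoding, not encryption: anyone who can read the request
    can recover the password, which is why the site should be served over TLS.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_request(headers: dict, verify) -> tuple:
    """Server side: return (status, response headers) for a protected location.

    verify(user, password) is the credential check. Every failure path answers
    401 with the same challenge, which is what makes the browser show the prompt.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge  # no credentials yet (first visit) or another scheme
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 401, challenge  # malformed token
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep or not verify(user, password):
        return 401, challenge  # unknown user or wrong password
    return 200, {}


def demo_verify(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed table."""
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def walk_through(user: str, password: str) -> list:
    """Replay the two-step exchange: anonymous request, then with credentials."""
    first = check_request({}, demo_verify)
    second = check_request({"Authorization": build_authorization(user, password)}, demo_verify)
    return [first[0], second[0]]


if __name__ == "__main__":
    print("anonymous ->", check_request({}, demo_verify))
    print("good creds ->", walk_through("priv_user", "correct horse battery"))
    print("bad creds  ->", walk_through("priv_user", "guess"))
```

Running it prints the 401 challenge with the realm, then [401, 200] for the right password and [401, 401] for a wrong one, which is the same sequence you will see in the Nginx access log while testing: one 401 for the anonymous request, then a 200 or another 401 for the retry.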

Additionally, if you want to protect your password-protected website or folder from brute-force attacks, put it in a Fail2ban jail.

How to put HTTP Authenticated folders in Fail2ban jail.

If you have any other questions about HTTP authentication, feel free to ask them in the comments section.

Thanks for visiting this page. Do share it with your friends and on your social networks, and have a good day. 🙂

Hello there, My name is Rishi Guleria and I work as a Linux system administrator. I have created this blog to share what I have learned so far and to learn new things. Don't forget to leave the feedback. Have a great day. :)
