How to password protect a directory or website with HTTP Authentication – Nginx


There are many reasons to use HTTP Authentication on your website. For example, you may not want Google's bots to crawl and index a website that is still under development (bad for SEO).

You can also password protect a directory so that only specific users can access that folder on your website. HTTP authentication protects your website or a specific folder with a password.

HTTP Authentication with Nginx.

NGINX is a free, open-source HTTP server and reverse proxy server that is easy to configure. It has low resource consumption and uses an event-driven architecture to handle requests.

Applying HTTP authentication to password protect a folder or a website is easy.

I will do this HTTP Authentication setup using a DigitalOcean server. If you don’t have a VPS and want to test this setup then you can get a free coupon to test DigitalOcean VPS for 2 months by clicking here.


About this guide.


Install Necessary packages.

We will use htpasswd to create the hashed password for our user.

  • For Ubuntu 16.04/Debian 7,8.

In Ubuntu 16.04/Debian 8, htpasswd is part of the apache2-utils package.

If you don’t know the complete name of the package, you can find it with the following command.

shell> apt-cache search apache2 | grep ^apache2

Install apache2-utils using the command below.

shell> sudo apt-get install apache2-utils


  • For CentOS 7/RHEL 7/Fedora 23,24.

In CentOS 7/RHEL 7/Fedora 23,24, htpasswd is part of the httpd-tools package.

Search for the package that provides the htpasswd command.

shell> yum whatprovides '*/htpasswd'

Install httpd-tools using the command below.

shell> yum install httpd-tools



Create User and Password for HTTP Authentication.

Create a hidden “.ngxpasswd” file under /etc/nginx or any other secure location where nginx can get access to it.

The procedure is the same for all Linux distributions, whether it’s CentOS 7, Ubuntu 16.04, Debian or Fedora.

We will create a file to store the hashed password for the user.

In this example, we will create a hidden file named .ngxpasswd in the /etc/nginx directory. This file will store the login credentials for the user priv_user.

shell> htpasswd -c /etc/nginx/.ngxpasswd priv_user
New password:
Re-type new password:
Adding password for user priv_user


The -c flag creates the file /etc/nginx/.ngxpasswd. Use this option the first time only. Once the file is created you don’t need the -c flag; running htpasswd with -c against an existing file rewrites it and removes the users already stored in it.

If we now take a look at this file, we will see the hashed version of our password.

shell> cat /etc/nginx/.ngxpasswd



Create more users for HTTP Authentication.

You can also create more users by using the same command, but without the -c flag, as we have already created the file.

shell> htpasswd /etc/nginx/.ngxpasswd priv_user1
New password:
Re-type new password:
Adding password for user priv_user1


Take a look again into the new file.

shell> cat /etc/nginx/.ngxpasswd


Note: this htpasswd file must be accessible by the Nginx user.


Change HTTPD User Password.

To update or change a password for user priv_user1, use the following commands.

First of all, check the password hash for user priv_user1.

shell> cat /etc/nginx/.ngxpasswd


Update the Password for the user priv_user1.

shell> htpasswd /etc/nginx/.ngxpasswd priv_user1
New password:
Re-type new password:
Updating password for user priv_user1


Let’s check the password hash for user priv_user1 again.

shell> cat /etc/nginx/.ngxpasswd



Secure your HTTP Authentication Password file.

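Now we also need to protect our file. We will give this file appropriate permissions. With mode 600 only the file's owner can read it, so the owner must be the user the Nginx worker processes run as; otherwise Nginx cannot read the file.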

shell> chmod 600 /etc/nginx/.ngxpasswd


Also, make this file immutable to protect it from accidental change. No one will be able to edit this file, not even the root user, without changing the file attributes first.

shell> chattr +i /etc/nginx/.ngxpasswd


Check the file attributes with lsattr command.

shell> lsattr .ngxpasswd
----i--------e-- .ngxpasswd


Additionally, if you want to edit this file again, change the attributes of this file first.

shell> chattr -i /etc/nginx/.ngxpasswd
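
As an added example (not part of the original guide), the script below audits a password file such as /etc/nginx/.ngxpasswd: it names the hash scheme of each entry from its prefix and checks that the file mode gives no access to other users. The function names and the sample entries are constructed for illustration, and the sample hash bodies are placeholders, not real hashes.

```shell
#!/usr/bin/env bash
# Added example: audit an htpasswd-style file (one "user:hash" entry per line).

# Name the scheme that produced a stored hash, judged by its prefix.
hash_scheme() {
  case "$1" in
    '$apr1$'*)               echo apr1-md5 ;;          # htpasswd default (-m)
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;            # htpasswd -B
    '$5$'*)                  echo sha256-crypt ;;
    '$6$'*)                  echo sha512-crypt ;;
    '{SHA}'*)                echo sha1-unsalted ;;     # htpasswd -s
    '{SSHA}'*)               echo sha1-salted ;;
    '{PLAIN}'*)              echo plaintext ;;
    *)                       echo crypt-or-unknown ;;  # e.g. htpasswd -d
  esac
}

# Print "<user> <scheme> <ok|REVIEW>" for every entry in the file.
audit_htpasswd() {
  local user hash scheme verdict
  while IFS=: read -r user hash _ || [ -n "$user" ]; do
    case "$user" in ''|'#'*) continue ;; esac          # skip blanks and comments
    scheme=$(hash_scheme "$hash")
    verdict=ok
    case "$scheme" in sha1-unsalted|plaintext|crypt-or-unknown) verdict=REVIEW ;; esac
    echo "$user $scheme $verdict"
  done < "$1"
}

# Succeed only if the file grants no permission bits to "other" users.
mode_is_private() {
  local mode
  mode=$(stat -c '%a' "$1") || return 2
  [ $(( 0$mode & 007 )) -eq 0 ]
}

# Constructed sample: the hash bodies are placeholders, not real hashes.
make_sample() {
  cat > "$1" <<'EOF'
priv_user:$apr1$CONSTRUCT$placeholderplaceholder
priv_user1:{SHA}PLACEHOLDERPLACEHOLDERPLACE=
EOF
  chmod 600 "$1"
}

sample=$(mktemp) && make_sample "$sample"
audit_htpasswd "$sample"
mode_is_private "$sample" && echo "mode: private" || echo "mode: readable by others"
rm -f "$sample"
```

To audit the real file, call audit_htpasswd and mode_is_private with /etc/nginx/.ngxpasswd as the argument, as a user that can read it.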



Apply the HTTP Authentication to your website.

Now to the important question: which part of the website do you want to secure?


Case 1: If you want to apply authentication to the whole website.

To do that, edit your nginx configuration file. I am assuming here that it is /etc/nginx/nginx.conf. Add the following under the server block.

server {
     location / {
            root  /document/root/;
            index   index.php  index.html  index.htm;
            auth_basic  "Authorized users only!";
            auth_basic_user_file  /etc/nginx/.ngxpasswd;
     }
}



Case 2: If you want to protect wp-admin only from unauthorized access.

To do that, edit your config file and create a new location block. The block below matches /wp-login.php, the WordPress login page.

server {
    location ^~ /wp-login.php {
        auth_basic "Authorized users only!";
        auth_basic_user_file /etc/nginx/.ngxpasswd;   # the password file created above
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;  # assumed PHP-FPM address; if you are using a TCP port other than 9000, replace it here.
        # fastcgi_pass unix:/var/run/php5-fpm.sock;   # Uncomment this line if you are using a unix socket instead of a TCP port.
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
}



Check for any syntax errors.

shell> nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


Finally, reload the Nginx configuration.

shell> nginx -s reload



Testing the HTTP Authentication.

Now try to access your website or the specific URL of the folder that you want to password protect. You will see a browser prompt asking for a username and password.


Another HTTP authentication example of password protection of wp-admin.


Enter the details that you used while creating the users in the /etc/nginx/.ngxpasswd file. The prompt will not allow you to access the website until you enter the right credentials.

If you fail to provide the right credentials, you will be locked out of the site.


Additionally, if you want to protect your password-protected website or folder from brute-force attacks, you should use a Fail2ban jail.

How to put HTTP Authenticated folders in Fail2ban jail.

Also, if you have any other questions about HTTP authentication, feel free to ask them in the comments section.

Thanks for visiting this page. Do share it with your friends and social network, and have a good day. 🙂



Hello there, My name is Rishi Guleria and I work as a Linux system administrator. I have created this blog to share what I have learned so far and to learn new things. Don't forget to leave the feedback. Have a great day. :)
