
How to Configure Basic HTTP Authentication in Nginx

04 Aug 2018


Basic HTTP authentication is a security mechanism that restricts access to your website or application, or to parts of it, by putting a simple username/password barrier in front of them. You can use it to protect the entire HTTP server, individual server blocks (the equivalent of virtual hosts in Apache), or individual location blocks.

As the name suggests, it is not a security method to rely on by itself; you need to use it in conjunction with other, more reliable security measures. For example, if your web application is served over plain HTTP, the user credentials are transmitted effectively in plain text (they are only Base64-encoded, not encrypted), so you need to consider enabling HTTPS.

This tutorial will help you add a small but useful layer of security to protect private or privileged content on your web applications (such as, but not limited to, administrator areas). You could also use it to block access to a website or application that is still in development.

Requirements:

LEMP stack in CentOS/RHEL 7

LEMP stack in Ubuntu/Debian

Create HTTP Authentication User File

You can start by creating a file that will store username:password pairs. We are going to use the htpasswd utility from the Apache HTTP Server to create this file.

First confirm that apache2-utils or httpd-tools, the package which provides the htpasswd utility, is installed on your system, otherwise run the appropriate command for your distribution to install it:

[RHEL/CentOS]

yum install httpd-tools  

[Debian/Ubuntu]

sudo apt install apache2-utils

Now, run the htpasswd command below to create the password file with the first user. The -c option tells htpasswd to create the password file. After you hit Enter, you will be prompted to enter the user's password.

htpasswd -c /etc/nginx/conf.d/.htpasswd developer

Append a second user; do not use the -c option here, since it would recreate the file.

htpasswd /etc/nginx/conf.d/.htpasswd admin

Now that the password file is prepared, continue by configuring the parts of your web server that you want to restrict access to. To view the password file content (usernames and hashed passwords), use the cat command below.

cat /etc/nginx/conf.d/.htpasswd

Configure HTTP Authentication for Nginx

As mentioned earlier, you can restrict access to the whole web server, to a single website (using its server block), or to a location block. Two directives are used to achieve this.

  • auth_basic – turns on validation of user name and password using the “HTTP Basic Authentication” protocol.
  • auth_basic_user_file – specifies the password file.

Password Protect Nginx Virtual Hosts

To implement basic authentication for the entire web server, which applies to every server block, open the /etc/nginx/nginx.conf file and append the lines below in the http context:

http {
    auth_basic           "Restricted Access!";
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    ...
}

Password Protect Nginx Website or Domain

To enable basic authentication for a specific domain or sub-domain, open its configuration file under /etc/nginx/conf.d/ or /etc/nginx/sites-available/ (depending on how you installed Nginx), then add the directives below in its server block:

server {
    listen               80;
    server_name          example.com;
    auth_basic           "Restricted Access!";
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

    location / {
        ...
    }

    ...
}

Password Protect Web Directory in Nginx

You may also enable basic authentication inside a location block. In the example below, everyone requesting the /admin/ location must authenticate, while auth_basic off in the /public/ location shows how to exempt a block from authentication that is enabled at a higher level (server or http context).

server {
    listen      80;
    server_name example.com www.example.com;

    location / {
        ...
    }

    location /admin/ {
        auth_basic           "Restricted Access!";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    }

    location /public/ {
        auth_basic off;   # turns basic HTTP authentication off for this block
    }

    ...
}

Once basic HTTP authentication is configured, all users who attempt to access your web server, a sub-domain, or a particular part of the site (depending on where you enabled it) will be prompted for a username and password, as shown in the screenshot below.

If authentication fails, a “401 Authorization Required” error is displayed.
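To make concrete what the password file and the browser's Authorization header contain, here is an added Python example (not from the article and not the htpasswd tool): it builds entries in the {SHA} and salted {SSHA} formats that auth_basic_user_file accepts, decodes the Basic header the way the server must (Base64 only, which is why the credentials are readable on plain HTTP), and verifies the password in constant time. The make_entry helper, the sample users and their passwords are constructed for this example.

```python
import base64
import hashlib
import hmac

def make_entry(user, password, salt=None):
    """htpasswd line in {SHA} form, or salted {SSHA} if a salt is given (hypothetical helper)."""
    if salt is None:
        digest = hashlib.sha1(password.encode()).digest()
        return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"

def parse_htpasswd(text):
    """Map user -> stored hash, skipping blank lines and '#' comment lines."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split(":", 1) for l in lines if l and not l.startswith("#") and ":" in l)

def verify(stored, password):
    """Constant-time check against a {SHA}/{SSHA} entry; crypt(3) formats ($apr1$, $2y$) are rejected."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[5:])
        actual = hashlib.sha1(password.encode()).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        expected, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
        actual = hashlib.sha1(password.encode() + salt).digest()
    else:
        return False
    return hmac.compare_digest(expected, actual)

def parse_basic_header(header):
    """'Basic <b64>' -> (user, password) or None; split on the first ':' only."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return tuple(creds.split(":", 1)) if ":" in creds else None

def check_request(htpasswd_text, auth_header):
    """True only when the header names a user in the file with the right password."""
    creds = parse_basic_header(auth_header)
    stored = parse_htpasswd(htpasswd_text).get(creds[0]) if creds else None
    return stored is not None and verify(stored, creds[1])

# Constructed sample file with the tutorial's two users; passwords chosen here.
SAMPLE_HTPASSWD = "\n".join(["# example file", make_entry("developer", "s3cret"),
                             make_entry("admin", "hunter2", salt=b"\x01\x02\x03\x04")])
```

Note that the default htpasswd output ($apr1$ MD5-crypt) is deliberately not handled here; on a real server nginx delegates those entries to the system crypt(3).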
