
Nginx How to properly password protect a directory or file?

Discussion in 'Centmin Mod Insights' started by rdan, Jun 25, 2014.

  1. rdan

    rdan Well-Known Member

    5,439
    1,398
    113
    May 25, 2014
    Ratings:
    +2,187
    Local Time:
    4:03 AM
    Mainline
    10.2
    Already tried that generator but still the same problem.
    I have problems on /install/.
    Like when you generate a password of "0TU5KgpWT8443=f", entering just "0TU5KgpWT8" is still accepted.

     
  2. eva2000

    eva2000 Administrator Staff Member

    53,488
    12,130
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,671
    Local Time:
    6:03 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Tried another way of generating a password and it truncates at 8 characters. Have you checked whether it still accepts the password if you try the first <8 characters of the password?

    Code:
    printf "yourusername:$(openssl passwd -crypt yourpassword)\n" >> /usr/local/nginx/conf/htpasswd_admin_php
    Warning: truncating password to 8 characters
     
  3. rdan

    rdan Well-Known Member

    So the issue is that the password is accepted if the first 8 chars are entered?
     
  4. rdan

    rdan Well-Known Member

    Yeah, the first 7 chars are not accepted but 8+ chars are accepted.
    Defeats the purpose of having a long password :D
     
  5. eva2000

    eva2000 Administrator Staff Member

    Okay, seems htpasswd.py isn't that great; it's better to use alternate encryption. Use the following:

    Code:
    printf "yourusername:$(openssl passwd -apr1 yourpassword)\n" >> /usr/local/nginx/conf/htpasswd_admin_php
    Might write a custom shell script for Centmin Mod to replace htpasswd.py :)
     
  6. rdan

    rdan Well-Known Member

    Lucky me, I discovered some serious bugs today :)
     
  7. eva2000

    eva2000 Administrator Staff Member

    Work-in-progress htpasswd.sh script, no error checking yet heh

    Create at /usr/local/nginx/conf/htpasswd_admin
    Code:
    ./htpasswd.sh create /usr/local/nginx/conf/htpasswd_admin user1 pass1     
    
    /usr/local/nginx/conf/htpasswd_admin contents:
    user1:$apr1$WMC63WuZ$kbZrmfEt/btF3WEcrxFbB1
    
    Append at /usr/local/nginx/conf/htpasswd_admin
    Code:
    ./htpasswd.sh append /usr/local/nginx/conf/htpasswd_admin user2 pass2       
    
    /usr/local/nginx/conf/htpasswd_admin contents:
    user1:$apr1$WMC63WuZ$kbZrmfEt/btF3WEcrxFbB1
    user2:$apr1$CGmccW3X$wolHW170as3FfF5c7o5Y7.
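
Added example (not part of the original posts and not the Centmin Mod htpasswd.sh script): a POSIX shell check that reads an htpasswd-style file and flags entries stored as traditional DES crypt, the 13-character format that only uses the first 8 characters of the password, which is the behaviour reported in this thread. The function names and scheme labels are made up for this example; the two sample entries are hashes quoted in this thread.

```shell
#!/bin/sh
# Added example: flag htpasswd entries stored as traditional DES crypt,
# which only uses the first 8 characters of the password.
LC_ALL=C; export LC_ALL

# classify_hash HASH -> prints a scheme label (labels are this example's own)
classify_hash() {
  case "$1" in
    '$apr1$'*)            echo "apr1-md5" ;;
    '$'*'$'*)             echo "modular-crypt" ;;
    '{'*'}'*)             echo "scheme-prefixed" ;;
    ''|*[!./0-9A-Za-z]*)  echo "unknown" ;;
    *) if [ "${#1}" -eq 13 ]; then echo "des-crypt"; else echo "unknown"; fi ;;
  esac
}

# audit_htpasswd FILE -> one "user<TAB>scheme" line per entry
audit_htpasswd() {
  while IFS=: read -r user hash _comment || [ -n "$user" ]; do
    # skip blank lines and "# comment" lines
    case "$user" in ''|'#'*) continue ;; esac
    printf '%s\t%s\n' "$user" "$(classify_hash "$hash")"
  done < "$1"
}

# truncated_users FILE -> users whose stored hash ignores characters past the 8th
truncated_users() {
  audit_htpasswd "$1" | awk -F'\t' '$2 == "des-crypt" { print $1 }'
}

# Sample file built from two hashes quoted in this thread (written to a temp file).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:sYkkBXHZdH/XI
user1:$apr1$WMC63WuZ$kbZrmfEt/btF3WEcrxFbB1
EOF

audit_htpasswd "$sample"
echo "Entries to regenerate: $(truncated_users "$sample")"
```

Any user listed by `truncated_users` needs the password entry regenerated with a scheme that hashes the whole password, such as the `-apr1` command shown above.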
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    Here's an example of the htpasswd.sh script I will be using in >.08 beta and stable. As the script is still a work in progress, instead of including it as a file in the download zip, it will be set up as a function to always grab the latest version at centminmod/centminmod and download it to /usr/local/nginx/conf/htpasswd.sh on initial Centmin Mod install, on Nginx upgrades and on PHP upgrades. This way I can keep htpasswd.sh updated all the time.
     
  9. rdan

    rdan Well-Known Member

    Got an error now:
    Code:
    # python /usr/local/nginx/conf/htpasswd.py -b /usr/local/nginx/conf/htpasswd_custom user password
    Traceback (most recent call last):
      File "/usr/local/nginx/conf/htpasswd.py", line 124, in <module>
        main()
      File "/usr/local/nginx/conf/htpasswd.py", line 113, in main
        passwdfile = HtpasswdFile(filename, create=options.create)
      File "/usr/local/nginx/conf/htpasswd.py", line 42, in __init__
        raise Exception("%s does not exist" % self.filename)
    Exception: /usr/local/nginx/conf/htpasswd_custom does not exist
     
  10. eva2000

    eva2000 Administrator Staff Member

    What version of Python do you have installed?
    Code:
    python -V
    Python 2.6.6
    Did you install the addon/python27_install.sh addon?

    I just tried it myself and it works fine
    Code:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/htpasswd_custom user password
    Or use the htpasswd.sh script I wrote in post 28 in this thread

    Code:
    wget -O /usr/local/nginx/conf/htpasswd.sh https://gist.githubusercontent.com/centminmod/3068afbed67d5fe5e2dd/raw
    chmod +x /usr/local/nginx/conf/htpasswd.sh
    Code:
    /usr/local/nginx/conf/htpasswd.sh
    
    /usr/local/nginx/conf/htpasswd.sh {create|append} /usr/local/nginx/conf/htpasswd user1 pass1
     
  11. rdan

    rdan Well-Known Member

    # python -V
    Python 2.6.6
     
  12. rdan

    rdan Well-Known Member

    Works now with -c
     
  13. eva2000

    eva2000 Administrator Staff Member

    Yes, use -c if creating a new file; without -c it appends to the existing file.
     
  14. Josephm

    Josephm Active Member

    132
    44
    28
    Aug 26, 2014
    Ratings:
    +48
    Local Time:
    3:03 AM
    1.9.5
    10.0.21
    Hi, I entered the command, and now the homepage only shows "root:sYkkBXHZdH/XI". How can I enter my index.php with a user/password prompt in the browser?
    Code:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/html/phpmyadmin/index.php root password
    
     
  15. rdan

    rdan Well-Known Member

    Put the auth file outside the public directory, like: /usr/local/nginx/conf/
    So run this:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/phpmyadmin_auth root password

    Re-upload your index.php file also, because you overwrote it.
     
  16. Josephm

    Josephm Active Member

    Thanks for your answer RoldanLT, however, I'm not clear about this protection concept.
    I ran the command
    Code:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/phpmyadmin_auth root password
    
    Now I have a new file phpmyadmin_auth. What should I do next to protect the phpmyadmin directory?
     
  17. eva2000

    eva2000 Administrator Staff Member

  18. Josephm

    Josephm Active Member

    Thank you very much, I successfully made it work. And now I have to enter double password to enter my private site :D
     
  19. sepulchre

    sepulchre Member

    167
    22
    18
    Dec 22, 2014
    Ratings:
    +28
    Local Time:
    10:03 PM
    Hey, one question.

    I did this:
    Code:
     python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/htpasswd username password
    and then my conf file where the auth_basic part is:
    Code:
    location / {

      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;

      index index.php index.html index.htm;
      try_files $uri $uri/ /index.php?$uri&$args;

      # block common exploits, sql injections etc
      #include /usr/local/nginx/conf/block.conf;

      # Enables directory listings when index file not found
      #autoindex  on;

      # Shows file listing times as local time
      #autoindex_localtime on;

      # Enable for vBulletin usage WITHOUT vbSEO installed
      #try_files        $uri $uri/ /index.php;

    }

    1) Now, how do I know that my admin.php is password protected? How can I check that?

    When I open my htpasswd file, then I see:
    username:blablabla
    2) Instead of the blablabla, doesn't it need to be my password?
     
  20. eva2000

    eva2000 Administrator Staff Member

    You placed it in location root /, which password protects the entire site, not admin.php.

    For admin.php only (I also IP restrict mine):

    Code:
    location /admin.php {
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
      include /usr/local/nginx/conf/php.conf;
      allow 127.0.0.1;
      allow YOURIPADDRESS;
      deny all;
    }
    Restart Nginx and PHP-FPM.

    To test, access admin.php from a browser.