
Nginx How to properly password protect a directory or file?

Discussion in 'Centmin Mod Insights' started by rdan, Jun 25, 2014.

  1. rdan

    rdan Premium Member Premium Member

    5,126
    1,276
    113
    May 25, 2014
    Ratings:
    +1,953
    Local Time:
    9:45 AM
    Mainline
    10.2
    Already tried that generator but still the same problem.
    I have problems on /install/.
    Like when you generate a password of "0TU5KgpWT8443=f", entering just "0TU5KgpWT8" is still accepted.

     
  2. eva2000

    eva2000 Administrator Staff Member

    47,833
    10,908
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,945
    Local Time:
    11:45 AM
    Nginx 1.21.x
    MariaDB 10.x
    Tried another way of generating a password and it truncates at 8 characters. Have you checked whether, if you try the first <8 characters of the password, it still accepts the password?

    Code:
    printf "yourusername:$(openssl passwd -crypt yourpassword)\n" >> /usr/local/nginx/conf/htpasswd_admin_php
    Warning: truncating password to 8 characters
     
  3. rdan

    So the issue is that the password is accepted if the first 8 chars are entered?
     
  4. rdan

    Yeah, the first 7 chars are not accepted but 8+ chars are accepted.
    Defeats the purpose of having a long password :D
     
  5. eva2000

    Okay, seems htpasswd.py isn't that great; it's better to use alternate encryption. Use the following:

    Code:
    printf "yourusername:$(openssl passwd -apr1 yourpassword)\n" >> /usr/local/nginx/conf/htpasswd_admin_php

    Might write a custom shell script for Centmin Mod to replace htpasswd.py :)
     
  6. rdan

    Lucky me, I discovered some serious bugs today :)
     
  7. eva2000

    Work-in-progress htpasswd.sh script, no error checking yet heh

    Create at /usr/local/nginx/conf/htpasswd_admin
    Code:
    ./htpasswd.sh create /usr/local/nginx/conf/htpasswd_admin user1 pass1     
    
    /usr/local/nginx/conf/htpasswd_admin contents:
    user1:$apr1$WMC63WuZ$kbZrmfEt/btF3WEcrxFbB1
    
    Append at /usr/local/nginx/conf/htpasswd_admin
    Code:
    ./htpasswd.sh append /usr/local/nginx/conf/htpasswd_admin user2 pass2       
    
    /usr/local/nginx/conf/htpasswd_admin contents:
    user1:$apr1$WMC63WuZ$kbZrmfEt/btF3WEcrxFbB1
    user2:$apr1$CGmccW3X$wolHW170as3FfF5c7o5Y7.
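
Added example, not part of any post in this thread: a format-only audit of an htpasswd file that flags the 13-character DES crypt() entries behind the 8-character truncation discussed above and passes the `$apr1$` entries that `openssl passwd -apr1` produces. The function names and the FLAG/PASS verdict words are made up for this example; the sample lines reuse hash strings quoted in the thread.

```shell
#!/bin/sh
# Added example: classify htpasswd entries by hash format alone (no cracking).

# Print the scheme name for one hash field.
classify_hash() {
    case "$1" in
        '$apr1$'*)  echo apr1 ;;           # salted, iterated MD5: uses the whole password
        '{SHA}'*)   echo sha1-unsalted ;;
        '{PLAIN}'*) echo plaintext ;;
        '$'*)       echo other-crypt ;;    # $1$, $5$, $6$ ...: left to the system crypt()
        *)
            # Traditional DES crypt(): exactly 13 characters from [./0-9A-Za-z].
            # Only the first 8 password characters feed this hash.
            if [ "${#1}" -eq 13 ] && ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'; then
                echo des-crypt
            else
                echo unknown
            fi ;;
    esac
}

# Read user:hash lines on stdin and print "<verdict> <user> <scheme>".
# Returns 1 if any entry should be regenerated with a stronger scheme.
audit_htpasswd() {
    flagged=0
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            des-crypt|sha1-unsalted|plaintext|unknown) verdict=FLAG; flagged=1 ;;
            *) verdict=PASS ;;
        esac
        echo "$verdict $user $scheme"
    done
    return "$flagged"
}

# Sample input: hash strings as quoted in this thread.
sample_htpasswd() {
    cat <<'EOF'
root:sYkkBXHZdH/XI
user1:$apr1$WMC63WuZ$kbZrmfEt/btF3WEcrxFbB1
user2:$apr1$CGmccW3X$wolHW170as3FfF5c7o5Y7.
EOF
}

sample_htpasswd | audit_htpasswd || true
```

To audit a real file, feed it on stdin, for example `audit_htpasswd < /usr/local/nginx/conf/htpasswd_admin`.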
    
     
  8. eva2000

    Here's an example of the htpasswd.sh script I will be using in >.08 beta and stable. As the script is still a work in progress, instead of including it as a file in the download zip, it will be set up as a function to always grab the latest version at centminmod/centminmod and download it to /usr/local/nginx/conf/htpasswd.sh on initial Centmin Mod install, on Nginx upgrade and on PHP upgrades. This way I can keep htpasswd.sh updated all the time.
     
  9. rdan

    Got an error now:
    Code:
    # python /usr/local/nginx/conf/htpasswd.py -b /usr/local/nginx/conf/htpasswd_custom user password
    Traceback (most recent call last):
      File "/usr/local/nginx/conf/htpasswd.py", line 124, in <module>
        main()
      File "/usr/local/nginx/conf/htpasswd.py", line 113, in main
        passwdfile = HtpasswdFile(filename, create=options.create)
      File "/usr/local/nginx/conf/htpasswd.py", line 42, in __init__
        raise Exception("%s does not exist" % self.filename)
    Exception: /usr/local/nginx/conf/htpasswd_custom does not exist
     
  10. eva2000

    What version of Python do you have installed?
    Code:
    python -V
    Python 2.6.6
    Did you install the addon/python27_install.sh addon?

    I just tried it myself and it works fine
    Code:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/htpasswd_custom user password
    Or use the htpasswd.sh script I wrote in post 28 in this thread

    Code:
    wget -O /usr/local/nginx/conf/htpasswd.sh https://gist.githubusercontent.com/centminmod/3068afbed67d5fe5e2dd/raw
    chmod +x /usr/local/nginx/conf/htpasswd.sh
    Code:
    /usr/local/nginx/conf/htpasswd.sh
    
    /usr/local/nginx/conf/htpasswd.sh {create|append} /usr/local/nginx/conf/htpasswd user1 pass1
     
  11. rdan

    # python -V
    Python 2.6.6
     
  12. rdan

    Works now with -c
     
  13. eva2000

    Yes, use -c if creating a new file, while without -c it appends to the existing file
     
  14. Josephm

    Josephm Active Member

    132
    44
    28
    Aug 26, 2014
    Ratings:
    +48
    Local Time:
    8:45 AM
    1.9.5
    10.0.21
    Hi, I entered the command, and now the homepage only shows "root:sYkkBXHZdH/XI". How can I enter my index.php with a user/password prompt in the browser?
    Code:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/html/phpmyadmin/index.php root password
    
     
  15. rdan

    Put the auth file outside the public directory, like: /usr/local/nginx/conf/
    So run this:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/phpmyadmin_auth root password

    Re-upload your index.php file also, because you overwrote it.
     
  16. Josephm

    Thanks for your answer RoldanLT, however, I'm not clear about this protection concept.
    I ran the command
    Code:
    python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/phpmyadmin_auth root password

    Now I have a new file phpmyadmin_auth. What should I do next to protect the phpmyadmin directory?
     
  17. eva2000

  18. Josephm

    Thank you very much, I successfully made it work. And now I have to enter double password to enter my private site :D
     
  19. sepulchre

    sepulchre Member

    167
    22
    18
    Dec 22, 2014
    Ratings:
    +28
    Local Time:
    2:45 AM
    Hey, one question.

    I did this:
    Code:
     python /usr/local/nginx/conf/htpasswd.py -c -b /usr/local/nginx/conf/htpasswd username password
    and then my conf file where the auth_basic part is:
    Code:
    location / {
    
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    
                index index.php index.html index.htm;
                try_files $uri $uri/ /index.php?$uri&$args;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      #try_files        $uri $uri/ /index.php;
    
      }

    1) Now, how do I know that my admin.php is password protected? How can I check that?

    When I open my htpasswd file, then I see:
    username:blablabla
    2) Instead of the blablabla, doesn't it need to be my password?
     
  20. eva2000

    You placed it in location root /, which password protects the entire site, not admin.php.

    For admin.php only (I also IP restrict mine):

    Code:
    location /admin.php {
        auth_basic "Private";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
    }

    Restart Nginx and PHP-FPM.

    To test, access admin.php from a browser.
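
Added example, not part of the original posts: a command-line way to answer "how can I check that admin.php is password protected", by reading the response headers of a request sent without credentials. The function name and verdict words are made up for this example, and the sample responses are constructed rather than captured from a real server.

```shell
#!/bin/sh
# Added example: judge a location's protection from an unauthenticated response head.

# Reads response headers (as printed by "curl -sI URL") on stdin, prints one verdict:
#   protected     401 plus a Basic challenge: auth_basic is in effect
#   ip-denied     403: an allow/deny rule rejected this client before any password prompt
#   unprotected   2xx: content was served without credentials
#   inconclusive  anything else (redirect, 404, 5xx): re-check the location block
auth_verdict() {
    status='' challenge=no
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            # Status line, e.g. "HTTP/1.1 401 Unauthorized": keep only the code.
            HTTP/*) status=${line#* }; status=${status%% *}; challenge=no ;;
        esac
        case "$(printf '%s' "$line" | tr 'A-Z' 'a-z')" in
            'www-authenticate: basic'*) challenge=yes ;;
        esac
    done
    case "$status:$challenge" in
        401:yes) echo protected ;;
        403:*)   echo ip-denied ;;
        2??:*)   echo unprotected ;;
        *)       echo inconclusive ;;
    esac
}

# Constructed sample responses (not captured from a real server).
sample_challenge() {
    printf 'HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\nWWW-Authenticate: Basic realm="Private"\r\n\r\n'
}
sample_denied() { printf 'HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n'; }
sample_open()   { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'; }

for s in sample_challenge sample_denied sample_open; do
    echo "$s: $($s | auth_verdict)"
done
```

Against a live site, pipe `curl -sI` for the admin.php URL into `auth_verdict`, once from an allowed IP address and once from any other address. With the location block from the post above, the allowed address should report `protected` and the other address `ip-denied`.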