
Nginx How to properly password protect a directory or file?

Discussion in 'Centmin Mod Insights' started by rdan, Jun 25, 2014.

  1. sepulchre

    sepulchre Member

    Thanks, that was the problem. Now it works.

     
  2. KeVo

    KeVo Active Member

    I've been using your vhost generator on the main centminmod site that provides directory pass protect and password/user generator, but this time when I try to log into my admin page, it asks me for my user and password like normal, but whenever I enter them (double checked for accuracy) it processes them and immediately asks for them again.

    Any ideas on what's causing that?
     
  3. eva2000

    eva2000 Administrator Staff Member

    Is that for the Xenforo vhost generator (Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS)?
    For the same site, or different sites? The /usr/local/nginx/conf/htpasswd_admin_php filename which you add to your vhost for the auth_basic_user_file line needs to be unique for each site. Otherwise all you are doing is overwriting /usr/local/nginx/conf/htpasswd_admin_php with the new subsequent USERNAME and PASSWORD, so that the previous USERNAME and PASSWORD are essentially revoked.
    You may also need to restart nginx.
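
The overwrite risk described in post 3, as an added example that is not part of the thread or of Centmin Mod: a shell function that lists every auth_basic_user_file path referenced by more than one vhost file. The site file names and the temporary directory are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not part of the thread. Lists every auth_basic_user_file path
# that more than one vhost file points at. Rerunning "htpasswd.sh create" on
# such a path for one site replaces the credentials the other sites rely on.

# shared_htpasswd DIR -> one line per shared path: "<path>: <vhost> <vhost> ..."
shared_htpasswd() {
  awk '
    $1 == "auth_basic_user_file" {          # commented-out lines do not match
      path = $2
      sub(/;.*$/, "", path)                 # drop the trailing ";"
      key = path SUBSEP FILENAME
      if (!(key in seen)) {                 # count each vhost file once per path
        seen[key] = 1
        count[path]++
        users[path] = users[path] " " FILENAME
      }
    }
    END {
      for (p in count)
        if (count[p] > 1) print p ":" users[p]
    }
  ' "$1"/*.conf | sort
}

# Constructed sample vhosts (hypothetical site names); on a Centmin Mod server
# the directory to audit would be /usr/local/nginx/conf/conf.d.
demo_dir=$(mktemp -d)
for site in site-a site-b; do
  printf 'location /admin.php {\n  auth_basic "Private";\n  auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;\n}\n' \
    > "$demo_dir/$site.conf"
done
printf 'location / {\n  auth_basic "Private";\n  auth_basic_user_file /usr/local/nginx/conf/htpasswd_site_c;\n}\n' \
  > "$demo_dir/site-c.conf"

shared_htpasswd "$demo_dir"
```

An empty result means every vhost file has its own password file.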
     
  4. KeVo

    KeVo Active Member

    Yes, that's the one. :)

    This is for an individual site on a fresh centmin install.

    I've only run that command once.
     
  5. eva2000

    eva2000 Administrator Staff Member

    re-run it again with different user/pass and nginx restart and see
     
  6. KeVo

    KeVo Active Member

    Ah. So that was my problem. What I kept trying to do was remove the admin_php file from the conf directory and redo the command. This sorted out the issue.

    As always, your guidance is much appreciated. :)
     
  7. Jimmy

    Jimmy Well-Known Member

    Great feature I never knew existed. The password.sh script is excellent. Added it to my personal Centmin Mod Setup Guide.

    Code:
    ##################################################
    #### PASSWORD SETUP FOR FILES AND DIRECTORIES
    ##################################################
    
    Information must be entered into the vhost file which points to where the passwords are located.
    Setup passwords for directories - opcache, admin directories... etc.  See SERVER - Password Protect
    
    Centmin Mod Docs
    https://community.centminmod.com/threads/how-to-properly-password-protect-a-directory-or-file.579/
    
    Nginx Docs
    http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
    
    Use the provided script to setup protection.
    /usr/local/nginx/conf/htpasswd.sh
    
    Create password file and populate with password.
    Add word or number after htpasswd for multiple password files.
    Create = creates a new file, overwrites an existing file.
    Append = appends an existing file - adds a new user:password line in file.
    # /usr/local/nginx/conf/htpasswd.sh {create|append} /usr/local/nginx/conf/htpasswd user1 pass1
    
    Add the location block to your vhost config file.
    The example below also only permits certain IP addresses from access.
    Remove two allow lines and one deny line to permit all IP access.
    
    Example Root Directory
    location ~ ^/ {
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
      include /usr/local/nginx/conf/php.conf;
      allow 127.0.0.1;
      allow YOURIPADDRESS;
      deny all;
    }
    
    Example Specific file
    location /admin.php {
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
      include /usr/local/nginx/conf/php.conf;
      allow 127.0.0.1;
      allow YOURIPADDRESS;
      deny all;
    }
    
    Restart Nginx and PHP-FPM for changes to take effect.
    # service nginx restart
    # service php-fpm restart
     
  8. Jimmy

    Jimmy Well-Known Member

    I can't get this working on the local virtual.conf for the life of me. Trying to lock down the default.

    I first created the password file.
    Code:
    # /usr/local/nginx/conf/htpasswd.sh {create|append} /usr/local/nginx/conf/htpasswd_local localserver1 pass1
    The above gives me htpasswd_local = localserver1:sdlkhljkashdfjklhsadjfklhaskljdfh

    I edited the /usr/local/nginx/conf/conf.d/virtual.conf below with the information. I also put it inside the location / and above the location / as a test.

    Restarted nginx and php every time I made a change.

    No matter what I do, what browser I use, it doesn't accept the password. I remove the password block, site works fine.

    Code:
    server {
    #         listen   80;
                listen   80 default_server backlog=2048 reuseport;
                server_name server1.mydomain.com;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     main_ext buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log    error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
        location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    
    
    
    
    #               Enables directory listings when index file not found
    #               autoindex  on;
    
    #               Shows file listing times as local time
    #               autoindex_localtime on;
    
    #               Enable for vBulletin usage WITHOUT vbSEO installed
    #               try_files               $uri $uri/ /index.php;
    
    
    }
    
    location ~ ^/ {
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd_local;
      include /usr/local/nginx/conf/php.conf;
    }
    
            # example nginx-http-concat
            # /csstest/??one.css,two.css
            #location /csstest {
            #concat on;
            #concat_max_files 20;
            #}
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }
    
     
  9. eva2000

    eva2000 Administrator Staff Member

    that won't work as you have essentially 2 location matches for /

    you should add the auth_basic stuff within existing location match for /
     
  10. Jimmy

    Jimmy Well-Known Member

    I did, I was trying it everywhere.

    I just had the two lines in the location / ... above, below, with php.conf, without... its own location... I figured this would be simple, instead I've been trying for about an hour. :banghead:
     
    Last edited: Feb 2, 2017
  11. Jimmy

    Jimmy Well-Known Member

    I even tried it with shorter passwords, usernames, different htpasswd files and the basic htpasswd file. Chmod the file to 777... I can't believe this is so hard.

    Double, triple checked the password file so I wasn't making a copy paste error. Every time not accepting the password.

    Different browsers, incog mode, privacy mode...
     
  12. Jimmy

    Jimmy Well-Known Member

    The memcached and opcache - working fine.
     
  13. eva2000

    eva2000 Administrator Staff Member

    obvious question, did you restart nginx and php services after making changes ?
    Code (Text):
    nprestart
     
  14. Jimmy

    Jimmy Well-Known Member

    Every time.
     
  15. Jimmy

    Jimmy Well-Known Member

    This is what I have right now, less the default includes at the bottom. Also tried it wo/ the php.conf - just the two lines.

    Code:
    server {
    #         listen   80;
                listen   80 default_server backlog=2048 reuseport;
                server_name server1.zeronug.com;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     main_ext buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log    error;
    
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
        location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    
    
    #               Enables directory listings when index file not found
    #               autoindex  on;
    
    #               Shows file listing times as local time
    #               autoindex_localtime on;
    
    #               Enable for vBulletin usage WITHOUT vbSEO installed
    #               try_files               $uri $uri/ /index.php;
    
    
    auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
      include /usr/local/nginx/conf/php.conf;
    
    }
    
    
    
            # example nginx-http-concat
            # /csstest/??one.css,two.css
            #location /csstest {
            #concat on;
            #concat_max_files 20;
            #}
    
    
     
    Last edited: Feb 2, 2017
  16. eva2000

    eva2000 Administrator Staff Member

    pay attention to auth_basic_user_file has to match the one you created via htpasswd.sh

    so if you used /usr/local/nginx/conf/htpasswd_local
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /usr/local/nginx/conf/htpasswd_local localserver1 pass1
    

    Code (Text):
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd_local;
      include /usr/local/nginx/conf/php.conf;


    Code (Text):
                location / {
    
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd_local;
      include /usr/local/nginx/conf/php.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #               Enables directory listings when index file not found
    #               autoindex  on;
    
    #               Shows file listing times as local time
    #               autoindex_localtime on;
    
    #               Enable for vBulletin usage WITHOUT vbSEO installed
    #               try_files               $uri $uri/ /index.php;
    
                }
    


    confirmed working curl the localhost which is basically serving main host in virtual.conf
    Code (Text):
    curl -I localhost
    HTTP/1.1 401 Unauthorized
    Date: Thu, 02 Feb 2017 00:25:28 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 188
    Connection: keep-alive
    WWW-Authenticate: Basic realm="Private"
    Server: nginx centminmod
    X-Powered-By: centminmod
    
     
  17. Jimmy

    Jimmy Well-Known Member

    Everything matches and I get the same curl output as you. So, I know it's seeing the file.

    Here's some weirdness.

    I take the username and password from the opcache password file and use it in the htpasswd_local file and have no issues. Switch it back to the one I generated with the htpasswd.sh file and it doesn't work.

    Cleared out the browser completely and tested it a couple of times. I made sure to delete any passwords stored, etc.

    Also tried to remove any special characters, etc. from the password, no luck.
     
    Last edited: Feb 2, 2017
  18. eva2000

    eva2000 Administrator Staff Member

    unable to reproduce that, access my main hostname, i get prompted for password and username !

    FYI i used exact same user/pass you posted too
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /usr/local/nginx/conf/htpasswd_local localserver1 pass1
    
    /usr/local/nginx/conf/htpasswd_local contents:
    localserver1:$apr1$bW1//X7m$fZXyz8BzbTEk9zDz/8pp8.
    
     
  19. Jimmy

    Jimmy Well-Known Member

    Did the user / password combo work?

    I don't have a problem with it asking for the password, it's that the u/p combo doesn't work.
     
  20. eva2000

    eva2000 Administrator Staff Member

    yup worked fine here :)

    user = localserver1
    pass = pass1

    entered those and works fine.. the encrypted form of password is just for nginx to read, you don't enter the encrypted password form in pop up prompt on site ;)
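
The distinction drawn in the last post (the plaintext is what you type, the stored hash is what nginx compares against), as an added example that is not from the thread and is not Centmin Mod's htpasswd.sh: a shell check of a plaintext password against an apr1 entry, plus a test for the world-writable mode (777) tried in post 11. It assumes the openssl command-line tool is installed; the user name, salt and temporary file are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the thread. Tests a plaintext password against an
# apr1 (Apache MD5-crypt) entry of the kind shown in post 18.

# htpasswd_check FILE USER   (password on stdin, so it never appears in argv)
# Returns 0 = match, 1 = mismatch, 2 = user missing or entry is not apr1.
htpasswd_check() {
  local file=$1 user=$2 password stored salt computed
  IFS= read -r password || true
  # Everything after "USER:" on the first matching line is the stored hash.
  stored=$(awk -F: -v u="$user" \
    '$1 == u { print substr($0, length(u) + 2); exit }' "$file")
  case $stored in
    '$apr1$'*) ;;
    *) return 2 ;;
  esac
  # Entry layout is $apr1$<salt>$<digest>: reuse the stored salt, recompute,
  # and compare the whole string.
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  computed=$(printf '%s\n' "$password" |
    openssl passwd -apr1 -salt "$salt" -stdin)
  [ "$computed" = "$stored" ]
}

# htpasswd_perms_ok FILE -> fails when "other" can write the file (e.g. 777).
htpasswd_perms_ok() {
  [ -z "$(find "$1" -perm -002)" ]
}

# Constructed sample: user "demo", password "pass1", fixed salt.
sample=$(mktemp)
printf 'demo:%s\n' \
  "$(printf 'pass1\n' | openssl passwd -apr1 -salt Zk3xQ9aB -stdin)" > "$sample"

printf 'pass1\n' | htpasswd_check "$sample" demo && echo "plaintext: accepted"
cut -d: -f2- "$sample" | htpasswd_check "$sample" demo ||
  echo "stored hash typed as the password: rejected"
```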