
Nginx How to properly password protect a directory or file?

Discussion in 'Centmin Mod Insights' started by RoldanLT, Jun 25, 2014.

  1. sepulchre

    sepulchre Member

    Thanks, that was the problem. Now it works.
     
  2. KeVo

    KeVo Active Member

    I've been using your vhost generator on the main centminmod site that provides directory pass protect and password/user generator, but this time when I try to log into my admin page, it asks me for my user and password like normal, but whenever I enter them (double checked for accuracy) it processes them and immediately asks for them again.

    Any ideas on what's causing that?
     
  3. eva2000

    eva2000 Administrator Staff Member

    is that for Xenforo vhost generator Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS ?
    for same site ? or different sites ? the /usr/local/nginx/conf/htpasswd_admin_php filename which you add to your vhost for auth_basic_user_file line needs to be unique for each site. Otherwise all you are doing is overwriting /usr/local/nginx/conf/htpasswd_admin_php with the new subsequent USERNAME and PASSWORD so that previous USERNAME and PASSWORD are revoked essentially
    may also need to restart nginx
     
  4. KeVo

    KeVo Active Member

    Yes, that's the one. :)

    This is for an individual site on a fresh centmin install.

    I've only run that command once.
     
  5. eva2000

    eva2000 Administrator Staff Member

    re-run it again with different user/pass and nginx restart and see
     
  6. KeVo

    KeVo Active Member

    Ah. So that was my problem. What I kept trying to do was remove the admin_php file from the conf directory and redo the command. This sorted out the issue.

    As always, your guidance is much appreciated. :)
     
  7. Jimmy

    Jimmy Premium Member Premium Member

    Great feature I never knew existed. The password.sh script is excellent. Added it to my personal Centmin Mod Setup Guide.

    Code:
    ##################################################
    #### PASSWORD SETUP FOR FILES AND DIRECTORIES
    ##################################################
    
    Information must be entered into the vhost file which points to where the passwords are located.
    Setup passwords for directories - opcache, admin directories... etc.  See SERVER - Password Protect
    
    Centmin Mod Docs
    https://community.centminmod.com/threads/how-to-properly-password-protect-a-directory-or-file.579/
    
    Nginx Docs
    http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
    
    Use the provided script to setup protection.
    /usr/local/nginx/conf/htpasswd.sh
    
    Create password file and populate with password.
    Add word or number after htpasswd for multiple password files.
    Create = creates a new file, overwrites an existing file.
    Append = appends an existing file - adds a new user:password line in file.
    # /usr/local/nginx/conf/htpasswd.sh {create|append} /usr/local/nginx/conf/htpasswd user1 pass1
    
    Add the location block to your vhost config file.
    The example below also only permits certain IP addresses from access.
    Remove two allow lines and one deny line to permit all IP access.
    
    Example Root Directory
    location ~ ^/ {
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
      include /usr/local/nginx/conf/php.conf;
      allow 127.0.0.1;
      allow YOURIPADDRESS;
      deny all;
    }
    
    Example Specific file
    location /admin.php {
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
      include /usr/local/nginx/conf/php.conf;
      allow 127.0.0.1;
      allow YOURIPADDRESS;
      deny all;
    }
    
    Restart Nginx and PHP-FPM for changes to take effect.
    # service nginx restart
    # service php-fpm restart
     
  8. Jimmy

    Jimmy Premium Member Premium Member

    I can't get this working on the local virtual.conf for the life of me. Trying to lock down the default.

    I first created the password file.
    Code:
    # /usr/local/nginx/conf/htpasswd.sh {create|append} /usr/local/nginx/conf/htpasswd_local localserver1 pass1
    The above gives me htpasswd_local = localserver1:sdlkhljkashdfjklhsadjfklhaskljdfh

    I edited the /usr/local/nginx/conf/conf.d/virtual.conf below with the information. I also put it inside the location / and above the location / as a test.

    Restarted nginx and php every time I made a change.

    No matter what I do, what browser I use, it doesn't accept the password. I remove the password block, site works fine.

    Code:
    server {
    #         listen   80;
                listen   80 default_server backlog=2048 reuseport;
                server_name server1.mydomain.com;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     main_ext buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log    error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
        location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    
    
    
    
    #               Enables directory listings when index file not found
    #               autoindex  on;
    
    #               Shows file listing times as local time
    #               autoindex_localtime on;
    
    #               Enable for vBulletin usage WITHOUT vbSEO installed
    #               try_files               $uri $uri/ /index.php;
    
    
    }
    
    location ~ ^/ {
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd_local;
      include /usr/local/nginx/conf/php.conf;
    }
    
            # example nginx-http-concat
            # /csstest/??one.css,two.css
            #location /csstest {
            #concat on;
            #concat_max_files 20;
            #}
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/include_opcache.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_mainserver.conf;
    
           }
    
     
  9. eva2000

    eva2000 Administrator Staff Member

    that won't work as you have essentially 2 location matches for /

    you should add the auth_basic stuff within existing location match for /
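
The location clash described in the post above, as an added example that is not part of the original post or of Centmin Mod: a small model of nginx's documented location selection order, run over the location lines visible in the posted vhost. Assumptions: only server-level locations shown on the page are modelled (the included php.conf, staticfiles.conf and similar files are not), and Python's `re` stands in for PCRE.

```python
import re

# Location lines from the vhost posted above, reduced to
# (modifier, pattern, control the block enforces). Constructed summary.
POSTED = [
    ("", "/nginx_status", "allow/deny"),
    ("", "/", "none"),
    ("~", "^/", "auth_basic"),
]
# Same vhost with auth_basic moved inside the existing "location /".
MERGED = [
    ("", "/nginx_status", "allow/deny"),
    ("", "/", "auth_basic"),
]

def select_location(uri, locations):
    """Pick the location nginx uses for uri (server-level blocks only)."""
    for loc in locations:                  # 1. exact "=" match wins outright
        if loc[0] == "=" and loc[1] == uri:
            return loc
    prefixes = [l for l in locations
                if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":           # 2. "^~" skips the regex pass
        return best
    for loc in locations:                  # 3. first matching regex, file order
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    return best                            # 4. otherwise the longest prefix

def enforced(uri, locations):
    """Return (pattern, control) of the block that handles uri."""
    loc = select_location(uri, locations)
    return (loc[1], loc[2]) if loc else (None, "none")

if __name__ == "__main__":
    for uri in ("/", "/index.html", "/nginx_status"):
        print(uri, enforced(uri, POSTED), enforced(uri, MERGED))
```

In the posted layout every URI, including /nginx_status, is handled by the regex block, so the directives in `location /` and the allow/deny rules on the status page never apply.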
     
  10. Jimmy

    Jimmy Premium Member Premium Member

    I did, I was trying it everywhere.

    I just had the two lines in the location / ... above, below, with php.conf, without... its own location... I figured this would be simple, instead I've been trying for about an hour. :banghead:
     
    Last edited: Feb 2, 2017
  11. Jimmy

    Jimmy Premium Member Premium Member

    I even tried it with shorter passwords, usernames, different htpasswd files and the basic htpasswd file. Chmod the file to 777... I can't believe this is so hard.

    Double, triple checked the password file so I wasn't making a copy paste error. Every time not accepting the password.

    Different browsers, incog mode, privacy mode...
     
  12. Jimmy

    Jimmy Premium Member Premium Member

    The memcached and opcache - working fine.
     
  13. eva2000

    eva2000 Administrator Staff Member

    obvious question, did you restart nginx and php services after making changes ?
    Code (Text):
    nprestart
     
  14. Jimmy

    Jimmy Premium Member Premium Member

    Every time.
     
  15. Jimmy

    Jimmy Premium Member Premium Member

    This is what I have right now, less the default includes at the bottom. Also tried it wo/ the php.conf - just the two lines.

    Code:
    server {
    #         listen   80;
                listen   80 default_server backlog=2048 reuseport;
                server_name server1.zeronug.com;
                root   html;
    
            access_log              /var/log/nginx/localhost.access.log     main_ext buffer=256k flush=5m;
            error_log               /var/log/nginx/localhost.error.log    error;
    
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
        location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            #allow youripaddress;
            deny all;
            }
    
                location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    
    
    #               Enables directory listings when index file not found
    #               autoindex  on;
    
    #               Shows file listing times as local time
    #               autoindex_localtime on;
    
    #               Enable for vBulletin usage WITHOUT vbSEO installed
    #               try_files               $uri $uri/ /index.php;
    
    
    auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd;
      include /usr/local/nginx/conf/php.conf;
    
    }
    
    
    
            # example nginx-http-concat
            # /csstest/??one.css,two.css
            #location /csstest {
            #concat on;
            #concat_max_files 20;
            #}
    
    
     
    Last edited: Feb 2, 2017
  16. eva2000

    eva2000 Administrator Staff Member

    pay attention: auth_basic_user_file has to match the one you created via htpasswd.sh

    so if you used /usr/local/nginx/conf/htpasswd_local
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /usr/local/nginx/conf/htpasswd_local localserver1 pass1
    

    Code (Text):
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd_local;
      include /usr/local/nginx/conf/php.conf;


    Code (Text):
                location / {
    
      auth_basic "Private";
      auth_basic_user_file /usr/local/nginx/conf/htpasswd_local;
      include /usr/local/nginx/conf/php.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #               Enables directory listings when index file not found
    #               autoindex  on;
    
    #               Shows file listing times as local time
    #               autoindex_localtime on;
    
    #               Enable for vBulletin usage WITHOUT vbSEO installed
    #               try_files               $uri $uri/ /index.php;
    
                }
    


    confirmed working: curl the localhost, which is basically serving the main host in virtual.conf
    Code (Text):
    curl -I localhost
    HTTP/1.1 401 Unauthorized
    Date: Thu, 02 Feb 2017 00:25:28 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 188
    Connection: keep-alive
    WWW-Authenticate: Basic realm="Private"
    Server: nginx centminmod
    X-Powered-By: centminmod
    
     
  17. Jimmy

    Jimmy Premium Member Premium Member

    Everything matches and I get the same curl output as you. So, I know it's seeing the file.

    Here's some weirdness.

    I take the username and password from the opcache password file and use it in the htpasswd_local file and have no issues. Switch it back to the one I generated with the htpasswd.sh file and it doesn't work.

    Cleared out the browser completely and tested it a couple of times. I made sure to delete any passwords stored, etc.

    Also tried to remove any special characters, etc. from the password, no luck.
     
    Last edited: Feb 2, 2017
  18. eva2000

    eva2000 Administrator Staff Member

    unable to reproduce that, access my main hostname, i get prompted for password and username !

    FYI i used exact same user/pass you posted too
    Code (Text):
    /usr/local/nginx/conf/htpasswd.sh create /usr/local/nginx/conf/htpasswd_local localserver1 pass1
    
    /usr/local/nginx/conf/htpasswd_local contents:
    localserver1:$apr1$bW1//X7m$fZXyz8BzbTEk9zDz/8pp8.
    
     
  19. Jimmy

    Jimmy Premium Member Premium Member

    Did the user / password combo work?

    I don't have a problem with it asking for the password, it's that the u/p combo doesn't work.
     
  20. eva2000

    eva2000 Administrator Staff Member

    yup worked fine here :)

    user = localserver1
    pass = pass1

    entered those and works fine.. the encrypted form of password is just for nginx to read, you don't enter the encrypted password form in pop up prompt on site ;)
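
To check offline whether a username and plaintext password match an htpasswd line, as discussed in the last few posts, here is an added example that is not part of the thread or of htpasswd.sh: a standard-library implementation of the `$apr1$` (Apache MD5-crypt) scheme used by the entry quoted above. The function names are hypothetical; the sample entry and credentials are the ones posted in the thread.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Entry quoted in the thread (user localserver1, password pass1).
ENTRY = "localserver1:$apr1$bW1//X7m$fZXyz8BzbTEk9zDz/8pp8."

def apr1_hash(password, salt):
    """Compute the $apr1$ hash string for password with the given salt."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for left in range(len(pw), 0, -16):     # alt digest, one byte per pw byte
        ctx.update(alt[:min(16, left)])
    n = len(pw)
    while n:                                # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000 stretching rounds
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(4):                  # 24 bits -> 4 chars, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return "$apr1$%s$%s" % (s.decode(), out)

def check_entry(entry, user, password):
    """True if user/password match one 'user:$apr1$salt$hash' line."""
    name, _, stored = entry.strip().partition(":")
    parts = stored.split("$")
    if name != user or len(parts) != 4 or parts[1] != "apr1":
        return False
    calc = apr1_hash(password, parts[2])
    return hmac.compare_digest(calc.encode(), stored.encode())
```

`check_entry(ENTRY, "localserver1", "pass1")` succeeds, while passing the stored `$apr1$...` string itself as the password fails, which is the mistake the final post warns about.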