
Nginx How to properly password protect a directory or file?

Discussion in 'Centmin Mod Insights' started by rdan, Jun 25, 2014.

  1. Jimmy

    Jimmy Well-Known Member

    1,788
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +990
    Local Time:
    5:49 AM
    Ok. Not sure what is going on on my end. I think it's best to step away from my computer, eat, and come back and try this later.


    I appreciate you taking the time to check it out. I know you're busy. :)
     
  2. Jimmy

    That's the problem. I was entering the encrypted form. I didn't realize those were encrypted. :mask:
     
  3. eva2000

    eva2000 Administrator Staff Member

    55,197
    12,251
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,829
    Local Time:
    7:49 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    haha encrypted form is just for nginx to read :)
     
  4. Jimmy

    What a pisser it is to have the password for / and the memcached / opcache pages with passwords. For some reason I can't get into those info pages when I have a password set in the virtual.conf on /.

    When I omit this:
    Code:
        location ~ ^/ {
            auth_basic "Private";
            auth_basic_user_file /usr/local/nginx/conf/htpasswd_virtual;
            include /usr/local/nginx/conf/php.conf;
        }
    I have no problem getting into the memcached / opcache pages when I don't set a password for /. I also have no problem getting into the main directory when I have a password set. I know all the passwords work. But when the passwords are stacked (/ password) + (memcached password) I can't get in.
     
  5. eva2000

    what's the vhost look like when you try ? both memcached and opcache stats pages are already default password protected anyway - i made sure to do it that way in case folks forget to password protect it themselves.
     
  6. Jimmy

    Below is the vhost for my virtual.conf. The password works on the server.mydomain.com; it's when I hit one of those pages under that I'm having the issue: server.mydomain.com/memcached_83838383.php - here I can never get past the double password request.

    Code:
    server {
        listen 80 default_server backlog=2048 reuseport fastopen=256;
        server_name server1.zeronug.com;
        root   html;
    
        access_log              /var/log/nginx/localhost.access.log     main_ext buffer=256k flush=5m;
        error_log               /var/log/nginx/localhost.error.log      error;
    
        location /nginx_status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            deny all;
        }
    
        location ~ ^/ {
            auth_basic "Private";
            auth_basic_user_file /usr/local/nginx/conf/htpasswd_virtual;
            include /usr/local/nginx/conf/php.conf;
        }
    
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/include_opcache.conf;
        include /usr/local/nginx/conf/php.conf;
        #include /usr/local/nginx/conf/phpstatus.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        #include /usr/local/nginx/conf/vts_mainserver.conf;
    }
     
  7. eva2000

    Oh it's double password because memcached and opcache php files have natively embedded password protection I added myself ;) Which means even if you do not have any web server level password protection, if you tried to access those specific php pages, you will get a password prompt - you can edit those files to change the randomly generated password I added.
     
  8. Jimmy

    Yea, I realize that the memcached and opcache have their own passwords which are set in the files. Those work fine if I don't have password protection in my vhost. If I add password protection to the base site (see my vhost example), I have to go through two password requests to get to those pages:
    • host.mydomain.com html site password (I set).
    • memcached or opcache password

    The issue is that I can't get through both password prompts on those pages even though I know both u and p are working. It's not really a big deal, I can remove the password from the base site. But I wanted to secure the .html file.
     
  9. eva2000

  10. Jimmy

    It should've been site and not file. Wasn't looking to only protect that file... but that might be an option.
     
  11. Jimmy

    @eva2000

    Just tried to create a new password file and got an error:
    Code:
    # /usr/local/nginx/conf/htpasswd.sh create /user/local/nginx/conf/htpasswd_bct_main cu4w991q 'gx/.[N3:TS_3{m6.'
    # touch: cannot touch ‘/user/local/nginx/conf/htpasswd_bct_main’: No such file or directory
    
     
  12. eva2000

    it's the password characters interfering .. try without some of the punctuation which shell/bash would parse on SSH command line.

    use Strong Password Generator to generate a password avoiding programming punctuation

     
  13. Jimmy

    Code:
    # /usr/local/nginx/conf/htpasswd.sh create /user/local/nginx/conf/htpasswd_bct_main cu4w991q 'RmfLBHuR656nvoZ97F2s84ZDYaYbYAiyysTngK8EmXF4Dto4'
    touch: cannot touch ‘/user/local/nginx/conf/htpasswd_bct_main’: No such file or directory
    
     
  14. Jimmy

    Removed ' ' and still error

    Code:
    # /usr/local/nginx/conf/htpasswd.sh create /user/local/nginx/conf/htpasswd_bct_main cu4w991q RmfLBHuR656nvoZ97F2s84ZDYaYbYAiyysTngK8EmXF4Dto4
    touch: cannot touch ‘/user/local/nginx/conf/htpasswd_bct_main’: No such file or directory
    
     
  15. eva2000

    what's output for running script in debug mode
    Code (Text):
    bash -x /usr/local/nginx/conf/htpasswd.sh create /user/local/nginx/conf/htpasswd_bct_main cu4w991q RmfLBHuR656nvoZ97F2s84ZDYaYbYAiyysTngK8EmXF4Dto4
    
     
  16. Jimmy

    Code:
    # bash -x /usr/local/nginx/conf/htpasswd.sh create /user/local/nginx/conf/htpasswd_bct_main cu4w991q RmfLBHuR656nvoZ97F2s84ZDYaYbYAiyysTngK8EmXF4Dto4
    ++ date +%d%m%y-%H%M%S
    + DT=041017-204652
    + file=/user/local/nginx/conf/htpasswd_bct_main
    + user=cu4w991q
    + pass=RmfLBHuR656nvoZ97F2s84ZDYaYbYAiyysTngK8EmXF4Dto4
    + case "$1" in
    + touch /user/local/nginx/conf/htpasswd_bct_main
    touch: cannot touch ‘/user/local/nginx/conf/htpasswd_bct_main’: No such file or directory
    + genpassc
    + [[ -f /user/local/nginx/conf/htpasswd_bct_main ]]
    
     
  17. eva2000

    ah found ya problem 'user' vs 'usr' in /user/local/nginx/conf/htpasswd_bct_main ;)
     
  18. Jimmy

    Was that changed? Looking over this thread, usr was used. In my docs, usr was also used. I've created passwords before using my doc.
     
  19. Jimmy

    Still get an error.

    Code:
    # /user/local/nginx/conf/htpasswd.sh create /user/local/nginx/conf/htpasswd_bct_main cu4w991q RmfLBHuR656nvoZ97F2s84ZDYaYbYAiyysTngK8EmXF4Dto4
    -bash: /user/local/nginx/conf/htpasswd.sh: No such file or directory
    
     
  20. eva2000

    you're still using incorrect /user instead of /usr
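
The two stumbling blocks in this thread (a mistyped target directory, and typing the stored hash instead of the plaintext at the prompt), as an added example that is not part of the original posts and is not Centmin Mod's htpasswd.sh. The function names are hypothetical, and the sketch assumes `openssl` is installed and uses the apr1 hash format; the password is read from stdin so it never appears in argv or shell history.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helpers, not Centmin Mod's htpasswd.sh.
# Usage: printf '%s\n' "$pw" | htpasswd_add /path/to/htpasswd_file username

# htpasswd_add FILE USER   (plaintext password is read from stdin, not argv)
# Returns 0 ok, 2 parent directory missing, 3 bad username or empty password,
# 5 hashing or write failed.
htpasswd_add() {
    local file=$1 user=$2 pass hash dir
    dir=$(dirname -- "$file")
    # Catch path typos such as /user/local vs /usr/local before any write is tried.
    if [ ! -d "$dir" ]; then
        echo "error: directory '$dir' does not exist (typo in path?)" >&2
        return 2
    fi
    # ':' is the field separator in htpasswd files, so it cannot be in a username.
    case $user in ''|*:*) echo "error: invalid username" >&2; return 3 ;; esac
    IFS= read -r pass || true
    [ -n "$pass" ] || { echo "error: empty password" >&2; return 3; }
    # apr1 (Apache MD5) is one of the formats nginx auth_basic_user_file accepts.
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 5
    [ -n "$hash" ] || return 5
    # umask only affects a newly created file; an existing file keeps its mode.
    ( umask 027; printf '%s:%s\n' "$user" "$hash" >> "$file" ) || return 5
}

# htpasswd_check FILE USER  (plaintext on stdin); returns 0 if it matches.
# The browser prompt expects the plaintext; the file only holds its hash.
htpasswd_check() {
    local file=$1 user=$2 pass stored salt
    IFS= read -r pass || true
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file") || return 1
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # layout: $apr1$<salt>$<digest>
    # Re-hash the candidate with the stored salt and compare to the stored entry.
    [ "$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}
```

`htpasswd_check` returns non-zero when it is fed the hash string copied out of the file, which is the mix-up described near the top of the thread.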