
Protect nginx website with password?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by SeaTea, Jul 27, 2016.

  1. SeaTea

    SeaTea Member

    I have a test website protected with the '.htaccess' equivalent for nginx (I thought), so when I log in to my website via http:// mydomain.com I get the login screen as I expected. After entering the right user/pass I am "in". But I found that when I directly enter a .php URL, I do not get the user/pass prompt and can open it right away.
    So when I enter http:// mydomain.com/index.php I see it without login and that is not what I want.

    At the moment I have my setup like this:
    Code (Text):
    location / {
        satisfy any;
        allow 109.xx.yy.xx;
        deny  all;
        auth_basic "Restricted";
        auth_basic_user_file /home/nginx/domains/mydomain.com/private/.htpasswd;

        try_files    $uri $uri/ /index.php;
    }
    


    So basically this works for http:// mydomain.com. From my home IP address (109.xx.yy.zz) no login is asked and from other IPs I get the auth prompt. But for http:// mydomain.com/index.php no login is required and I am "in" without login.

    It seems that the 'location / ' is just the 'empty' url, but I probably need a wildcard. I tried to change the / with a wildcard, but that gave me other errors. I probably need to keep the / location and make another one with a wildcard, to have a valid auth on all files in the website's 'root' (including subdirectories). I could not find simple documentation (still find regex difficult to understand) how to do this.
    (There are more 'location' tags below this entry in my config for protection of (IPboard) directories)

    What is the right solution here?

     
  2. eva2000

    eva2000 Administrator Staff Member

    You need to password protect the location match for .php files in the /usr/local/nginx/conf/php.conf include file, within the .php extension location context:
    Code (Text):
    location ~ [^/]\.php(/|$) {
        satisfy any;
        allow 109.xx.yy.xx;
        deny  all;
        auth_basic "Restricted";
        auth_basic_user_file /home/nginx/domains/mydomain.com/private/.htpasswd;

        # ...REST OF THE DEFAULT options...
    }
    

    The include file /usr/local/nginx/conf/php.conf is used in all nginx vhost site config files, so you are password protecting all nginx sites on the server. If you only want to protect one site, make a copy of /usr/local/nginx/conf/php.conf, i.e.
    Code (Text):
    cp -a /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/php-sitename.com.conf
    

    Then in sitename.com.conf change the php.conf include to
    Code (Text):
    #include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/php-sitename.com.conf;
    

    Then edit /usr/local/nginx/conf/php-sitename.com.conf accordingly.

    It's basically what I do in 123.09beta01 for the sitestatus routine (Beta Branch - sitestatus maintenance mode | Centmin Mod Community). Example here.

    I just use an include file /usr/local/nginx/conf/503include-only.conf and place the code I need in that, so I can more easily update across multiple files which include /usr/local/nginx/conf/503include-only.conf
    Code (Text):
    location ~ [^/]\.php(/|$) {
        include /usr/local/nginx/conf/503include-only.conf;

        # ...REST OF THE DEFAULT options...
    }
    
     
  3. SeaTea

    SeaTea Member

    Thanks!
    I have moved my "auth" commands from /usr/local/nginx/conf/conf.d/domain.com.conf to a site-php config file. That basically works for php files (which is most important). It will not protect any other .txt, .html or other files, but that's not a problem for me. nginx is just different compared to apache where a simple line protects all files in a directory and all subdirectories.
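
Why /index.php skipped the prompt in the first post, as an added example (not code from the thread or from Centmin Mod): nginx selects one location per request, and a matching regex location beats the `/` prefix, so auth directives placed in `location /` never apply to it. The location lists and sample URIs are constructed, and the matcher is a simplified model of nginx's documented selection order (sibling locations only, no nested or named locations).

```python
import re

# Constructed model of the vhost in the first post: (modifier, pattern, has_auth).
# Modifiers: "" prefix, "=" exact, "^~" prefix that skips regex, "~"/"~*" regex.
BEFORE = [
    ("", "/", True),                    # location / { ... auth_basic ... }
    ("~", r"[^/]\.php(/|$)", False),    # php.conf block, no auth directives
]
AFTER = [
    ("", "/", True),
    ("~", r"[^/]\.php(/|$)", True),     # auth directives added to the php block
]

def select_location(uri, locations):
    """Pick the location that nginx's matching order would choose for uri."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=":
            if uri == pat:
                return loc              # exact match ends the search
        elif mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc              # remember the longest prefix match
    if best is not None and best[0] == "^~":
        return best                     # ^~ suppresses the regex pass
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return loc                  # first matching regex wins over any prefix
    return best

def unprotected(uris, locations):
    """Return the URIs whose selected location carries no auth directives."""
    out = []
    for uri in uris:
        loc = select_location(uri, locations)
        if loc is None or not loc[2]:
            out.append(uri)
    return out

SAMPLE_URIS = ["/", "/index.php", "/forum/admin/index.php", "/notes.txt"]

if __name__ == "__main__":
    print("before:", unprotected(SAMPLE_URIS, BEFORE))
    print("after: ", unprotected(SAMPLE_URIS, AFTER))
```

Extending the location list with the other blocks from a real vhost shows which of them would need the same auth include.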