Join the community today
Become a Member

Protect nginx website with password ?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by SeaTea, Jul 27, 2016.

Tags:
  1. SeaTea

    SeaTea Premium Member Premium Member

    49
    13
    8
    Feb 20, 2015
    the Netherlands
    Ratings:
    +28
    Local Time:
    3:34 PM
    Nginx:1.11
    MariaDB-10
    I have a test-website protected with the '.htaccess' equivalent for nginx (i thought), so when I login to my website via http:// mydomain.com I get the login screen as I expected. After entering the right user/pass I am "in". But I found that when I directly enter a .php URL, I do not get the user/pass and can open it right away.
    So when I enter http:// mydomain.com/index.php I see it without login and that is not what I want.

    On the moment I have my setup like this:
    Code (Text):
        location / {
    
        satisfy any;
        allow 109.xx.yy.xx;
        deny  all;
        auth_basic "Restricted";
        auth_basic_user_file /home/nginx/domains/mydomain.com/private/.htpasswd;
       
        try_files    $uri $uri/ /index.php;
    
        }
    


    So basically this works for http:// mydomain.com. From my home-ip-adress (109.xx.yy.zz) no login is asked and from other ip's I get the auth prompt. But for http:// mydomain.com/index.php no login is required and I am "in" without login.

    It seems that the 'location / ' is just the 'empty' url, but I probably need a wildcard. I tried to change the / with a wildcard, but that gave me other errors. I probably need to keep the / location and make another one with a wildcard, to have a valid auth on all files in the website's 'root' (including subdirectories). I could not find simple documentation (still find regex difficult to understand) how to do this.
    (There are more 'location' tags below this entry in my config for protection of (IPboard) directories)

    What is the right solution here ?
     
  2. eva2000

    eva2000 Administrator Staff Member

    29,008
    6,580
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,770
    Local Time:
    11:34 PM
    Nginx 1.13.x
    MariaDB 5.5
    you need to password protect the location match for .php files in /usr/local/nginx/conf/php.conf include files within the location .php extension context
    Code (Text):
    location ~ [^/]\.php(/|$) {
        satisfy any;
        allow 109.xx.yy.xx;
        deny  all;
        auth_basic "Restricted";
        auth_basic_user_file /home/nginx/domains/mydomain.com/private/.htpasswd;
    
    ...REST OF THE DEFAULT options...
    }
    

    The include file /usr/local/nginx/conf/php.conf is used in all nginx vhost site config files so you are password protecting all nginx sites on server. If you only want to protect one site, make a copy of /usr/local/nginx/conf/php.conf i.e.
    Code (Text):
    cp -a /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/php-sitename.com.conf
    

    Then in sitename.com.conf change the php.conf include to
    Code (Text):
    #include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/php-sitename.com.conf;
    

    Then edit /usr/local/nginx/conf/php-sitename.com.conf accordingly.

    It's basically what i do in 123.09beta01 for the sitestatus routine Beta Branch - sitestatus maintenance mode | Centmin Mod Community Example here

    Just I use an include file /usr/local/nginx/conf/503include-only.conf and place the code i need it that, so I can more easily update across multiple files which include /usr/local/nginx/conf/503include-only.conf
    Code (Text):
    location ~ [^/]\.php(/|$) {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
    ...REST OF THE DEFAULT options...
    }
    
     
    • Like Like x 1
  3. SeaTea

    SeaTea Premium Member Premium Member

    49
    13
    8
    Feb 20, 2015
    the Netherlands
    Ratings:
    +28
    Local Time:
    3:34 PM
    Nginx:1.11
    MariaDB-10
    Thanks !
    I have moved my "auth" commands from /usr/local/nginx/conf/conf.d/domain.com.conf to a site-php config file. That basically works for php files (which is most important). It will not protect any other .txt, .html or other files, but that's not a problem for me. nginx is just different compared to apache where a simple line protects all files in a directory and all subdirectories.
     
    • Like Like x 1