Requiring Passwords for Webpages

access control with nginx

HTTP basic authentication will allow you to secure parts (or all) of your website with a username and password without the trouble of PHP or Javascript. This will work with any Nginx server.

Installation

We will be using the command htpasswd to make username and password pairs.

apt install apache2-utils

Now think of a username and password and remember them.

htpasswd -c /etc/nginx/myusers username

Type out your password twice to confirm. You can do this as many times as you'd like.

Check out user name password pairs (the password will be securely hashed):

cat /etc/nginx/myusers

Nginx Config and Auth Basic

From here, we are going to edit our websites config file in /etc/nginx/sites-enabled. Have in mind which folder you'd like to secure. Add something like this:

server {
    #...
    location /secret-folder  {
        auth_basic "What's the Password?" ;
        auth_basic_user_file /etc/nginx/myusers ;
    }
    #...
}

If you'd like to do the opposite, such as making the entire site private except for a public section, do this:

server {
    #...
    auth_basic "What's the Password?" ;
    auth_basic_user_file /etc/nginx/myusers ;
    location /public/ {
        #...
        auth_basic off ;
    }
    #...
}

IP Addresses

If passwords aren't enough we can ban an ip or accept one.

location /api {
    #...
    allow 192.168.1.23:8080 ;
    deny 127.0.0.1 ;
}

If you want to check both a username and password with an ip address, use the satisfy directive.

location /api {
    #...
    satisfy all ;

    allow 192.168.1.23:8080 ;
    deny 127.0.0.1 ;

    auth_basic "What's the Password?" ;
    auth_basic_user_file /etc/nginx/myusers ;
}

Complete Example

http {
    server {
        listen 80;
        root /var/www/website ;

        #...
        location /secret-folder {
            satisfy all ;

            allow 192.168.1.3/24;
            deny 127.0.0.1 ;

            auth_basic "What's the Password?" ;
            auth_basic_user_file /etc/nginx/myusers ;
        }
    }
}

Now check your configuration with nginx -t

Reload nginx and you're good to go!

Contributor - tomfasano.co