forked from ben/diyhosting
119 lines
4.1 KiB
HTML
119 lines
4.1 KiB
HTML
<!DOCTYPE html>
|
|
<html lang=en>
|
|
<head>
|
|
<title>Requiring Passwords for Webpages (HTTP Authentication) – diyhosting.bhh.sh</title>
|
|
<<!--# include file=".nav.html" -->
|
|
</head>
|
|
<body>
|
|
<header><h1>Requiring Passwords for Webpages</h1></header>
|
|
<nav></nav>
|
|
<main>
|
|
<img class=titleimg src="pix/auth.svg" alt="access control with nginx"/>
|
|
<p>HTTP basic authentication will allow you to secure parts (or all) of your website with a username and password without the trouble of PHP or Javascript.
|
|
This will work with any Nginx server.
|
|
</p>
|
|
|
|
<h2>Installation</h2>
|
|
<p>We will be using the command <code>htpasswd</code> to make username and password pairs.</p>
|
|
<pre><code>apt install apache2-utils</code></pre>
|
|
<aside>
|
|
<p>The apache utils include a small username-password pair encryption tool.</p>
|
|
<p>Like the other tutorials on this site, this tutorial is for Nginx, <strong>not</strong> for Apache servers.</p>
|
|
</aside>
|
|
|
|
<p>
|
|
Now think of a username and password and remember them.
|
|
</p>
|
|
|
|
<pre><code>htpasswd -c /etc/nginx/<strong>myusers</strong> <strong>username</strong></code></pre>
|
|
<aside>
|
|
<p>The <code>-c</code> flag creates a file. You can make the path of this file anywhere outside of your webroot.</p>
|
|
<p>Obviously the username is up to you as well.</p>
|
|
</aside>
|
|
<p>
|
|
Type out your password twice to confirm. You can do this as many times as you'd like.
|
|
</p>
|
|
<p>Check out user name password pairs (the password will be securely hashed):</p>
|
|
<pre><code>cat /etc/nginx/<strong>myusers</strong></code></pre>
|
|
|
|
<h2>Nginx Config and Auth Basic</h2>
|
|
<p>
|
|
From here, we are going to edit our websites config file in <code>/etc/nginx/sites-enabled</code>.
|
|
Have in mind which folder you'd like to secure. Add something like this:
|
|
</p>
|
|
|
|
<pre><code>server {
|
|
#...
|
|
location /<strong>secret-folder </strong> {
|
|
auth_basic "What's the Password?" ;
|
|
auth_basic_user_file /etc/nginx/<strong>myusers</strong> ;
|
|
}
|
|
#...
|
|
}</code></pre>
|
|
<aside>
|
|
<h4>Huh?</h4>
|
|
<p>If you're stuck, try finding the line <code>location / {</code></p>
|
|
<p>Just below this block is where you should add the custom location block</p>
|
|
</aside>
|
|
|
|
<p>If you'd like to do the opposite, such as making the entire site private except for a public section, do this:</p>
|
|
<pre><code>server {
|
|
#...
|
|
auth_basic "What's the Password?" ;
|
|
auth_basic_user_file /etc/nginx/<strong>myusers</strong> ;
|
|
location /<strong>public</strong>/ {
|
|
#...
|
|
auth_basic off ;
|
|
}
|
|
#...
|
|
}</code></pre>
|
|
<h3>IP Addresses</h3>
|
|
<p>If passwords aren't enough we can ban an ip or accept one.</p>
|
|
<pre><code>location /api {
|
|
#...
|
|
allow 192.168.1.23:8080 ;
|
|
deny 127.0.0.1 ;
|
|
}</code></pre>
|
|
<p>If you want to check both a username and password with an ip address, use the <code>satisfy</code> directive.</p>
|
|
<pre><code>location /api {
|
|
#...
|
|
satisfy all ;
|
|
|
|
allow 192.168.1.23:8080 ;
|
|
deny 127.0.0.1 ;
|
|
|
|
auth_basic "What's the Password?" ;
|
|
auth_basic_user_file /etc/nginx/<strong>myusers</strong> ;
|
|
}</code></pre>
|
|
<h3>Complete Example</h3>
|
|
<pre><code>http {
|
|
server {
|
|
listen 80;
|
|
root /var/www/website ;
|
|
|
|
#...
|
|
location /<strong>secret-folder</strong> {
|
|
satisfy all ;
|
|
|
|
allow 192.168.1.3/24;
|
|
deny 127.0.0.1 ;
|
|
|
|
auth_basic "What's the Password?" ;
|
|
auth_basic_user_file /etc/nginx/<strong>myusers</strong> ;
|
|
}
|
|
}
|
|
}</code></pre>
|
|
|
|
<p>
|
|
Now check your configuration with <code>nginx -t</code>
|
|
</p>
|
|
|
|
<p>Reload nginx and you're good to go!</p>
|
|
|
|
<strong>Contributor</strong> - <a href="https://tomfasano.co" target="_blank">tomfasano.co</a>
|
|
|
|
</main>
|
|
<!--# include file=".footer.html" -->
|
|
</body>
|
|
</html>
|