When setting up a web server, there are often sections of the site that you wish to restrict access to. Web applications often provide their own authentication and authorization methods, but the web server itself can be used to restrict access if these are inadequate or unavailable.

In this guide, we’ll demonstrate how to password protect assets on an Nginx web server running on Ubuntu 18.04.

Prerequisites

Nginx is required. If you don't have it, you can install it with the following commands:

sudo apt-get update
sudo apt-get install nginx

Step 1

Add a username to the password file, /etc/nginx/.htpasswd, using the command below. We are using raturi as our username, but you can use whatever name you’d like:

sudo sh -c "echo -n 'raturi:' >> /etc/nginx/.htpasswd"

Step 2

Next, add a hashed password entry for the username (the -apr1 option selects Apache's MD5-based format, which Nginx can read) by typing:

sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"

You will be prompted for a password. Enter it, and the entry is complete.

Step 3

Verify that the entry was written by viewing the file:

cat /etc/nginx/.htpasswd
# Output

raturi:$apr1asdasdx$/fWd42iVOYMslEDDHewuw
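
Because Steps 1 and 2 append the username and the hash in two separate writes, a mistyped confirmation or a repeated Step 1 leaves a malformed line behind. The following script is an added example, not part of the original guide: it checks every line against the shape `user:$apr1$salt$hash` and re-hashes a candidate password to compare it with the stored one. The function names are hypothetical, the sample lines are constructed, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: check an htpasswd file built with the two-step procedure above.
# Function names are hypothetical; make_entry and verify_password need openssl.

# Shape written by `openssl passwd -apr1`:
#   user:$apr1$<salt, 1-8 chars>$<22-char hash>
APR1_RE='^[^:[:space:]]+:\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'

# count_bad_entries FILE: print how many non-empty lines are not valid apr1 entries.
count_bad_entries() {
    grep -v '^$' "$1" | grep -Evc "$APR1_RE" || true
}

# make_entry USER PASSWORD: print one complete entry (Steps 1 and 2 in a single write).
make_entry() {
    printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
}

# verify_password FILE USER PASSWORD: exit 0 if PASSWORD matches the stored hash,
# 1 if it does not, 2 if USER has no usable entry.
verify_password() {
    entry=$(awk -F: -v u="$2" '$1 == u { print substr($0, length(u) + 2); exit }' "$1")
    [ -n "$entry" ] || return 2
    salt=$(printf '%s' "$entry" | cut -d'$' -f3)
    [ -n "$salt" ] || return 2
    # Re-hash the candidate with the stored salt; the password goes in on stdin
    # so it does not show up in the process list.
    computed=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$entry" ]
}

# Demo on constructed lines (shape only, not real hashes): one well-formed entry,
# a username left without a hash, and a username written twice.
demo=$(mktemp)
printf '%s\n' 'alice:$apr1$abcdefgh$0123456789abcdefghijkl' \
              'raturi:' \
              'raturi:raturi:$apr1$abcdefgh$0123456789abcdefghijkl' > "$demo"
echo "malformed entries: $(count_bad_entries "$demo")"
rm -f "$demo"
```

Running `count_bad_entries` against /etc/nginx/.htpasswd before restarting Nginx shows whether any entry needs to be removed and recreated; a result of 0 means every line has the expected shape.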

Step 4

Now that we have a file with our users and passwords in a format that Nginx can read, we need to configure Nginx to check this file before serving our protected content.

Begin by opening up the server block configuration file that you wish to add a restriction to. For our example, we’ll be using the default server block file installed through Ubuntu’s Nginx package:

sudo nano /etc/nginx/sites-enabled/default

Inside, with the comments stripped, /etc/nginx/sites-enabled/default should look similar to this:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
    }
}

To set up authentication, you need to decide on the context to restrict. Among other choices, Nginx allows you to set restrictions on the server level or inside a specific location. In our example, we’ll restrict the entire document root with a location block, but you can modify this listing to only target a specific directory within the web space.

Within this location block, use the auth_basic directive to turn on authentication and to choose a realm name to be displayed to the user when prompting for credentials. We will use the auth_basic_user_file directive to point Nginx to the password file we created. The updated /etc/nginx/sites-enabled/default looks like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

Save and close the file when you are finished. Restart Nginx to implement your password policy:

sudo service nginx restart

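The directory you specified should now be password protected. Note that Basic authentication sends the username and password base64-encoded rather than encrypted, so with the plain HTTP listener on port 80 shown here they cross the network in readable form; serve the protected location over HTTPS when the credentials matter.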

Finally, open your server's IP address in a browser and you will be prompted for a username and password.