When setting up a web server, there are often sections of the site that you wish to restrict access to. Web applications often provide their own authentication and authorization methods, but the web server itself can be used to restrict access if these are inadequate or unavailable.
In this guide, we’ll demonstrate how to password protect assets on an Nginx web server running on Ubuntu 18.04.
Prerequisites
Nginx is required, if you don't have you can install it by the following command.
sudo apt-get update
sudo apt-get install nginx
Step 1
You can add a username to the file using this command. We are using raturi
as our username, but you can use whatever name you’d like:
sudo sh -c "echo -n 'raturi:' >> /etc/nginx/.htpasswd"
Step 2
Next, add an encrypted password entry for the username by typing:
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"
Here you will be asked for a password, enter your password and you are done.
Step 3
Verify your password
cat /etc/nginx/.htpasswd
# Output
raturi:$apr1asdasdx$/fWd42iVOYMslEDDHewuw
Step 4
Now that we have a file with our users and passwords in a format that Nginx can read, we need to configure Nginx to check this file before serving our protected content.
Begin by opening up the server block configuration file that you wish to add a restriction to. For our example, we’ll be using the default
server block file installed through Ubuntu’s Nginx package:
sudo nano /etc/nginx/sites-enabled/default
Inside, with the comments stripped, the file should look similar to this: /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
server_name localhost;
location / {
try_files $uri $uri/ =404;
}
}
To set up authentication, you need to decide on the context to restrict. Among other choices, Nginx allows you to set restrictions on the server level or inside a specific location. In our example, we’ll restrict the entire document root with a location block, but you can modify this listing to only target a specific directory within the web space:
Within this location block, use the auth_basic
directive to turn on authentication and to choose a realm name to be displayed to the user when prompting for credentials. We will use the auth_basic_user_file
directive to point Nginx to the password file we created: /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
server_name localhost;
location / {
try_files $uri $uri/ =404;
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
Save and close the file when you are finished. Restart Nginx to implement your password policy:
sudo service nginx restart
The directory you specified should now be password protected.
Finally, open your IP and you will be prompted for a user and password.