Nginx – Password Protect Web Directories



Managers of web projects often need to restrict access to their work one way or another. A common question is how to password protect a website while it is still in development.

On an Apache web server, it's possible to password protect a directory using .htaccess and .htpasswd files. However, .htaccess files are not supported on Nginx.

To complete the steps in this tutorial, you will need to have:

  • Nginx web server installed.
  • Root access to the server.

Installing Apache Tools (Optional)

You will need the htpasswd command to create the password file that will restrict access to the target website. This command is part of the apache2-utils package on Debian/Ubuntu and of httpd-tools on CentOS/RHEL, so the first step is to install the relevant package:

sudo apt-get install apache2-utils       [For Debian based systems]

sudo yum install httpd-tools             [For CentOS based systems]

Step 1: Create User and Password

To password protect our web directory, we will need to create the file that will contain our username and the hash of our password.

The htpasswd utility from the Apache tools works just as well for Nginx. If you have it installed on your system, you can use this command to generate the password file:

# htpasswd -c /path/to/file/.htpasswd username

When running this command, you will be asked to set a password for the above user, and after that the .htpasswd file will be created in the specified directory. The session looks like this:

New password: 
Re-type new password: 
Adding password for user LOGIN

If you don’t have that tool installed, you can create the .htpasswd file manually. The file holds one entry per line with the following syntax (the comment field is optional):

username:encrypted-password:comment

The username is up to you; choose whatever you like.

The more important part is how you generate the password hash for that user.

Step 2: Generate Encrypted Password

To generate the password hash, use Perl’s built-in crypt function. Its first argument is the password and its second argument is the salt.

Here is the general form of that command:

# perl -le 'print crypt("your-password", "salt")'

A real life example (Perl’s q(...) quoting is used for the password because "$fa" inside double quotes would be interpolated as a variable and silently dropped from the password):

# perl -le 'print crypt(q(#12Dfsaa$fa), "1xzcq")'

Now open a file and put your username and the generated string in it, separated by a colon. Here is how:

# vi /home/exampleuser/.htpasswd

Put your username and the password hash. In our case it looks like this:

exampleuser:1xV2Rdw7Q6MK.

Save the file by hitting Esc followed by :wq.
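The perl one-liner above produces a classic 13-character DES crypt entry, which hashes only the first 8 characters of the password. As an added example (not part of the original tutorial and not the htpasswd tool's own code), the following Python script generates an entry in Apache's apr1 scheme, which Nginx's auth_basic accepts natively, verifies a password against apr1 and {SHA} entries the way the server would, and audits a password file to flag legacy schemes. The apr1 routine follows Apache's apr_md5_encode algorithm; all usernames, salts, passwords and the sample file are constructed for this example.

```python
# Added example (not from the original tutorial): build and audit an Nginx
# password file without the DES crypt(3) scheme the perl one-liner produces.
# Facts relied on: nginx's auth_basic accepts "$apr1$" (Apache MD5) and "{SHA}"
# entries itself and hands other entries to the system crypt(3); classic DES
# crypt (13 characters, no "$") only looks at the first 8 password characters.
# All sample entries below are constructed for this example.
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt-style base64: emit `count` characters, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt=None):
    """Apache/Nginx apr1 scheme: "$apr1$<salt>$<22 chars>" (MD5, 1000 rounds)."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]                      # apr1 uses at most 8 salt characters
    pw, sp, magic = password.encode(), salt.encode(), b"$apr1$"
    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                 # mix in alt, 16 bytes per 16 password bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                          # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                # the deliberately slow stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$apr1$%s$%s" % (salt, encoded)


def sha_hash(password):
    """Nginx "{SHA}" scheme: unsalted base64(SHA-1). Here only so it can be recognised."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify(password, stored):
    """Check a password against an apr1 or {SHA} entry the way nginx would."""
    if stored.startswith("$apr1$"):
        salt = stored.split("$")[2]
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_hash(password), stored)
    raise ValueError("scheme not handled by this example: " + stored[:8])


def classify(stored):
    """Name the hash scheme of one entry and say whether it is acceptable today."""
    if stored.startswith("$apr1$"):
        return "apr1", True
    if stored.startswith(("$5$", "$6$")):
        return "sha-crypt", True
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt (needs crypt(3) support, e.g. libxcrypt)", True
    if stored.startswith("{SHA}"):
        return "unsalted SHA-1", False
    if len(stored) == 13 and all(ch in ITOA64 for ch in stored):
        return "DES crypt (password truncated to 8 chars)", False
    return "plaintext or unknown", False


def parse_htpasswd(text):
    """Return (user, hash, comment) for 'user:hash[:comment]' lines; skip blanks and '#'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        stored, _, comment = rest.partition(":")
        entries.append((user, stored, comment))
    return entries


def audit(text):
    """Return [(user, scheme, ok)] for every entry in an htpasswd file."""
    return [(u, *classify(h)) for u, h, _ in parse_htpasswd(text)]


# Constructed sample file: a tutorial-style DES entry next to an apr1 entry.
SAMPLE_HTPASSWD = "\n".join([
    "# staging site users (constructed sample)",
    "exampleuser:1xV2Rdw7Q6MK.",          # DES crypt, as the perl one-liner produces
    "admin:" + apr1_hash("correct horse", "Zz9Qx1Lp") + ":ops team",
    "",
])

if __name__ == "__main__":
    for user, scheme, ok in audit(SAMPLE_HTPASSWD):
        print("%-12s %-45s %s" % (user, scheme, "ok" if ok else "REPLACE"))
    print("admin login check:", verify("correct horse", apr1_hash("correct horse", "Zz9Qx1Lp")))
```

Running the script prints one line per entry and marks the DES entry for replacement. With apache2-utils installed, `htpasswd -m` writes the same apr1 format and `htpasswd -B` writes bcrypt; whichever tool you use, keep the password file outside the web root (as the /home/example path in this tutorial already is) so Nginx never serves it.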

Step 3: Update Nginx Configuration

Now open and edit the Nginx configuration file associated with the site you are working on. In our case we will use the default file at:

# vi /etc/nginx/conf.d/default.conf       [For CentOS based systems]

OR

# vi /etc/nginx/nginx.conf                [For CentOS based systems]

OR

# vi /etc/nginx/sites-enabled/default     [For Debian based systems]

In our example, we will password protect the document root of Nginx, which is /usr/share/nginx/html. Add the following two directives inside the location block for the path you wish to protect:

auth_basic "Administrator Login";
auth_basic_user_file /home/example/.htpasswd;

For example, under the location section, add both directives:

/etc/nginx/sites-available/default.conf
. . .
server_name localhost;

location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
        auth_basic "Administrator Login";
        auth_basic_user_file /home/example/.htpasswd;
}

Save and close the file.

After saving the file, restart Nginx with:

# systemctl restart nginx
OR
# service nginx restart

Now open the server’s IP address (or hostname) in your browser and you should be prompted for a username and password.

Your main web directory is now protected. When you want to remove the password protection from the site, simply remove the two directives you just added to the Nginx configuration and restart Nginx again, or use the following command to remove the user from the password file:

# htpasswd -D /path/to/file/.htpasswd username