Knowledge blog

How to set up http protection (http authentication) in Nginx on Ubuntu

There are many situations in which you want to restrict who can reach your website from outside. For example, you may have a development site that you want to keep out of search engine crawls, or you may want to protect certain parts of your website from public visits and crawling, such as the WordPress, Joomla or other CMS admin area. A straightforward and effective way to do this is HTTP authentication, which is also called password protection, folder protection or sometimes website protection.
In this guide we assume your server environment is Nginx on Ubuntu. Make sure you have sudo privileges before you start.
As a first step you need to create a password file that contains the username(s) and password hashes. This can be done in two ways: with the OpenSSL utilities or with apache2-utils. Choose whichever suits your needs best; the suggestion is to use apache2-utils unless you already have the OpenSSL utilities installed.

Creating Password File Using the OpenSSL Utilities

We will create a hidden file called .htpasswd in the /etc/nginx configuration directory to store our username and password combinations.

You can add a username to the file with the command below. We use robert as our username (the -n keeps the line open so the password hash lands on the same line in the next step).

sudo sh -c "echo -n 'robert:' >> /etc/nginx/.htpasswd"

Just repeat the process and create additional users as you wish.

Next, add the hashed password by typing the command below. You will be prompted for the password, and the -apr1 option produces an Apache-compatible MD5 hash that is appended after the username.

sudo sh -c "openssl passwd -apr1 >>/etc/nginx/.htpasswd"

When you open the file, the entry with the hashed password should look something like this.

robert:$apr1$wI1/T0nB$jEKuTJHkTOOWkopnXqC1d1

Creating Password File Using Apache2 Utilities

The apache2-utils package serves this function and many users find it easier to use, since it provides a purpose-built utility called htpasswd.

Install the apache2-utils package on your server by typing:

sudo apt-get update
sudo apt-get install apache2-utils

Now you have access to the htpasswd command. We can use it to create a password file that Nginx can use to authenticate users. As before, we will create a hidden file called .htpasswd in the /etc/nginx configuration directory for this purpose.

The first time we use this utility, we need to add the -c option to create the specified file. We use 'robert' as an example user.

sudo htpasswd -c /etc/nginx/.htpasswd robert

You will be asked to enter and confirm the new password.

Leave out the -c argument when adding further users; using -c again would overwrite the existing file.

sudo htpasswd /etc/nginx/.htpasswd other_user

Open the .htpasswd file to see the usernames and hashed passwords you have created.

cat /etc/nginx/.htpasswd
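Both of the sections above end with a file of $apr1$ entries, which is the Apache-flavoured MD5 crypt that openssl passwd -apr1 and htpasswd (by default) produce. The following is an added example, not code from the original post, that reproduces that hash in pure Python so you can verify a user's credentials against the file offline and flag entries that use a weaker scheme (plaintext or legacy crypt(3)). All function names (apr1_hash, verify_apr1, check_credentials, weak_entries) and the sample file contents are my own constructions.

```python
"""Create and verify $apr1$ entries like those in /etc/nginx/.htpasswd.

Added example, not part of the original post. Implements the Apache MD5
crypt (magic "$apr1$") used by "openssl passwd -apr1" and "htpasswd".
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<22 chars>"; the salt is truncated to 8 chars."""
    pw = password.encode("utf-8")
    salt = salt[:8]
    sb = salt.encode("utf-8")
    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    # Mix in as many bytes of `final` as the password is long.
    pl = len(pw)
    while pl > 0:
        ctx.update(final[: min(16, pl)])
        pl -= 16
    # For each bit of the password length: a NUL byte or the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds that alternate the order of password/salt/state.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Output bytes are permuted before the crypt-style base64 encoding.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return f"{MAGIC}{salt}${encoded}"


def new_entry(user: str, password: str) -> str:
    """One .htpasswd line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify_apr1(stored: str, candidate: str) -> bool:
    """Constant-time check of candidate against a stored $apr1$ hash."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(apr1_hash(candidate, salt), stored)


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash; blank lines and # comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def check_credentials(text: str, user: str, password: str) -> bool:
    """The decision Nginx's auth_basic makes for this user/password pair."""
    stored = parse_htpasswd(text).get(user)
    return stored is not None and verify_apr1(stored, password)


def weak_entries(text: str) -> list:
    """Users whose entry is not $apr1$ (plaintext, legacy crypt(3), ...)."""
    return [u for u, h in parse_htpasswd(text).items() if not h.startswith(MAGIC)]


# Constructed sample file: one apr1 entry with a fixed salt, one legacy entry.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed example, not a real password file",
    "alice:" + apr1_hash("correct horse", "abcdefgh"),
    "legacy:plaintext-or-old-crypt-hash",
])

if __name__ == "__main__":
    print(new_entry("robert", "example"))
    print(check_credentials(SAMPLE_HTPASSWD, "alice", "correct horse"))
    print(weak_entries(SAMPLE_HTPASSWD))
```

Run weak_entries() over your real file after migrating an old site: any user it lists still has a plaintext or crypt(3) entry and should be re-added with htpasswd so the stored value is a salted, stretched hash.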

Configure http-auth at Nginx website

With the username/password file ready, we only need to configure the authentication so that Nginx validates credentials against that htpasswd file.

Now open your website's server configuration file. In my case it is /etc/nginx/sites-enabled/default.

The server block by default looks like below.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
    }
}

Now I am going to add the restriction (http-auth) to the entire website, which means the root location itself. This is done with two directives, auth_basic and auth_basic_user_file. auth_basic enables authentication (its argument is the realm text shown in the browser's password prompt), while auth_basic_user_file points to the username/password file the credentials are checked against.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name localhost;

    # Protect entire website
    location / {
        try_files $uri $uri/ =404;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

Save the file, then restart Nginx (running sudo nginx -t first catches syntax errors) and you are done.

Another example is to protect only your WordPress admin area.

# Protect WP-Admin directory
location /wp-admin/ {
    try_files $uri $uri/ =404;
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

# Protect wp-login.php
location /wp {
    location ~ wp-login\.php$ {
        try_files $uri $uri/ =404;
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

Note: The fastcgi configuration above is mine; copy in and use your own, which may differ slightly from it.

That's it: restart Nginx and test your website.

Password Authentication at browser

Now when you try to access your website, or the part of it you protected above, you will see a password prompt. You cannot skip it without a valid username and password; with wrong credentials Nginx returns an error saying '401 Authorization Required'.
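To check the behaviour described above without a browser, here is an added example (not code from the original post) that sends the three requests a browser would make against a protected URL, anonymous, wrong password and correct password, and reports the HTTP status and the WWW-Authenticate challenge each time. So that it runs offline it includes a tiny stand-in server with constructed credentials (DEMO_USER, DEMO_PASSWORD) that mimics what auth_basic does; probe() itself is generic, so you can point it at your own Nginx URL. All names in it (probe, run_checks, start_demo_server) are my own.

```python
"""Probe an HTTP Basic-protected URL the way a browser does.

Added example, not part of the original post. Shows the 401 /
WWW-Authenticate / Authorization exchange behind the browser prompt.
The demo server is a stand-in for Nginx so the script runs offline.
"""
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed demo credentials; stand-in for an /etc/nginx/.htpasswd entry.
DEMO_USER = "robert"
DEMO_PASSWORD = "correct horse"
DEMO_REALM = "Restricted Content"  # same realm string as in the Nginx config


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends after the prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def probe(url: str, user: Optional[str] = None, password: Optional[str] = None) -> dict:
    """GET url, optionally with Basic credentials. Returns the status code and
    the WWW-Authenticate challenge (None when the server sent none)."""
    req = Request(url, method="GET")
    if user is not None:
        req.add_header("Authorization", basic_auth_header(user, password or ""))
    try:
        with urlopen(req, timeout=5) as resp:
            return {"status": resp.status, "challenge": resp.headers.get("WWW-Authenticate")}
    except HTTPError as err:  # 4xx/5xx land here; headers are still available
        return {"status": err.code, "challenge": err.headers.get("WWW-Authenticate")}


class _DemoHandler(BaseHTTPRequestHandler):
    """Minimal Basic-auth gate mimicking Nginx's auth_basic behaviour."""

    def do_GET(self):
        expected = basic_auth_header(DEMO_USER, DEMO_PASSWORD).encode("utf-8")
        provided = self.headers.get("Authorization", "").encode("utf-8")
        if not hmac.compare_digest(provided, expected):
            # No or wrong credentials: challenge the client, as Nginx does.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{DEMO_REALM}"')
            self.end_headers()
            self.wfile.write(b"401 Authorization Required\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"welcome\n")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server() -> Tuple[HTTPServer, str]:
    """Start the stand-in server on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def run_checks(base_url: str) -> dict:
    """The three requests worth making after enabling auth_basic."""
    return {
        "anonymous": probe(base_url),
        "wrong_password": probe(base_url, DEMO_USER, "not-the-password"),
        "correct": probe(base_url, DEMO_USER, DEMO_PASSWORD),
    }


if __name__ == "__main__":
    server, url = start_demo_server()
    try:
        for name, result in run_checks(url).items():
            print(f"{name:15s} -> {result}")
    finally:
        server.shutdown()
        server.server_close()
```

Note what the Authorization header contains: the username and password are only Base64-encoded, not encrypted, so anyone who can read the traffic can recover them. A site protected this way should be served over HTTPS.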