How To Use HTTP Basic Authentication With Nginx
How To Use HTTP Basic Authentication With Nginx
June 18, 2020

Nginx Web Server is among the popular web servers and widely-used to host websites. We can password protect either the complete site or specific sections of a site using the HTTP Basic Authentication with the Nginx Web Server. This tutorial provides the steps to generate the username and password pairs using the htpasswd utility and store the password in the .htpasswd file. It also shows how to password protect or restrict access to the complete site or specific sections of the site by updating the server block. All the examples provided in this tutorial are tested using the Nginx 1.17.10 installed on Ubuntu 20.04 LTS. The steps should be the same for the other versions of Ubuntu and Linux systems.

Prerequisites

This tutorial assumes that you have already installed Ubuntu 20.04 LTS desktop or server version either for local or production usage. You can follow Install Ubuntu 20.04 LTS Desktop, Install Ubuntu 20.04 LTS On Windows Using VMware, and Spin Up Ubuntu 20.04 LTS Server On Amazon EC2 to install Ubuntu 20.04 LTS. It also assumes that you have either root privileges or a regular user with sudo privileges.

It also assumes that the Nginx Web Server is already installed. You may follow How To Install And Configure Nginx on Ubuntu 20.04 LTSConfigure Virtual Host Or Server Block On Nginx, and How To Install Let's Encrypt For Nginx On Ubuntu.

In the case of production usage, it assumes that you have access to the remote server.

Generate Password

This section provides the steps to generate and store the password using the htpasswd utility. Use the below-mentioned commands to create and store the password using the htpasswd utility.

# Install Apache Utils
sudo apt install apache2-utils

# Create Password File
sudo htpasswd -c /<path to .htpasswd>/.htpasswd username

# Example 1
sudo htpasswd -c /etc/secure/.htpasswd nick

# Output
New password: <strong password>
Re-type new password: <strong password>
Adding password for user nick

This will generate the password and stores the username and password pair on a separate line in the .htpasswd file. We can add more users using the same file without the -c argument as shown below.

# Example 2
sudo htpasswd -c /etc/secure/.htpasswd roy

# Output
New password: <strong password>
Re-type new password: <strong password>
Adding password for user roy

We can also verify the htpasswd file as shown below.

# Echo File Content
cat /etc/secure/.htpasswd

# .htpasswd File Content
nick:1$pr1$C9tqmsDt$ztcUda2bK12BC1brVYtv00
joy:$apr1$TAgZlVu1$Vil6BFu75PsErb3tnxv12/

Configure Server Block

This section provides the configurations required to password protect the site by updating the virtual host. The virtual host of a site hosted by the Nginx Web Server should have similar configurations as shown below.

# Content
server {
listen 80;
server_name example.com www.example.com;

root /var/www/example.com/html;

index index.html index.htm;

location / {
try_files $uri $uri/ =404;
}

location ~ /\.ht {
deny all;
}
}

The above configuration does not block any resource of the site example.com. We can update the server block or the virtual host to completely password protect the site by implementing HTTP Basic Authentication as shown below.

# Server Block
sudo nano /etc/nginx/sites-available/example.com

# Content
server {
listen 80;
server_name example.com www.example.com;

root /var/www/example.com/html;

index index.html index.htm;

location / {
try_files $uri $uri/ =404;

auth_basic "Restricted";
auth_basic_user_file /etc/secure/.htpasswd;
}

location ~ /\.ht {
deny all;
}
}

Now reload the Nginx Web Server and try to access the site.

# Reload Nginx
sudo systemctl reload nginx

The auth dialog should be similar to Fig 1.

HTTP Basic Authentication - Nginx - Auth Dialog

Fig 1

It will allow access to the site by providing the valid User Name and Password. In case of wrong username or password, after pressing the Cancel Button it shows the 401 error as shown in Fig 2.

HTTP Basic Authentication - Nginx - Auth Error

Fig 2

We can also restrict the specific subdirectory of a site as shown below.

# Server Block
sudo nano /etc/nginx/sites-available/example.com

# Content
server {
listen 80;
server_name example.com www.example.com;

root /var/www/example.com/html;

index index.html index.htm;

location / {
try_files $uri $uri/ =404;
}

location /admin {
auth_basic "Restricted";
auth_basic_user_file /etc/secure/.htpasswd;
}

location ~ /\.ht {
deny all;
}
}

# Reload Nginx
sudo systemctl reload nginx

The above configuration will show the Auth Dialog only when someone tries to access the admin i.e. http://www.example.com/admin. The rest of the site will be publicly accessible.

Allow/Deny IP

We can also allow or deny either a single IP or a block by further updating the server block as shown below.

# Server Block
sudo nano /etc/nginx/sites-available/example.com

# Content
server {
listen 80;
server_name example.com www.example.com;

root /var/www/example.com/html;

index index.html index.htm;

location / {
try_files $uri $uri/ =404;

deny 192.168.1.2;
allow 192.168.1.1/24;
allow 127.0.0.1;
deny all;

auth_basic "Restricted";
auth_basic_user_file /etc/secure/.htpasswd;
}

location ~ /\.ht {
deny all;
}
}

# Reload Nginx
sudo systemctl reload nginx

Summary

This tutorial provided the steps required to generate the password file using htpasswd utility and configure the server block or virtual host to password-protect and restrict access to the whole website by implementing HTTP Basic Authentication. It also showed how to password protect the site either completely or parts of it by updating the server block.

Write a Comment

Click on the captcha image to get new code.
Discussion Forum by DISQUS