I needed to keep a few older websites online for a short while, but didn’t want to leave them wide open in case their older CMS versions were vulnerable, so I decided to put them behind a password.
nginx (pronounced Engine-X) is a web server, reverse proxy and caching solution powering a large share of the websites on the Internet today. It’s a lightweight web server with a non-blocking, event-driven architecture, meaning it can serve impressive amounts of traffic with modest resource requirements.
nginx was acquired by F5 in 2019.
I’ll be writing a lot more about nginx in 2020, simply because I’m finally catching up with my dedicated hosts infrastructure and will have the time to document my setup and best practices.
There are a few steps to protecting a website using nginx (the steps are similar in the Apache web server, but implemented differently):
1. Decide on the passwords file and create or update it
2. Decide on the username and password
3. Generate the password hash and add the entry to the passwords file
4. Update the web server configuration to require authentication
Because websites are configured as directory locations, you have a choice of protecting the whole website, like www.unixtutorial.org, or just a part (subdirectory) of it, like www.unixtutorial.org/images.
INTERESTING: even though it’s commonly referred to as password protecting a website, what you actually configure is HTTP Basic authentication, which requires a username and a password. So when you try to open a protected website, you get a prompt like this, right there in your browser:
[Screenshot: nginx username/password prompt in the browser]
Most of the time, website access is controlled by a file conventionally named htpasswd. nginx has no built-in default path for it: you either create a default password file in the /etc/nginx/htpasswd location, or create a website-specific one like /etc/nginx/unixtutorial.htpasswd, and later point the configuration at whichever you chose.
You can create an empty file using the touch command:
Or better yet, use the htpasswd command to do it. But because htpasswd is part of the Apache utilities (package apache2-utils on Debian/Ubuntu, httpd-tools on RHEL/CentOS/Fedora), you may have to install it first:
When you run the htpasswd command, you specify two parameters: the password file name and the username you’ll use for access. It prompts for the password twice and, by default, stores an Apache MD5 ($apr1$) hash, which nginx accepts. Avoid -p (plain text, which nginx does not accept) and -d (traditional crypt, capped at 8 characters and trivial to crack); nginx verifies non-apr1 hashes through the system crypt() function, so bcrypt hashes from -B work only where that library supports them.
If the password file is missing, you’ll be notified like this:
And yes, adding the -c option will get the file created. Use it only for the very first user: -c also truncates an existing file, so running it again would wipe every other entry:
Now, if we cat the file, it will show the unixtutorial user and the password hash for it, one user:hash line per entry:
IMPORTANT: although this file doesn’t contain the actual passwords, only their hashes, anyone who obtains it can run an offline guessing attack against those hashes on powerful hardware – so take the usual measures to protect it: choose strong passwords, keep the file owned by root and readable only by the nginx worker user (for example chmod 640), and keep it outside any directory the web server serves.
Update Website Configuration with Password Protection
I’ve got the following setup for this old website in my example:
Protection is done at the location level. In this example, location / means my whole website is protected.
So right in front of the proxy_pass entry, I’ll add the password protection directives:
As you can see, we refer to the password file we created earlier. The string after auth_basic (“Restricted” here) is the authentication realm that nginx sends to the browser; some browsers show it in the username/password prompt and others don’t, so don’t rely on it to convey anything important. If you need to exempt a nested location, auth_basic off turns protection back off there.
That’s how the password protected part will look:
Save the file, check the configuration with nginx -t, and reload nginx (a reload is enough; a full restart is not required):
Now the website https://forum.reys.net is password protected! Keep in mind that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so it is only safe on a site served over HTTPS, as this one is.
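The whole procedure above, wrapped into one script as an added example (this is not code from the original post). It assumes things the article does not state: the nginx worker runs as www-data, openssl is installed (openssl passwd -apr1 emits the same $apr1$ hashes as htpasswd -m, so there is no dependency on apache2-utils), the backend is proxied at http://127.0.0.1:8080, and the site’s server block has an include line for a snippet file at /etc/nginx/snippets/forum-auth.conf. It avoids -c on an existing file, reads the password from the terminal rather than the command line, checks every line of the passwords file is in a scheme nginx understands, locks the file’s permissions down, and reloads nginx only after nginx -t passes.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions (mine): worker user
# www-data, openssl present, backend on 127.0.0.1:8080, snippet path below is
# "include"d from the site's server block.
set -eu

HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/nginx/unixtutorial.htpasswd}"
NGINX_USER="${NGINX_USER:-www-data}"
SNIPPET="${SNIPPET:-/etc/nginx/snippets/forum-auth.conf}"   # assumed path

# The file is one "user:hash" per line, so a ':' (or any odd character) in a
# username would corrupt it. Allow only a conservative character set.
valid_username() {
  case $1 in
    ''|*[!A-Za-z0-9._@-]*) return 1 ;;
  esac
  return 0
}

# Add or replace one user. Deliberately never calls "htpasswd -c" on an existing
# file: -c truncates it and silently drops every other user.
add_user() {
  file=$1 user=$2 pass=$3
  valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
  hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
  if [ -f "$file" ]; then
    awk -F: -v u="$user" '$1 != u' "$file" > "$file.tmp"   # drop old entry
    mv "$file.tmp" "$file"
  fi
  printf '%s:%s\n' "$user" "$hash" >> "$file"
  # Hashes can be cracked offline: root-owned, readable only by the worker user.
  chown "root:$NGINX_USER" "$file"
  chmod 640 "$file"
}

# Sanity-check the file before pointing nginx at it: every line must be
# "user:hash" in a scheme nginx accepts ($apr1$, {SHA}/{SSHA}, the $5$/$6$
# crypt() schemes, and $2y$ bcrypt only where the system crypt() supports it).
# Plain DES crypt is rejected on purpose: 8-character limit, trivial to crack.
htpasswd_ok() {
  awk -F: '
    NF != 2 || $1 == "" { bad = 1 }
    $2 !~ /^([$]apr1[$]|[{]S?SHA[}]|[$][56][$]|[$]2[aby][$])/ { bad = 1 }
    END { if (NR == 0) bad = 1; exit bad + 0 }
  ' "$1"
}

# Render the protected location. The realm string is sent in the
# WWW-Authenticate header; browsers differ on whether they display it.
render_auth_location() {
  path=$1 realm=$2 file=$3 upstream=$4
  cat <<EOF
location $path {
    auth_basic           "$realm";
    auth_basic_user_file $file;
    proxy_pass           $upstream;
}
EOF
}

# Usage: sh protect-site.sh add USERNAME   (run as root)
if [ "${1:-}" = "add" ]; then
  user=${2:?usage: $0 add USERNAME}
  # Read the password from the terminal so it lands in neither history nor "ps".
  printf 'Password for %s: ' "$user"
  stty -echo 2>/dev/null || true
  read -r pass
  stty echo 2>/dev/null || true
  echo
  add_user "$HTPASSWD_FILE" "$user" "$pass"
  htpasswd_ok "$HTPASSWD_FILE" || { echo "malformed $HTPASSWD_FILE" >&2; exit 1; }
  render_auth_location / "Restricted" "$HTPASSWD_FILE" "http://127.0.0.1:8080" > "$SNIPPET"
  # Validate first; a reload keeps existing connections alive, unlike a restart.
  nginx -t && nginx -s reload
fi
```

The server block for the site then only needs `include /etc/nginx/snippets/forum-auth.conf;` in place of the original `location /` block (an assumed layout, as noted). Running the script a second time for the same user replaces that user’s line rather than appending a duplicate, and a second user is added without touching the first, which is exactly the case where `htpasswd -c` would have bitten.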