Tuesday, June 12, 2018

HTTP Authentication in Nginx


Introduction
------------

- available in both NGINX Open Source and NGINX Plus
- requires a tool that creates the password file (e.g. apache2-utils / httpd-tools)
- can enforce restrictions based on:
    a. IP address
    b. geographical location

Setting up authentication
-------------------------

1. Install apache2-utils (the package is called httpd-tools on RHEL/CentOS)
     # yum install httpd-tools

2. Create a password file containing the first user
     # htpasswd -c /etc/nginx/.htpasswd_users user1

3. Add another user if needed
     # htpasswd /etc/nginx/.htpasswd_users user2

4. Make sure the ownership and permissions of the password file are correct and, if SELinux is enabled, restore its context
     # chown nginx /etc/nginx/.htpasswd_users
     # restorecon -Rv /etc/nginx

5. Add the following directives to the location you wish to protect
  location ~ \.(pdf|PDF) {
    root /payroll;
    auth_basic "restricted area";
    auth_basic_user_file /etc/nginx/.htpasswd_users;
  }

6. Restart nginx
     # systemctl restart nginx

7. Try downloading a file from that location
     # wget http://server.home.net/01-01-1970.pdf --user=user1 --password=pass123


Common configurations
---------------------

Limiting access to the whole website

server {
    ...
    # Restrict access to all locations below
    auth_basic  "My personal files";
    auth_basic_user_file /etc/nginx/.htpasswd_users;

    location ~ \.(mp3|mp4) {
      root /music;
    }

    location ~ \.(jpg|png) {
      root /pictures;
    }
}

Bypassing server-level authentication for one location

server {
    ...
    # Restrict access to all locations below except for one location
    auth_basic  "My personal files";
    auth_basic_user_file /etc/nginx/.htpasswd_users;

    location ~ \.(mp3|mp4) {  # this will require credentials
      root /music;
    }

    location ~ \.(jpg|png) {  # this will require credentials
      root /pictures;
    }

    location /public {
      root /downloads;
      auth_basic off;  # this location doesn't require credentials
    }
}

Restricting by either source IP or credentials

location ~ \.txt {
  satisfy any;         # either a matching source IP or valid credentials is enough
  allow 192.168.1.11;  # Nginx will allow from this source IP only
  deny all;            # all others are denied

  root /files/public;

  auth_basic "my personal files";
  auth_basic_user_file /etc/nginx/.htpasswd_users;
}

Restricting by both source IP and credentials

location ~ \.txt {
  satisfy all;         # source IP and credentials must both be correct
  allow 192.168.1.11;  # Nginx will allow from this source IP only
  deny all;            # all others are denied

  root /files/public;

  auth_basic "my personal files";
  auth_basic_user_file /etc/nginx/.htpasswd_users;
}
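
To make it concrete what Nginx actually evaluates for the setup above (steps 1 to 7) and for the two `satisfy` configurations, here is an added Python example; it is not part of the original post and not Nginx's own code. It reads a password file in the `user:hash` layout that htpasswd writes, decodes the `Authorization: Basic` header, checks the password against the stored hash, evaluates `allow`/`deny` rules in order, and combines the two results the way `satisfy any` and `satisfy all` do. The password file contents, the hashes, the client IPs and the hypothetical user `user2` are constructed for the example; only the `{SHA}` (htpasswd -s) and `{SSHA}` hash schemes are implemented, since the default apr1/crypt() entries need the platform's crypt(). Note that the Basic header is only base64-encoded, so the protected location should be served over HTTPS, not plain HTTP as in the wget example.

```python
import base64
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# --- constructed password file (same layout as /etc/nginx/.htpasswd_users) ---
def _sha_entry(password: str) -> str:
    """'{SHA}' entry as written by 'htpasswd -s' (unsalted SHA-1, base64)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def _ssha_entry(password: str, salt: bytes) -> str:
    """'{SSHA}' entry: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

HTPASSWD_USERS = (
    "user1:" + _sha_entry("pass123") + "\n"            # user1 from the post
    "user2:" + _ssha_entry("s3cret", b"\x01\x02\x03\x04") + "\n"  # hypothetical
    "# comment lines and blank lines are ignored\n"
    "\n"
)

def load_htpasswd(text: str) -> Dict[str, str]:
    """Parse 'user:hash' lines into a dict; the hash field is kept verbatim."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users

def verify_password(stored: str, password: str) -> bool:
    """Compare a cleartext password with one stored hash, in constant time."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    return False  # apr1 / crypt() entries are not handled in this example

def basic_header(user: str, password: str) -> str:
    """Build the header a client such as 'wget --user --password' sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>'.
    The payload is merely base64, not encrypted: anyone on the path can read it
    unless the connection uses TLS."""
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def credentials_ok(users: Dict[str, str], header: Optional[str]) -> bool:
    """What auth_basic decides for one request."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = users.get(user)
    return stored is not None and verify_password(stored, password)

def ip_allowed(client_ip: str, rules: Iterable[Tuple[str, str]]) -> bool:
    """Evaluate allow/deny rules the way ngx_http_access_module does:
    rules are checked in order and the first match wins; with no match, access is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, spec in rules:
        if spec == "all" or addr in ipaddress.ip_network(spec, strict=False):
            return action == "allow"
    return True

def access_decision(satisfy: str, client_ip: str, rules: Iterable[Tuple[str, str]],
                    users: Dict[str, str], header: Optional[str]) -> bool:
    """Combine the IP check and the credential check as 'satisfy any|all' does."""
    ip_ok = ip_allowed(client_ip, rules)
    cred_ok = credentials_ok(users, header)
    if satisfy == "all":
        return ip_ok and cred_ok
    if satisfy == "any":
        return ip_ok or cred_ok
    raise ValueError("satisfy must be 'all' or 'any'")

if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD_USERS)
    rules = [("allow", "192.168.1.11"), ("deny", "all")]   # the post's location block
    hdr = basic_header("user1", "pass123")
    print("satisfy any, foreign IP, good creds:", access_decision("any", "10.0.0.5", rules, users, hdr))
    print("satisfy all, foreign IP, good creds:", access_decision("all", "10.0.0.5", rules, users, hdr))
```

Running the script shows the difference between the two `satisfy` modes on the same request: with `satisfy any` a valid password from a foreign address is accepted, with `satisfy all` it is refused because the `deny all` rule fails first.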
