Introduction
------------
- available on both
Nginx opensource and Nginx PLUS
- requires password
file creation file creation tool (e.g apache-2 utils)
- can enforce
restriction based on:
a. IP address
b. geographical location
Setting up authentication
-------------------------
1. Install
apache2-utils
# yum install httpd-tools
2. Create a password
file containing the 1st user
# htpasswd -c /etc/nginx/.htpasswd_users
user1
3. Add another user
if needed
# htpasswd /etc/nginx/.htpasswd_users
user2
4. Make sure selinux
(if selinux is enabled) and permission is correct on the
password file
# chown nginx /etc/nginx/.htpasswd_users
# restorecon -Rv /etc/nginx
5. Add the following
directives on the location you wish to protect
location ~ \.(pdf|PDF) {
root /payroll;
auth_basic "restricted area";
auth_basic_user_file
/etc/nginx/.htpasswd_users;
}
6. Restart nginx
# systemctl restart nginx
7. Try downloading a
file from that location
# wget http://server.home.net/01-01-1970.pdf
--user=user1 --password=pass123
Common configurations
---------------------
limiting access to
the whole website
|
server {
...
# Restrict
access to all location below
auth_basic "My personal files";
auth_basic_user_file
/etc/nginx/.htpasswd_users;
location ~ \.(mp3|mp4) {
root /music;
}
location ~ \.(jpg|png) {
root /pictures;
}
}
|
bypassing `server`
level authentication
|
server {
...
# Restrict
access to all location below except for 1 location
auth_basic "My personal files";
auth_basic_user_file
/etc/nginx/.htpasswd_users;
location ~ \.(mp3|mp4) { # this will
require credentials
root /music;
}
location ~ \.(jpg|png) { # this will
require credentials
root /pictures;
}
location /public {
root /downloads;
auth_basic off; # this wouldn't
require credentials
}
}
|
Restricting by
either source IP or
credentials |
location ~ \.txt {
satisfy any; # this
will honor source IP or credentials
allow 192.168.1.11; # Nginx will
allow from this source IP only
deny all; # others are deny
root /files/public;
auth_basic "my personal files";
auth_basic_user_file
/etc/nginx/.htpasswd_users;
}
|
Restricting by both
source IP and
credentials |
location ~ \.txt {
satisfy all; # source
IP and credentials must be correct
allow 192.168.1.11; # Nginx will
allow from this source IP only
deny all; #
others are deny
root /files/public;
auth_basic "my personal files";
auth_basic_user_file
/etc/nginx/.htpasswd_users;
}
|
No comments:
Post a Comment