NGINX password protect directory

How to Password Protect Directory in Nginx

Sometimes you may need to prevent unauthorized access to specific files and directories on your website. This is commonly required if you have sensitive information on your website that you do not want unauthorized users to access. For this, you can easily set up basic authentication for those directories in NGINX. It allows you to quickly password protect one or more files, URLs or directories without changing any code of your site. In this article, we will look at how to password protect directory in NGINX.

How to Password Protect Directory in Nginx

Here are the steps to password protect directory in NGINX. We will require htpasswd utility to generate username-password pairs that will be used for user authentication. Although it is available in Apache server by default, we will need to install an add-on for this purpose in NGINX.

1. Install Apache Utils

We need to install apache2-utils (Ubuntu/Debian) or httpd-tools (RHEL/CentOS) that provide htpasswd utility. Open terminal and run the following command.

# yum install httpd-tools [RHEL/CentOS] 
$ sudo apt install apache2-utils [Debian/Ubuntu]

Also read : NGINX Restrict Access to Directory and Subdirectories

2. Create User/Password

Next, run htpasswd command to create a user that you want to give access to your website. Here is its syntax.

htpasswd -c /path/to/password/file username

Replace developer below with your choice of username and /etc/nginx/conf.d/.htpasswd with the path to password file where you want to store user credentials.

# htpasswd -c /etc/nginx/conf.d/.htpasswd developer

We use -c option to specify password file location for the first user.

Please note, when we create another user, we don’t specify password file location.

# htpasswd /etc/nginx/conf.d/.htpasswd developer2

Also read : NGINX Restrict Access to URL

4. Enter Password

After you enter htpasswd command, you will be asked to enter password and confirm it.

New password: 
Re-type new password:
Adding password for user developer

5. Open NGINX configuration file

You can make changes to either the NGINX configuration file or virtual host file to password protect data in NGINX. Run the following command to open NGINX server configuration file in vi editor.

$ sudo vi /etc/nginx/nginx.conf

If you have configured separate virtual hosts for your website (e.g www.example.com), such as /etc/nginx/sites-enabled/website.conf then open its configuration with the following command

$ sudo vi /etc/nginx/sites-enabled/website.conf

Alternatively, you can also open the default virtual host configuration file.

$ sudo vi /etc/nginx/sites-enabled/default

Also read : How to Configure NGINX Log rotation

6. Password Protect NGINX

In order to password protect your directory, or certain web pages or even your entire website, we need to use auth_basic and auth_basic_user_file directives in NGINX server configuration. auth_basic is the title of the prompt window displayed to user during authentication. auth_basic_user_file is the location of password file that is used to authenticate user credentials.

Password Protect All Websites

For example, if you want to configure basic authentication for all virtual hosts (an entire http block) on server, add the above two directives as shown below in http block.

http{
   ...
   auth_basic "Restricted Access!"; 
   auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
   ...
}

In the above code, we specify the path of password file in auth_basic_user_file directive and message to be displayed in auth_basic directive.

Password Protect Single Website or Domain

Similarly, here’s the code to protect server block. It will implement basic authentication for website or domain.

server{
    ...
    auth_basic "Restricted Access!";
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    ...
}

Password Protect Directory or Subdirectory

You can also configure basic authentication for specific web directories/subdirectories (e.g /admin) by adding auth_basic and auth_basic_user_file directives in a location block for that directory.

location /admin/ {
    ...
    auth_basic "Restricted Access!";
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    ...
}

The above code will enable password protection only for /admin directory. If you want to add authentication for more folders, add auth_basic and auth_basic_user_file directives to their location blocks also.

Also read : How to Fix NGINX Worker Connections Not Enough

7. Restart NGINX Server

Run the following command to check syntax of your updated config file.

$ sudo nginx -t

If there are no errors, run the following command to restart NGINX server.

$ sudo service nginx reload #debian/ubuntu
$ systemctl restart nginx #redhat/centos

Also read : How to Disable ETag in NGINX

8. Verify basic authentication

Open browser and visit the URL (e.g www.example.com/admin) that you have protected. You should see an authentication screen as the one below.

Conclusion

In this article, we have learnt how to password protect directory in NGINX. The key is to generate a password file using utility such as htpasswd. Then add auth_basic and auth_basic_user_file directives in the location, server or http blocks where you want the authentication to be done. It is a good practice to protect sensitive files, documents, URLs and directives on your website using this method. It allows website administrators to control access by changing server configuration, without any coding.

Ubiq makes it easy to visualize data, and monitor them in real-time dashboards. Try Ubiq for free.