
Restricting Unauthorized Access

To restrict unauthorized access to protected locations, we need to set up users with access passwords.

Directory Creation

Let's start by creating a private directory to act as a vault for us:

  1. Create a directory named vault inside the usr directory to store the user and password combinations:

sudo mkdir /usr/vault

  2. Now create a file to hold the user data and passwords:

sudo touch /usr/vault/.useraccess

  3. That's it! We've created our user-data file. Now let's add a user to it.

Adding a User

If you have OpenSSL installed on your server, you can create a password file with no additional packages.

You can add a username to the file using this command. We are using userjoe as our username, but you can use whatever name you’d like:

sudo sh -c "echo -n 'userjoe:' >> /usr/vault/.useraccess"

Next, add an encrypted password for the username using the command:

sudo sh -c "openssl passwd >> /usr/vault/.useraccess"

It will prompt you to enter the password (Password:) and then to confirm it (Verifying - Password:).

You can repeat this process for additional usernames. You can see how the usernames and encrypted passwords are stored within the file by typing:

cat /usr/vault/.useraccess
Output
userjoe:$1$fwpKjGJM$ykMtlFMIucByKkJOcSIrw/
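Because the file is assembled by hand with echo -n and openssl passwd, it is easy to end up with a hash line that has no username, a username line with no hash, or the same user added twice. The following lint, an added example that is not part of this guide, parses the file body the way the format is laid out (user:hash, optional third comment field, # comment lines) and reports those mistakes plus any weak or unrecognised hash scheme. The sample file at the bottom is constructed; userann and legacy are hypothetical users.

```python
SCHEMES = {  # hash prefixes nginx's auth_basic accepts, with a rating for each
    "$1$": "md5-crypt (what the bare 'openssl passwd' in this guide produced)",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "{SSHA}": "salted sha1",
    "{SHA}": "WEAK: unsalted sha1 (nginx docs: do not use)",
    "{PLAIN}": "WEAK: cleartext password",
}

def classify(hash_field: str) -> str:
    """Name the scheme of one hash field; 'WEAK'/'UNKNOWN' means replace it."""
    for prefix, note in SCHEMES.items():
        if hash_field.startswith(prefix):
            return note
    if len(hash_field) == 13 and "$" not in hash_field:
        return "WEAK: traditional des crypt (8-character password limit)"
    return "UNKNOWN scheme"

def lint_user_file(text: str) -> tuple[dict[str, str], list[str]]:
    """Parse the file body into {user: hash} and list format/strength findings."""
    users: dict[str, str] = {}
    findings: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and '#' comment lines are allowed
            continue
        user, sep, hash_field = line.partition(":")
        hash_field = hash_field.split(":", 1)[0]  # a third field is an nginx comment
        if not sep:
            findings.append(f"line {lineno}: no 'user:' prefix (echo step skipped?)")
        elif not hash_field:
            findings.append(f"line {lineno}: user {user!r} has an empty hash (echo without -n?)")
        elif user in users:
            findings.append(f"line {lineno}: duplicate user {user!r}; only one entry is used")
        else:
            users[user] = hash_field
            note = classify(hash_field)
            if note.startswith(("WEAK", "UNKNOWN")):
                findings.append(f"line {lineno}: user {user!r}: {note}")
    return users, findings

# Constructed sample: the guide's userjoe entry followed by the typical mistakes.
SAMPLE = """\
userjoe:$1$fwpKjGJM$ykMtlFMIucByKkJOcSIrw/
userann:
$1$abcdefgh$CONSTRUCTEDHASHVALUE0000000
userjoe:{PLAIN}constructedpw
legacy:{SHA}CONSTRUCTEDBASE64VALUE=
"""
```

Run lint_user_file on the contents of /usr/vault/.useraccess after each edit; an empty findings list means every line is a usable user:hash pair.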

Configure Password Authentication

Now that we have a file with our users and passwords in a format that Nginx can read, we need to configure Nginx to check this file before serving our protected content.

Begin by opening up the server block configuration file that you wish to add a restriction to. For our example, we’ll be using the default server block file installed through Ubuntu’s Nginx package:

sudo nano /etc/nginx/sites-enabled/default

Inside, with the comments stripped, the file should look similar to this:

/etc/nginx/sites-enabled/default

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
    }
}

To set up authentication, you need to decide on the context to restrict. Among other choices, Nginx allows you to set restrictions at the server level or inside a specific location. In our example, we’ll restrict the entire document root with a location block, but you can modify this listing to target only a specific directory within the web space.

Within this location block, use the auth_basic directive to turn on authentication and to choose a realm name to be displayed to the user when prompting for credentials. We will use the auth_basic_user_file directive to point Nginx to the password file we created:

/etc/nginx/sites-enabled/default

server {
    ...
    location / {
        ...
        auth_basic "Restricted Content";
        auth_basic_user_file /usr/vault/.useraccess;
    }
}

Save and close the file when you are finished. Now let's test the settings:

sudo nginx -t

Once the test is successful, restart Nginx to implement your password policy:

sudo systemctl restart nginx

The directory you specified should now be password protected.

Confirm the Password Authentication

To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt.

If you enter the correct credentials, you will be allowed to access the content. If you enter the wrong credentials or hit “Cancel”, you will see the “Authorization Required” error page.

You should now have everything you need to set up basic authentication for your site. Keep in mind that basic authentication only encodes the credentials, it does not encrypt them, so password protection should be combined with SSL/TLS encryption so that your credentials are not sent to the server in plain text.