nginx - htpasswd

bmimatt · Nov 30, 2012

Hi all,

I am not sure if this is the right forum to ask. If not - please delete.

I am running nginx 1.2.5 on several 8.3 amd64 systems.
I have been hitting my head against the wall of protecting directories with user/pass as I would using .htaccess/.htapsswd with Apache.

Nginx says I need 'HttpAuthBasicModule' but I am not able to find it in the option I am presented with when configuring the port (www/nginx).

Here are the options I have compiled in, any help will be appreciated:

Code:

# cat /var/db/ports/nginx/options 
# This file is auto-generated by 'make config'.
# Options for nginx-1.2.5,1
_OPTIONS_READ=nginx-1.2.5,1
_FILE_COMPLETE_OPTIONS_LIST= DEBUG DEBUGLOG FILE_AIO IPV6 GOOGLE_PERFTOOLS HTTP HTTP_ADDITION HTTP_CACHE HTTP_DAV HTTP_FLV HTTP_GEOIP HTTP_GZIP_STATIC HTTP_IMAGE_FILTER HTTP_PERL HTTP_RANDOM_INDEX HTTP_REALIP HTTP_REWRITE HTTP_SECURE_LINK HTTP_SSL HTTP_STATUS HTTP_SUB HTTP_XSLT MAIL MAIL_IMAP MAIL_POP3 MAIL_SMTP MAIL_SSL WWW CACHE_PURGE CTPP2 ECHO HEADERS_MORE HTTP_ACCEPT_LANGUAGE HTTP_ACCESSKEY HTTP_AUTH_DIGEST HTTP_AUTH_LDAP HTTP_AUTH_PAM HTTP_AUTH_REQ HTTP_DAV_EXT HTTP_EVAL HTTP_FANCYINDEX HTTP_GUNZIP_FILTER HTTP_MOGILEFS HTTP_NOTICE HTTP_PUSH HTTP_REDIS HTTP_RESPONSE HTTP_SUBS_FILTER HTTP_UPLOAD HTTP_UPLOAD_PROGRESS HTTP_UPSTREAM_FAIR HTTP_UPSTREAM_HASH HTTP_UPSTREAM_STICKY HTTP_ZIP ARRAYVAR CHUNKIN DRIZZLE ENCRYPTSESSION FORMINPUT GRIDFS ICONV LET LUA MEMC NAXSI PASSENGER POSTGRES RDS_CSV RDS_JSON REDIS2 RTMP SET_MISC SFLOW SLOWFS_CACHE SRCACHE SUPERVISORD SYSLOG_SUPPORT TCP_PROXY UDPLOG XRID_HEADER XSS VIDEO HTTP_MP4 HTTP_MP4_H264
OPTIONS_FILE_SET+=DEBUG
OPTIONS_FILE_SET+=DEBUGLOG
OPTIONS_FILE_SET+=FILE_AIO
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_SET+=GOOGLE_PERFTOOLS
OPTIONS_FILE_SET+=HTTP
OPTIONS_FILE_SET+=HTTP_ADDITION
OPTIONS_FILE_SET+=HTTP_CACHE
OPTIONS_FILE_UNSET+=HTTP_DAV
OPTIONS_FILE_SET+=HTTP_FLV
OPTIONS_FILE_SET+=HTTP_GEOIP
OPTIONS_FILE_SET+=HTTP_GZIP_STATIC
OPTIONS_FILE_SET+=HTTP_IMAGE_FILTER
OPTIONS_FILE_UNSET+=HTTP_PERL
OPTIONS_FILE_UNSET+=HTTP_RANDOM_INDEX
OPTIONS_FILE_SET+=HTTP_REALIP
OPTIONS_FILE_SET+=HTTP_REWRITE
OPTIONS_FILE_SET+=HTTP_SECURE_LINK
OPTIONS_FILE_SET+=HTTP_SSL
OPTIONS_FILE_SET+=HTTP_STATUS
OPTIONS_FILE_UNSET+=HTTP_SUB
OPTIONS_FILE_UNSET+=HTTP_XSLT
OPTIONS_FILE_UNSET+=MAIL
OPTIONS_FILE_UNSET+=MAIL_IMAP
OPTIONS_FILE_UNSET+=MAIL_POP3
OPTIONS_FILE_UNSET+=MAIL_SMTP
OPTIONS_FILE_UNSET+=MAIL_SSL
OPTIONS_FILE_SET+=WWW
OPTIONS_FILE_SET+=CACHE_PURGE
OPTIONS_FILE_UNSET+=CTPP2
OPTIONS_FILE_UNSET+=ECHO
OPTIONS_FILE_SET+=HEADERS_MORE
OPTIONS_FILE_UNSET+=HTTP_ACCEPT_LANGUAGE
OPTIONS_FILE_SET+=HTTP_ACCESSKEY
OPTIONS_FILE_SET+=HTTP_AUTH_DIGEST
OPTIONS_FILE_SET+=HTTP_AUTH_LDAP
OPTIONS_FILE_SET+=HTTP_AUTH_PAM
OPTIONS_FILE_SET+=HTTP_AUTH_REQ
OPTIONS_FILE_UNSET+=HTTP_DAV_EXT
OPTIONS_FILE_SET+=HTTP_EVAL
OPTIONS_FILE_UNSET+=HTTP_FANCYINDEX
OPTIONS_FILE_SET+=HTTP_GUNZIP_FILTER
OPTIONS_FILE_UNSET+=HTTP_MOGILEFS
OPTIONS_FILE_UNSET+=HTTP_NOTICE
OPTIONS_FILE_SET+=HTTP_PUSH
OPTIONS_FILE_UNSET+=HTTP_REDIS
OPTIONS_FILE_SET+=HTTP_RESPONSE
OPTIONS_FILE_UNSET+=HTTP_SUBS_FILTER
OPTIONS_FILE_SET+=HTTP_UPLOAD
OPTIONS_FILE_SET+=HTTP_UPLOAD_PROGRESS
OPTIONS_FILE_SET+=HTTP_UPSTREAM_FAIR
OPTIONS_FILE_SET+=HTTP_UPSTREAM_HASH
OPTIONS_FILE_SET+=HTTP_UPSTREAM_STICKY
OPTIONS_FILE_SET+=HTTP_ZIP
OPTIONS_FILE_SET+=ARRAYVAR
OPTIONS_FILE_SET+=CHUNKIN
OPTIONS_FILE_UNSET+=DRIZZLE
OPTIONS_FILE_SET+=ENCRYPTSESSION
OPTIONS_FILE_SET+=FORMINPUT
OPTIONS_FILE_UNSET+=GRIDFS
OPTIONS_FILE_SET+=ICONV
OPTIONS_FILE_UNSET+=LET
OPTIONS_FILE_UNSET+=LUA
OPTIONS_FILE_SET+=MEMC
OPTIONS_FILE_UNSET+=NAXSI
OPTIONS_FILE_UNSET+=PASSENGER
OPTIONS_FILE_UNSET+=POSTGRES
OPTIONS_FILE_UNSET+=RDS_CSV
OPTIONS_FILE_UNSET+=RDS_JSON
OPTIONS_FILE_UNSET+=REDIS2
OPTIONS_FILE_UNSET+=RTMP
OPTIONS_FILE_SET+=SET_MISC
OPTIONS_FILE_SET+=SFLOW
OPTIONS_FILE_SET+=SLOWFS_CACHE
OPTIONS_FILE_SET+=SRCACHE
OPTIONS_FILE_UNSET+=SUPERVISORD
OPTIONS_FILE_UNSET+=SYSLOG_SUPPORT
OPTIONS_FILE_SET+=TCP_PROXY
OPTIONS_FILE_UNSET+=UDPLOG
OPTIONS_FILE_SET+=XRID_HEADER
OPTIONS_FILE_SET+=XSS
OPTIONS_FILE_UNSET+=VIDEO
OPTIONS_FILE_UNSET+=HTTP_MP4
OPTIONS_FILE_UNSET+=HTTP_MP4_H264

Thanks,
Matt

Beeblebrox · Nov 30, 2012

Not going to happen in nginx:
http://wiki.nginx.org/Talk:NginxFeatureRequests

Further Explanation:

Q: When will nginx have .htaccess-like functionality from Apache?
Answer: Never
Why: Give additional examples why this is needed? In PHP 5.3, this is built-in, not to mention using htscanner from PECL. Major lacking thing is allowing users to define their own protected directories. Server-level configuration is not very friendly for that.

Nginx seems to have very fast development and it would probably be worth your time to read the documentation (and different authentication types available).

Morte · Nov 30, 2012

bmimatt said:
I have been hitting my head against the wall of protecting directories with user/pass as I would using .htaccess/.htapsswd with Apache.

Are you having problems password protecting directories, or doing it the way Apache does it? It's built into the Nginx http module, you just need to add an auth_basic and auth_basic_user_file to a location directive. If you mean, can you have .htpasswd files strewn all over the system that are automatically picked up? As Beeblebrox says, Nginx doesn't do it that way.

bmimatt · Nov 30, 2012

Hi,

I guess a clarification is in order.
I do not care about Apache-style .htaccess files per se. I need to password protect some directories and the procedure described here: http://wiki.nginx.org/HttpAuthBasicModule simply does not work for me.

I do have a working .htpasswd (created with Apache's htpasswd util), the path specified with 'auth_basic_user_file' is correct, yet no dice.

Also, this is not my first install of nginx and I had no such problems with the previous ones - the config directives are the same in both working and non-working configs. The working ones are several version points older though.

Here's what I have (domain name anonymized):

Code:

location ^~ /admin/ {
     auth_basic "Please Login";
     auth_basic_user_file /export/www/domain.tld/.htpasswd-adm;
 }

Cheers,
Matt

Morte · Nov 30, 2012

That looks correct to me. I'd try to return a 403 in that block and confirm that the location directive is catching it properly. Also check the file permissions on .htpasswd-adm. The nginx worker process needs permission to read this file. I'm not sure if that directory is a webroot or where your just keeping the config, but if it's in the website root nginx will serve it up which could be a security problem. You may want to move it out of the path or ensure nginx refuses to serve it up if that's the case or you haven't already done so.

bmimatt · Dec 1, 2012

I've solved it. It turns out that the location in question needed root, even though the same root has already been defined in the enclosing server scope.

Here's the final working block, in case someone runs into similar issues:

Code:

 location ^~ /admin/ {
        auth_basic "Please Login";
        auth_basic_user_file /export/www/domain.tld/.htpasswd-adm;
	root /export/www/domain.tld/html;
	include php.conf;
 }

Thank you guys for your insight.

Cheers,
Matt

nginx - htpasswd

bmimatt

Beeblebrox

Morte

bmimatt

Morte

bmimatt