Password protected Nginx routes

Image by Steve Buissinne from Pixabay

With Nginx, it's possible to limit access to certain routes by requiring authentication. When navigating to that webpage route, the user will be prompted by a browser popup asking for a valid username and password.

In this article, I will give a step-by-step guide on how to configure a quick and dirty route in Nginx secured by basic auth on a Debian-based host.

Password file

The authentication is verified against a file containing a username and a password hash. Use the htpasswd tool to create a new password file containing the username stanley and the associated password hash.

To use the htpasswd tool, you need to install the apache2-utils package that contains it.

sudo apt install apache2-utils

Once installed, you can use the htpasswd tool to create the password file.

sudo htpasswd -BcC 12 /etc/nginx/.htpasswd stanley
New password:
Re-type new password:
Adding password for user stanley

The password is hashed with the bcrypt algorithm (-B) at a cost of 12 (-C 12). This hashing algorithm is a lot more secure than the default Apache-modified MD5 algorithm.

The password file will look something like this:

.htpasswd
stanley:$2y$12$Ez1VF27SXqWQlOX7KCG6S.ZwLOgegMnhw2/pfI5eXlA8Tep/gRRv6
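
To check which scheme each entry in a password file actually uses, the following added example (not code from the original article) reports the hash type per user and flags anything weaker than bcrypt at the cost used here. The function names, the minimum cost of 12 as a policy, and the two extra sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the hash scheme of each entry in an htpasswd file.
# The default minimum cost of 12 mirrors the -C 12 used above (assumed policy).

# classify_hash HASH MIN_COST -> prints "ok ...", "weak ..." or "review ..."
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*)
            # bcrypt layout: $2y$<cost>$<salt+hash>; cost is field 3 split on '$'
            cost=$(printf '%s' "$1" | cut -d'$' -f3)
            case "$cost" in
                ''|*[!0-9]*) echo "review malformed-bcrypt" ;;
                *) if [ "$cost" -ge "$2" ]; then echo "ok bcrypt cost=$cost"
                   else echo "weak bcrypt cost=$cost"; fi ;;
            esac ;;
        '$apr1$'*) echo "weak apr1-md5" ;;           # htpasswd's default scheme
        '{SHA}'*)  echo "weak sha1-unsalted" ;;      # htpasswd -s
        *)         echo "review unrecognised-scheme" ;;
    esac
}

# audit_htpasswd [MIN_COST] < file -> one "user verdict" line per entry;
# returns 1 if any entry is not "ok".
audit_htpasswd() {
    min=${1:-12}; rc=0
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac    # skip blanks and comments
        verdict=$(classify_hash "$hash" "$min")
        echo "$user $verdict"
        case "$verdict" in ok*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample file: the first line is the one shown in this article,
# the other two are made-up entries (not real hashes).
sample_htpasswd() {
    cat <<'EOF'
stanley:$2y$12$Ez1VF27SXqWQlOX7KCG6S.ZwLOgegMnhw2/pfI5eXlA8Tep/gRRv6
legacy:$apr1$CONSTRUCTED$notARealHashJustAnExample0
lowcost:$2y$05$CONSTRUCTEDnotARealHashJustAnExampleValue0000000000000
EOF
}

sample_htpasswd | audit_htpasswd 12 || echo "weak entries found"
```

Against a real file, run it as `sudo sh -c '. ./audit.sh; audit_htpasswd 12 < /etc/nginx/.htpasswd'`, where audit.sh is a hypothetical name for the saved script.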

Create secret content

In this example, I created a folder containing a file with some silly PoC text.

sudo mkdir -p /var/www/www.haxor.no/secret/folder
echo "This is supersecret stuff!" | sudo tee /var/www/www.haxor.no/secret/folder/test.txt
sudo chmod a+r /var/www/www.haxor.no/secret/folder/test.txt

The last line in the terminal dump above gives everyone on the system read permission to the test.txt file. In a real-world situation, you should instead change the ownership of the file to the user that Nginx runs as.

Virtual Host config

Once the password file and the secret content are created, the Nginx virtual host has to be configured.

sudo vim /etc/nginx/sites-available/haxor.no.conf
/etc/nginx/sites-available/haxor.no.conf
...
location /secret/ {
    alias /var/www/www.haxor.no/secret/folder/;
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;
    autoindex on;
}
...

The location /secret/ is the URL path to the secret folder, with the actual file path on disk given by the alias. The auth_basic directive sets the name shown for the protected route, and "autoindex on;" makes the content of the directory listable, like in a file explorer.

Save and close the file, test the configuration, and restart Nginx to apply the changes.

sudo nginx -t
sudo systemctl restart nginx

Testing the route

Now that you have a password-protected route, you can access your files by navigating to it in a browser. You will be prompted to enter your username and password. Once authenticated, you will be presented with a folder-like view of your secret folder.

firefox http://haxor.test/secret

Congratulations, you now have a route secured by basic authentication 🎉