Protecting Content on Linux: Password-Protecting with Nginx

Nowadays, in the digital world probably the most crucial thing is safety. There are lots of online risks that might be related to huge businesses as well as regular users. The security leakages can lead to huge consequences when talking about businesses and their sensitive information. In this article, we will discuss everything connected with password protection in Nginx.

Nginx is an extremely popular server software that can be used for caching, reverse proxy, and load balancing. This web server is a great variant for robust security, but there are a couple of additional approaches to make the system even more protected. For instance, you can set up a basic authentication.

We will discuss the most fundamental approaches for password-protecting with Nginx and specifically we will orient into the creation of a password file, installation of Apache Utils, and config of the server block. Also, you will get other additional recommendations so let’s dive into the process.

Basic User Authentication Setup

Prior to the discussion of the authentication setup, you should have:

-        Nginx server. Check whether Nginx is properly installed and functioning on the server. In case, you don’t have this software on the server, you can easily install it by following the usual guide in the Nginx doc.

-        Basic knowledge of Nginx. It is recommended to clearly understand the fundamentals of directives, server blocks, and generally Nginx config.

To protect the content on your Nginx server, you should better start with the setup of the authentication. This process includes several steps such as the creation of a password file, installation of Apache Utils, and configuration of the server block.

We highly recommend reviewing a couple of online courses so that you will get the basic skills within this process, by spending some time on certification, you can become a good expert in this field, and in the meanwhile, here are some crucial steps for proper password management.  

Apache Utilities Installation for Password Management

First, you need to identify whether all the needed tools are already installed on your server. Apache Utilities are needed for the generation of the password hashes.

To begin with, you should update the package manager of the system, by using the following command:

sudo apt update

After the update, start the installation of Apache Utils with the next line:

sudo apt install apache2-utils

The process of installation is as simple as one command and the necessary tool is ready for usage on your Nginx server.

Password File Creation

The password file is needed for the storage of the credentials for the authentication. The htpasswd utility will be used for the generation of the password hash. For the updating of the current file or creation of the new one, use the following line:

sudo htpasswd -c /.././…/.. name

In the above-mentioned command, you should change c /.././…/.. with the real info where you need to store the file, and name should be changed to the needed username.

Once this is done, you will need to enter/confirm the password, and then utility starts the generation of the password hash and adds it to the file.

One more thing to keep in mind, if you are not creating but updating the current file, then you will need to exclude -c flag.   

Nginx Server Block Configuration for Authentication

Now that we have already completed the file creation, let’s proceed to the configuration for authentication. To start this process, you need to enter Nginx config file in the editor like this:

sudo nano /etc/nginx/nginx.conf

Once in the file, you need to find the server block that is in the web directory you need to protect. As a rule, this block can be located in the server { ... } part. In this section, add the next characteristic:

location / {
   auth_basic "Restricted Access";
   auth_basic_user_file /.././…/..;
}

This section - /.././…/.. should be replaced with the actual path to the file creation which we have discussed in this article as well. When you have filled in all the details properly, then the users will see authentication where they will need to enter credentials.

One more thing to remember for the changes to be saved, you need to exit the editor and press the save button and after that restart Nginx by the following command:

sudo service nginx restart

The last important step to remember is to test if everything works properly by entering the website and inserting a username and password.

Advanced Authentication Options

The usage of the basic authentication practice is already beneficial for protection reasons, however, you can add more layers with the advanced options. The advanced variants for the authentication are considered to be more flexible and the most standard are external authentication system integration and custom login interface implementation.  

Custom Login Interface Implementation

Custom login interface implementation is a great option with the help of which you can create a more user-friendly experience by redirecting your users to the branded login page. The process will be almost the same as with the standard authentication, the users should validate their login/password.

To start this process, you need to actually create a custom HTML login form and after that, you will need to save the file dhdh.html (instead of this file you need to fill in the valid HTML login file) in the needed directory. The next step will be the update of the Nginx config by adding the following:

 location / {th
   error_page 401 =200 /​dhdh.html;
   auth_request /auth;
   auth_request_set $auth_status $upstream_status;
   error_page 403 =200 /​dhdh.html;
}
 
location = /auth {
   internal;
   proxy_pass http://localhost:8000/auth;  # Change to the authentication script endpoint
   proxy_pass_request_body off;
   proxy_set_header Content-Length "";
   proxy_set_header X-Original-URI $request_uri;
}

The authentication script can be written in any programming language of your choice including Python and PHP, it should verify the credentials and show 200 if the credentials are authorized and 401 in case they are not. Test whether the directory is accessible in the web browser.

External Authentication System Integration

For those who have already got an external authentication server, you can easily integrate with Nginx. This approach is extremely helpful for the centralized authentication and user management. When using this system integration, it becomes so much easier to scale across several apps.

Enter settings of Nginx and configure it as a reverse proxy so that the authentication requests will be redirected to the external server. After that it is required to update Nginx config by changing the server block as mentioned below:

location / {
   proxy_pass http://sdf;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header X-Original-URI $request_uri;
}

Change http://sdf this address into the real external server URL. The external server should be appropriately configured in order to deal with incoming requests checking passwords/login, and showing the right responses. After the completion of the process, use the browser for the testing of the access.   

Key Considerations and Best Practices

Once, you have finished with the above-discussed strategies and testing of all the processes, you can protect your server even more and we will share a couple of helpful practices in this part of the article. Here, we will mention the key considerations that can significantly influence the protection of the data, and what is more importantly these practices are fairly easy as for the implementation.  

HTTPS Activation for Secure Connections

For the additional protection of sensitive information, it is crucial to implement encryption and TLS/SSL certificate. By following this practice, you can activate HTTPS for the more secure connections for those who try to enter protected directories.

Password Security Enhancement

To improve the security even more, you should inform the users about the choice of complex passwords and regular changing of the passwords in order to maximize protection. One more crucial factor is the security of the password file or external server, try to make sure that there won’t be any unauthorized accesses.

Access Monitoring and Logging

Monitoring of the logging attempts and tracking of the potential risks is highly important. Access tracking should be regular in order to get the maximum result and better protection. There are a diversity of automatic tools that can simplify the process.

Regular System Updates and Patches

Don’t neglect the updates of the software and regularly apply them to exclude all possible security vulnerabilities so that you can be sure of the security of your server.

Access Control Management

To add even more protection, you can blacklist or whitelist specific IP addresses so that only specific users can access the system. Such practice minimizes the risks of unauthorized access even more and control all the accesses.

User Education on Security

The security of all the processes is tightly connected with their awareness of all the consequences and risks that are connected with sharing of your credentials or not reacting to suspicious activity. That’s why users should be adequately educated about all the possible security concerns.

Conclusion

Just by following major practices that we have shared in this article; you can significantly improve the protection of content on your Linux server. Password protection is a key practice and when neglecting it you are increasing the chances of unauthorized access.