I am trying to password protect a directory on my Nginx powered site that contains things like phpMyAdmin, MemcacheMyAdmin, and more admin utilities.
This directory is placed in the root of my site at:
domain.com/control/
The absolute path on my server is at:
/home/deployer/sites/domain.com/control/
I created a .htpasswd file in the directory by using this command:
htpasswd -c /home/deployer/sites/domain.com/control/.htpasswd admin
The file is present, is owned by the "root" user and has 0644 permissions.
In the .conf file for this domain within Nginx I use the following location block to require authentication.
location /control {
    auth_basic "Restricted Area: Control";
    auth_basic_user_file /home/deployer/sites/domain.com/control/.htpasswd;
}
When going to the password protected directory I'm prompted for a username and password. I enter my previously created credentials and I'm then presented with an error 403 forbidden page.
Access logs show me that I'm hitting the login prompt and then logging in as the "admin" user:
64.123.456.225 - - [12/May/2013:17:30:48 +0000] "GET /control HTTP/1.1" 401 597 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
64.123.456.225 - admin [12/May/2013:17:30:48 +0000] "GET /control HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
64.123.456.225 - admin [12/May/2013:17:30:59 +0000] "GET /control/memcache/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
The error logs show the following:
2013/05/12 17:31:01 [error] 30462#0: *1 directory index of "/home/deployer/sites/domain.com/control/memcache/" is forbidden, client: 64.123.456.225, server: domain.com, request: "GET /control/memcache/ HTTP/1.1", host: "domain.com"
2013/05/12 17:31:09 [error] 30462#0: *1 directory index of "/home/deployer/sites/domain.com/control/memcache/" is forbidden, client: 64.123.456.225, server: domain.com, request: "GET /control/memcache/ HTTP/1.1", host: "domain.com"
If I remove the Auth block for the Nginx .conf for that site I can then access the page like normal.
Thanks for any help!
Even though this question has its accepted answer, I still want to put another case that I have trouble with here so other people wouldn't need to struggle like me.
I got a 403 with correct credentials too. The index file is not the case, the file existence is not the case either, and the config was this:
auth_basic "some message";
auth_basic_user_file /etc/nginx/.htpasswd;
The problem here is that /etc/nginx/.htpasswd is an absolute path which actually points inside the same directory with nginx.conf. It somehow confused nginx to lookup the file. (By saying somehow, I don't fully understand how nginx couldn't just handle this because it's quite obvious that the path is absolute and nginx should just read it, so if anyone has a better explanation, please share by comments).
If I change it to:
auth_basic_user_file .htpasswd;
It worked because nginx expected to find that file in the same directory with nginx.conf.
Even if I change it to:
auth_basic_user_file /home/user/.htpasswd; #and move the file to /home/user too
It worked also because I think that the path didn't confuse nginx.
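Added example, not part of the original question or answer: a shell triage that sorts nginx error-log lines behind a 403 on an auth_basic location into "no index file" (the message in the question's error log, which is written after authentication has already succeeded), "user file could not be opened" and "bad credentials", and checks whether the user file sits under the served directory tree. The log lines are constructed (the first is modelled on the question's error log), the document root /home/deployer/sites/domain.com is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage nginx error-log lines for a 403 on an auth_basic location.
# Log lines below are constructed; the document root used is an assumption.

# classify LINE USER_FILE -> index | userfile | credentials | other
classify() {
    case "$1" in
        *'directory index of "'*'" is forbidden'*)
            echo index ;;        # auth passed; no index file and no autoindex
        *"open() \"$2\" failed ("*)
            echo userfile ;;     # nginx could not open the auth_basic_user_file
        *'was not found in "'*|*'": password mismatch'*)
            echo credentials ;;  # unknown user or wrong password
        *)  echo other ;;
    esac
}

# triage USER_FILE < error.log -> one summary line with a count per cause
triage() {
    i=0 u=0 c=0 o=0
    while IFS= read -r line; do
        case "$(classify "$line" "$1")" in
            index)       i=$((i + 1)) ;;
            userfile)    u=$((u + 1)) ;;
            credentials) c=$((c + 1)) ;;
            *)           o=$((o + 1)) ;;
        esac
    done
    echo "index=$i userfile=$u credentials=$c other=$o"
}

# in_docroot USER_FILE DOCROOT -> exit 0 if the password file is under DOCROOT
in_docroot() {
    case "$1" in "${2%/}"/*) return 0 ;; *) return 1 ;; esac
}

sample_log() {
cat <<'EOF'
2013/05/12 17:31:01 [error] 30462#0: *1 directory index of "/home/deployer/sites/domain.com/control/memcache/" is forbidden, client: 192.0.2.10, server: domain.com, request: "GET /control/memcache/ HTTP/1.1", host: "domain.com"
2013/05/12 17:32:10 [error] 30462#0: *2 open() "/home/deployer/sites/domain.com/control/.htpasswd" failed (2: No such file or directory), client: 192.0.2.10, server: domain.com, request: "GET /control/ HTTP/1.1", host: "domain.com"
2013/05/12 17:33:05 [error] 30462#0: *3 user "admin": password mismatch, client: 192.0.2.10, server: domain.com, request: "GET /control/ HTTP/1.1", host: "domain.com"
EOF
}

HTPASSWD=/home/deployer/sites/domain.com/control/.htpasswd
sample_log | triage "$HTPASSWD"
in_docroot "$HTPASSWD" /home/deployer/sites/domain.com && echo "user file is under the served tree"
```

To use it on a real log, pipe the error log into `triage` with the same path that `auth_basic_user_file` names.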