How to Password Protect Nginx with Basic Authentication
Howto & Style
Learn how to use auth_basic to password protect your Nginx website or a directory with basic HTTP authentication.
Code snippets and more at tonyteaches.tech/basic-authen...
Check out my vlog channel @TonyFlorida
#nginx #basicauth
Comments: 36
Nice tutorial, thanks. Looking forward to seeing other authentication types from you!
@TonyTeachesTech
3 years ago
Awesome, thank you Eugene
Very nice and useful tutorial, as usual! Thanks a lot!
@TonyTeachesTech
2 years ago
You are welcome!
Great Tutorial. Thanks!
@TonyTeachesTech
2 years ago
You’re welcome!
Hello Tony, thank you so much for your tutorial! I have one issue though: I am trying to set up server-side protection for my WordPress websites' login page and I am having a hard time finding the right directory. I set up WordPress with your tutorial on AWS EC2. There is also a comment on your video from someone having the same issue as me.
Thank you, this is very cool and useful. I am adding fail2ban alongside my nginx basic auth config, perhaps you could do an update to this video or a tutorial on fail2ban.
How would this look in a case where you want a subdomain to be password protected instead of a location?
Hey Brother, I have an exactly similar conf file. The only requirement is that when auth fails, it will have a JSON response, which I need to transfer back to the client... Any idea?
nice video. but when you said apache my heart dropped
Quick comment: can you just run 'service nginx reload' for the same effect? In case you have multiple sites and don't want a second of downtime... Just don't forget to run 'nginx -t' first, to test your configuration files, if there are no problems.
@TonyTeachesTech
3 years ago
Oh yes, reload is many times a better option than restart!
Nice tutorial! Thanks for the tips. Just one question: if it wasn't "basic", what other security measures could you implement server side with that same structure? (not considering application side measures)
@TonyTeachesTech
3 years ago
In regards to server-level security, I'll have a full video on this topic next month so please stay tuned for that
@viniguerrero
3 years ago
@TonyTeachesTech awesome, looking forward to it! Been using this with docker and yours was the only tutorial I was able to learn properly, thanks Tony!
What if I wanted to protect a port number + directory? e.g. instead of "location /admin..." something like " :9090/prometheus...." ?
@TonyTeachesTech
3 years ago
The same instructions in this tutorial will still apply. You can just change the port that the web server is listening on to 9090
Hi Tony, I have followed all your instructions, created the files in the right location, saved everything, restarted the server and nothing happened haha, no dialog box to enter a password and nothing is password protected. Any advice on how to troubleshoot the issue?
@TonyTeachesTech
3 years ago
I don't know. If you followed verbatim, it should work. When you restart nginx, you didn't get an error did you? Try nginx -t
hi, is there any way to change the login area? or make a custom login page?
@TonyTeachesTech
3 years ago
Not that I know of
How to achieve this on an OpenLiteSpeed server? Also, one more question, off-topic, but I would like your opinion... So my question is: which is better, if I just simply hide the wp-admin page using a plugin, or use something like the Fail2Ban service and put those attackers who are trying to brute-force the wp-admin page in JAIL?
@TonyTeachesTech
3 years ago
Hi Manish. I'd have to research how to do this with OpenLiteSpeed... I'm not sure at this point. As for your question, I think a combination of changing the wp-admin URL in combination with Fail2Ban would be your best option. Why not implement both?
@dev_manish
3 years ago
@TonyTeachesTech I am confused. If I just remove or change the URL, then wouldn't it be redundant to use Fail2Ban, since the URL for the page is already changed? How would anyone brute force it?
@TonyTeachesTech
3 years ago
@dev_manish I would not consider that redundant. Moving the URL does not mean that a hacker won't find it. You're just obscuring it by moving it. In case the hacker does find your URL, Fail2Ban will lock them out after a certain number of failed logins.
@dev_manish
3 years ago
@TonyTeachesTech Thanks Tony
As I know HTTP Basic Authentication system is literally insecure, cuz its cryptography algo is based on Base64 that as u know it's so easy to crack its hash, so I do NOT think anyone still uses this auth sys, it could be hacked so easily
great tutorial. only downside was you use mac and not linux on your laptop :(
@TonyTeachesTech
3 years ago
Maybe one day :)
it doesn't work as you explain before you need to prepare "admin area" ... bad tutorial incomplete, hide info, = dislike!
@TonyTeachesTech
3 years ago
Hi Carlos. If I understand you correctly, the admin area is just a sample page on my website that I'm using as a demonstration. There's not much to prepare here other than creating this page or if you already have a page on your website that you want to protect, simply use that page instead.
@salaopen-official
3 years ago
@TonyTeachesTech thanks for the explanation
How do I make this for wp-login.php? I tried with location /wp-login.php { try_files $uri $uri/ =404; auth_basic "admin area"; auth_basic_user_file /etc/nginx/.htpasswd; } Doesn't work
Hello, I was looking at your video channel. We may be helping a company that uses secure images to increase supply chain security and help cloud native development. Would you be willing to help try their software, make a video, and help show devs how to use their tools? This is not an offer, but just to start a conversation about your willingness to take on sponsorship. Please provide me with your email if you are interested. You'd have a chance to look at their technology and decide if it's the type of software that you'd be interested in covering in your channel.