LinuxQuestions.org
Old 03-15-2019, 03:48 AM   #1
regstuff
LQ Newbie
 
Registered: Oct 2018
Distribution: Ubuntu 16.04
Posts: 17

Rep: Reputation: Disabled
.htaccess Authentication in Nginx works only on root folder and no other page


I've got an nginx server on which I've added a .htaccess password access. The relevant portion of the nginx.conf is below. When I try to access http://serverip, it throws up the login password page, as it should. Putting in the wrong password throws up an access denied page. But if I directly access any other url, for example: http://serverip/page.html, it does not restrict access. The password field comes up but I can sort of cancel it and access the page.

.htaccess is placed in the html folder where all the files are.
.htpasswd is placed in the conf folder.

Can anyone point out what I'm doing wrong?

Code:
location / {
#    types {
#        application/xslt+xml xsl;
#    }
    root html;
    index index.html index.htm index.php index.cgi;
    autoindex on;
    autoindex_exact_size off;
    autoindex_format html;
    autoindex_localtime on;
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
 
Old 03-15-2019, 09:15 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,410

Rep: Reputation: 1727
Quote:
The password field comes up but I can sort of cancel it and access the page.
Please explain what you mean by "sort of cancel"...
Are you sure that you close and re-open your browser before testing?
 
Old 03-15-2019, 10:52 AM   #3
regstuff
LQ Newbie
 
Registered: Oct 2018
Distribution: Ubuntu 16.04
Posts: 17

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bathory
Please explain what you mean by "sort of cancel"...
Are you sure that you close and re-open your browser before testing?
I mean I get the login/password box with the option to "Log In" or "Cancel". I can cancel and still access the page.
This happens even in an entirely different browser which I have never used to access that particular site.
I've attached a couple of screenshots. For the index page, I get the 401 page if I click cancel. But not for the other pages.
Attached thumbnails: index.JPG, Authentication box.JPG
 
Old 03-15-2019, 11:31 AM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,579

Rep: Reputation: 878
Quote:
Originally Posted by regstuff
I mean I get the login/password box with the option to "Log In" or "Cancel". I can cancel and still access the page.
This happens even in an entirely different browser which I have never used to access that particular site.
I've attached a couple of screenshots. For the index page, I get the 401 page if I click cancel. But not for the other pages.
Typically, once you satisfy the authentication it will persist in the browser until all instances of that browser are closed. This is a client- (browser-) side thing and not related to the web server.

So, please confirm that
1. You log in
2. You close all instances of the browser
3. You start the browser again
4. You are NOT required to log in again when accessing an "other page"
Is that what's happening?
 
Old 03-16-2019, 02:21 AM   #5
regstuff
LQ Newbie
 
Registered: Oct 2018
Distribution: Ubuntu 16.04
Posts: 17

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey
Typically, once you satisfy the authentication it will persist in the browser until all instances of that browser are closed. This is a client- (browser-) side thing and not related to the web server.

So, please confirm that
1. You log in
2. You close all instances of the browser
3. You start the browser again
4. You are NOT required to log in again when accessing an "other page"
Is that what's happening?
No that's not what's happening. This is the workflow:
1. I open a browser, which has never been used to access the site.
2. I enter the url http://serverip/somepage.html directly in the browser
3. Authentication box shows up with two buttons: Log In & Cancel.
4. I click Cancel and the page still loads, though I do not want it to under such a circumstance. I want it to throw a 401 error if the user doesn't supply a login & pass or supplies the wrong password.
 
Old 03-16-2019, 04:22 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,410

Rep: Reputation: 1727
Quote:
Originally Posted by regstuff
No that's not what's happening. This is the workflow:
1. I open a browser, which has never been used to access the site.
2. I enter the url http://serverip/somepage.html directly in the browser
3. Authentication box shows up with two buttons: Log In & Cancel.
4. I click Cancel and the page still loads, though I do not want it to under such a circumstance. I want it to throw a 401 error if the user doesn't supply a login & pass or supplies the wrong password.
What browser are you using? MS Edge?
Because the 2nd screenshot doesn't look familiar.
Did you try firefox, or chrome?
 
Old 03-16-2019, 04:46 AM   #7
regstuff
LQ Newbie
 
Registered: Oct 2018
Distribution: Ubuntu 16.04
Posts: 17

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bathory
What browser are you using? MS Edge?
Because the 2nd screenshot doesn't look familiar.
Did you try firefox, or chrome?
This is Chrome on Windows 10. Version 61.0.3163.100 (Official Build) (64-bit)
Firefox also does the same thing. Should I post a screenshot of that?
 
Old 03-16-2019, 05:34 AM   #8
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,062
Blog Entries: 7

Rep: Reputation: 2793
Quote:
Originally Posted by regstuff
Code:
location / {
    root html;
    index index.html index.htm index.php index.cgi;
    autoindex on;
    autoindex_exact_size off;
    autoindex_format html;
    autoindex_localtime on;
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
ok first of all i was thrown off by your usage of .htaccess, which is a file name usually associated with apache, not nginx.
it doesn't really matter how you call the file containing the passwords, but obviously it should NOT reside under your html root.
since we cannot find a straight answer to your problem, you need to play with the config.
imo there's too much stuff.
do you need the autoindexes? try commenting them out.
what is "root html;" supposed to do?
try commenting it out.

remember that you have to restart nginx every time you change the configuration!!!

fwiw, i have a restricted area and the config looks like this:
Code:
location /restricted {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/auth/something;
    index index.php index.html;
}
that's all.
 
Old 03-16-2019, 07:06 AM   #9
regstuff
LQ Newbie
 
Registered: Oct 2018
Distribution: Ubuntu 16.04
Posts: 17

Original Poster
Rep: Reputation: Disabled
I've cut it down to this but the behaviour is still the same after restarting nginx.

Code:
location / {
    index index.html index.htm index.php index.cgi;
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
If it helps debug, below is the full config for the http section. There's a bit more in the config file relevant to the NGINX-rtmp module, which I have not included here.

Code:
http {
    access_log          logs/http_access.log;
    include             mime.types;
    default_type        application/octet-stream;
    sendfile            on;
    keepalive_timeout   65;

    server {
        listen      80;
        server_name localhost;

        # rtmp statistics
        location /stat {
            rtmp_stat all;
            rtmp_stat_stylesheet stat.xsl;
            allow 127.0.0.1;
        }

        location /stat.xsl {
            root html;
        }

        # HLS Segment
        location /live {
            types {
                application/vnd.apple.mpegurl m3u8;
                video/mp2t ts;
            }
            alias /usr/local/nginx/html/hls;
            add_header Cache-Control no-cache;
        }

        location / {
            index index.html index.htm index.php index.cgi;
            auth_basic "Restricted Content";
            auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        # rtmp control
        location /control {
            rtmp_control all;
            # Enable CORS
            add_header Access-Control-Allow-Origin * always;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
 
Old 03-16-2019, 11:53 AM   #10
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,410

Rep: Reputation: 1727
Quote:
Originally Posted by regstuff
This is Chrome on Windows 10. Version 61.0.3163.100 (Official Build) (64-bit)
Firefox also does the same thing. Should I post a screenshot of that?
What happens if you use a command line browser like links (or lynx)?
 
Old 03-17-2019, 02:35 AM   #11
regstuff
LQ Newbie
 
Registered: Oct 2018
Distribution: Ubuntu 16.04
Posts: 17

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bathory
What happens if you use a command line browser like links (or lynx)?
Using w3m http://serverip gives me a prompt at the bottom 'Username for Restricted Content:' and then a 'Password for Restricted Content:'
If the authentication is wrong it gives a 401 page.

Using w3m http://serverip/page.html goes directly to the page without any prompt and opens the page.
 
Old 03-17-2019, 05:16 AM   #12
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,410

Rep: Reputation: 1727
Quote:
Originally Posted by regstuff
Using w3m http://serverip gives me a prompt at the bottom 'Username for Restricted Content:' and then a 'Password for Restricted Content:'
If the authentication is wrong it gives a 401 page.

Using w3m http://serverip/page.html goes directly to the page without any prompt and opens the page.
D'oh, try the following and see if it helps:
Code:
location ^~ / {
    index index.html index.htm index.php index.cgi;
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
 
Old 03-17-2019, 01:55 PM   #13
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,062
Blog Entries: 7

Rep: Reputation: 2793
bathory, what does the '^~ /' do? how does that differ from '/'?

Quote:
Originally Posted by regstuff
I've cut it down to this but the behaviour is still the same after restarting nginx.

Code:
location / {
    index index.html index.htm index.php index.cgi;
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
are you saying that you temporarily replaced the site config with only this, and restarted nginx?

are you also saying that the behaviour is the same with w3m? not sure i understood.

always make sure that your browser has destroyed all relevant cookies before trying again.
i just did that manually on my browser and it still allowed me to access the site without entering a password... the only thing that really helps, it would seem, is to tell your (mozilla) browser to delete cookies on shutdown.
although your problem sounds like a different one, but need to eliminate all possibilities regardless.
 
Old 03-17-2019, 04:14 PM   #14
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,410

Rep: Reputation: 1727
Quote:
Originally Posted by ondoho
bathory, what does the '^~ /' do? how does that differ from '/'?
You should take a look at the location directive
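
An added illustration, not posted by anyone in the thread: nginx's documented location-selection order applied to the location blocks from the config in post #9, reporting whether the selected block carries auth_basic, for both `location /` and the `location ^~ /` variant from post #12. The sample URIs are constructed; internal redirects (such as `index`) and nested locations are not modeled.

```python
import re

# Location blocks from the server{} in post #9: (modifier, pattern, has_auth_basic).
# Only "location /" sets auth_basic; sibling locations do not inherit from it.
POSTED = [
    ("",  "/stat",     False),
    ("",  "/stat.xsl", False),
    ("",  "/live",     False),
    ("",  "/",         True),
    ("~", r"\.php$",   False),
    ("",  "/control",  False),
    ("=", "/50x.html", False),
]

def select_location(uri, locations):
    """Return the (modifier, pattern, has_auth) entry nginx would select for uri."""
    # 1. An exact "=" match wins immediately.
    for loc in locations:
        if loc[0] == "=" and loc[1] == uri:
            return loc
    # 2. Remember the longest matching prefix location ("" or "^~").
    prefixes = [l for l in locations if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    # 3. "^~" on that longest prefix suppresses the regex pass.
    if best and best[0] == "^~":
        return best
    # 4. Otherwise the first matching regex, in config order, wins.
    for loc in locations:
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    # 5. No regex matched: fall back to the remembered prefix location.
    return best

def auth_required(uri, locations=POSTED):
    """True if the block selected for uri is the one that sets auth_basic."""
    loc = select_location(uri, locations)
    return bool(loc and loc[2])

def with_caret_tilde(locations):
    """Variant from post #12: 'location ^~ /' in place of 'location /'."""
    return [("^~", p, a) if (m, p) == ("", "/") else (m, p, a) for m, p, a in locations]

if __name__ == "__main__":
    # Constructed sample URIs, not taken from the thread's server.
    for uri in ["/", "/page.html", "/stat", "/stat.xsl", "/live/a.ts", "/index.php"]:
        print(f"{uri:12} posted={auth_required(uri)} "
              f"caret={auth_required(uri, with_caret_tilde(POSTED))}")
```

Declaring auth_basic at the server level rather than inside `location /` makes every location inherit it unless a block sets `auth_basic off`.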
 
Old 03-18-2019, 02:51 AM   #15
regstuff
LQ Newbie
 
Registered: Oct 2018
Distribution: Ubuntu 16.04
Posts: 17

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bathory
D'oh, try the following and see if it helps:
Code:
location ^~ / {
    index index.html index.htm index.php index.cgi;
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/nginx/conf/.htpasswd;
}
Still not having any luck. Shows the same behavior as earlier.

Quote:
are you saying that you temporarily replaced the site config with only this, and restarted nginx?

are you also saying that the behaviour is the same with w3m? not sure i understood.

always make sure that your browser has destroyed all relevant cookies before trying again.
i just did that manually on my browser and it still allowed me to access the site without entering a password... the only thing that really helps, it would seem, is to tell your (mozilla) browser to delete cookies on shutdown.
although your problem sounds like a different one, but need to eliminate all possibilities regardless.
Yes I replaced my site config with this and restarted nginx. The behavior did not change.

Yes the behavior is the same even with w3m. Bathory had asked me to check with a command-line browser.

This is on a VM. It's just a basic webpage and does not set any cookies at all. I've checked the cookie list on the browser and even opened the site on a completely different PC, which was never used to access this page. Same behavior.

If it helps, here's the website's ip. There's nothing sensitive here and I can change the ip tomorrow. And also edit this post to remove the ip.
Try opening http://********/ --> You should get the Login/pass prompt
Try opening http://********/*** --> You should be able to see it even without entering the login/pass. It's just a stats page.
Please note that https will not work, so please make sure the address is http.

Last edited by regstuff; 03-19-2019 at 01:42 AM. Reason: Removing ip as problem has been solved.
 
  


Tags: htaccess, nginx