Password lock site except for certain routes running nginx - nginx

We have a server we don't want Google to index or anyone else to get access to unless they have a password.
How can I directory lock the entire server except for very specific routes used by external scanning services?
For instance, example.com/test should output a response from the framework without blocking but any other URL should ask for a password to get any content response.
I know how to do this with Apache using .htpasswd, but I need to be able to do it on nginx while whitelisting a specific route.

This will enable /test/ to respond without needing any authentication and every other request will need authentication.
server {
auth_basic "Administrator Login";
auth_basic_user_file /var/www/static/.htpasswd;
location /test/ {
auth_basic off;
}
}

Like this:
server {
...
auth_basic "Enter password";
auth_basic_user_file path/to/htpasswd;
location /test/ {
auth_basic off;
}
}

Related

Nginx: protect all but one url

I have try a few examples but all return almost the same, I want to password protect everything after .com/, problem is there are no "static" files, the server is Tomcat with nginx, the app is build on play framework.
The whole idea is that everything has to be password protected except for one url.
.com/service/contact {has to be protected}
.com/categories/service/contact {protected}
.com/service/jp/ {protected}
.com/service/jp/allo {Public not protected}
server {
...
auth_basic "Restricted Access"
auth_basic_user_file path_to_basic/password_protection
location ~^/service/jp/allo/ {
auth_basic off;
allow all;
satisfy all;
try_files $uri $uri/ =404;
}
}
With that the first part is working which is to protect everything, but not the second part which to leave one url as public, in my case is returning a 404 error, not a custom 404 but an internal default 404.The url's are "virtal" no actual folder exist, the server is using rewrite for seo url.

NGINX unexpected behaviour with location directive and proxy_pass

I have a NGINX configuration file to serve a Website with static files and via a development Server.
static -> http://localhost:8080
dev webserver -> http://localhost:8080/dev
There are several other services which I bind to different location directives.
Here is a snipped of the configuration file.
...
upstream qgis {
server qgis-spcluster_server:80;
}
...
server {
listen 8080;
server_name localhost;
location / {
root /usr/share/nginx/html/build;
index index.html index.htm;
auth_basic "Zugangskontrolle";
auth_basic_user_file /etc/nginx/.htpasswd;
}
location /dev/ {
proxy_pass http://web_app/;
auth_basic "Zugangskontrolle";
auth_basic_user_file /etc/nginx/.htpasswd;
}
location /static/ {
proxy_pass http://web_app/static/;
}
location /qgis/ {
proxy_pass http://qgis/;
}
location /apex/ {
proxy_pass http://apex/apex/;
auth_basic "off";
}
...
Everything works as expected until i open the URL to get the static files. After that all other URLs leads to the static files.
http://localhost:8080/apex -> Apex Service
http://localhost:8080 -> static Website
http://localhost:8080/apex -> static Website
For me everything looks ok, but indeed something is not ok.
The Basic_Auth produce another unexpected behaviour.
http://localhost:8080 -> basic auth -> success -> static website
http://localhost:8080/apex -> basic auth -> it is not possible to get rid of the pop up
So in the moment I'm a little bit clueless how to solve this issue.
Please remove the trailing / from your location directives or provide / when you access them.
Nginx looks for the longest prefix match location. When you access http://localhost:8080/apex, it's routed to / because /apex/ is not the prefix of /apex
Documentation of location is here
I tried now several things, but nothing really worked well. So I decided to create a second server block for all location directives which are problematic with my current setup.
Probably this is not the best solution, because I have still no idea why I get these problems. But it works now and that counts for me.

HTTP Basic Auth with Nginx on a url that doesn't exist as a directory

Trying to use Nginx to password protect
mysite.com/admin
the thing is here that I'm using a web framework, and /admin is just another configured route in the system NOT a real directory
when I configured the site with:
location /admin {
auth_basic "Administrator Login";
auth_basic_user_file /usr/share/nginx/html/mysite.com/.htpasswd;
}
and generated the htpasswd file, when I try to access the /admin, I get presented with login prompt, and it works great. But now any time I access the path, I get a 404 Not Found from Nginx itself
Anything I should do differently?
Thanks!
and /admin is just another configured route
You can put configuration for that route in block like this
location /admin {
auth_basic "Administrator Login";
auth_basic_user_file /usr/share/nginx/html/mysite.com/.htpasswd;
.
<your route configuration>
.
}

docker-registry nginx rest api

I am trying to build a docker-registry server from source (not as a container) on Ubuntu 14.04.1. I was able to get most of the way there using the instructions found on digitalocean.
I am able to curl http://localhost:5000 and https://user:password#localhost:8000 with no problems
When I try to open a web browser to see hopefully more than just that, that is when the issues seem to happen.
Here is my docker-registry file in /etc/nginx/sites-available/:
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream docker-registry {
server 192.168.x.x:5000;
}
server {
listen 8000;
server_name docker-registry;
ssl on;
ssl_certificate /etc/nginx/ssl/docker-registry.crt;
ssl_certificate_key /etc/nginx/ssl/docker-registry.key;
proxy_set_header Host $http_host; # required for Docker client sake
X-Real-IP $remote_addr; # pass on real client IP
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
# let Nginx know about our auth file
auth_basic "Restricted";
auth_basic_user_file docker-registry.htpasswd;
proxy_pass http://docker-registry;
}
location /_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
}
I have my docker registry stored locally in /var/docker-registry and ensured that it was readable by the www-data user. Why can I not see my images on the web browser?
If I tag an image and push it to my repository it works, I can see it in the web browser:
https://192.168.x.x:8000/v1/repositories/ubuntu-test/tags/latest
I see the following:
"5ba9dab47459d81c0037ca3836a368a4f8ce5050505ce89720e1fb8839ea048a"
When I try to get to:
https://192.168.x.x:8000/v1
Or:
https://192.168.x.x:8000/v1/repositories
Or:
https://192.168.x.x:8000/v1/images
I get a "not found" error
How would I be able to see everything in my /var/docker-registry folder (which is where these are stored....and yes, they are owned by the www-data user) through the web interface?
This is by design. Not only is there no reason one would implement the entire url path, but there are severe security implications with implementing it.
I'm assuming you don't have much experience with web programming. There is no directory '/v1/repositories'... etc. Instead, there is a program (in this case either Python or Ruby) that is listening for the url path and has logic built-in to determine what to do.
i.e. if url = /v1/_ping: return 'ok'

nginx redirect and basic auth woes

I have a service (Plack) which listens on http://myhost.com:5000
I want to password protect access to it with Basic Auth
When I set a server directive in the nginx conf file I get a conflict with Plack (can't bind to 0.0.0.0:5000 because it is use by Plack, and vice versa). So this brings me nowhere.
Then I enabled Basic Auth in the conf file with the location directive as :
server {
location / {
proxy_pass http://localhost:5000;
auth_basic "Restricted";
auth_basic_user_file /home/userx/.htpasswd;
}
}
which when nginx "/" is hit it redirects it to port 5000 and asks for username/password. But my app relies on the url including the port (http://myhost.com:5000/) to find the resources and the port is stripped off from the request, so what it ends up is a http://myhost.com and I get a 404 on all resources/css/images/javascripts etc. Tried various directives like port_redirection etc.
I tried URL rewriting with :
location / {
auth_basic "Restricted";
auth_basic_user_file /home/userx/.htpasswd;
rewrite ^/(.*) https://example.com/$1 permanent;
}
which gets the desired result (http://myhost.com:5000) and all resources are found but basic auth never kicks off so I never get a prompt asking for a username /password
As a final attempt it tried to protect the url with a direct
location http://localhost:5000 {
auth_basic "Restricted";
auth_basic_user_file /home/userx/.htpasswd;
}
but that did not work either.
Can someone help?

Resources