I've successfully set up auth_basic on Nginx using an .htpasswd file. However, if someone guesses the file name, they can still download files with wget or simply using a browser by providing the URL, even though they haven't successfully logged in.

How can I prevent someone from downloading a file without logging in?

Here's my default-ssl config file in nginx:


root /var/www/html;
index index.html index.htm index.php;

ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;

# /dir/dir w/basic auth
location ~ ^/(?P<mydir>.*)/$ {
    auth_basic              "Restricted";
    auth_basic_user_file    $document_root/$mydir/.htpasswd;
    autoindex on;
    allow all;
}
# prevent listing of .htpasswd
location ~ /\. {
    deny all;
}

1 Answer
I think it's because you only secured the folder, but not the files; try removing the dollar sign so it matches everything below the folder:

location ~ ^/(?P<mydir>.*)/$ {}

to

location ~ ^/(?P<mydir>.*)/ {}
Mohammad AbuShady
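As an added illustration (not code from the question or the answer), a small Python simulation of how nginx selects a `location ~` block: regex locations are tried in config-file order and the first match wins. It shows why the original pattern leaves /dir/secret.pdf unprotected, that dropping the `$` fixes that, and a caveat that follows from the fix: the `/\.` deny block must then come before the auth block, otherwise /dir/.htpasswd is handled by the auth location instead of being denied. The request URIs are constructed samples.

```python
import re

# Constructed simulation of how nginx picks a "location ~" block (not nginx
# code): regex locations are tried in config-file order and the first match
# wins, so block order matters once the auth pattern loses its trailing "$".
DOCUMENT_ROOT = "/var/www/html"

AUTH_DIR_ONLY = r"^/(?P<mydir>.*)/$"   # the question's pattern: directory URIs only
AUTH_DIR_TREE = r"^/(?P<mydir>.*)/"    # the answer's pattern: anything under a directory
DENY_DOTFILES = r"/\."                 # the question's "prevent listing of .htpasswd" block


def select_location(uri, locations):
    """Return (name, match) for the first regex location matching uri,
    or ("default", None) when no regex location matches and the request
    falls through to the plain root (served with no auth in this config)."""
    for name, pattern in locations:
        m = re.search(pattern, uri)
        if m:
            return name, m
    return "default", None


def htpasswd_path(match):
    """The auth_basic_user_file nginx would evaluate for a matched auth block."""
    return f"{DOCUMENT_ROOT}/{match.group('mydir')}/.htpasswd"


def decide(uri, auth_pattern, deny_first):
    """Outcome for one config variant: 'auth' (credentials demanded),
    'deny' (403 from the dotfile block) or 'open' (served without auth)."""
    auth = ("auth", auth_pattern)
    deny = ("deny", DENY_DOTFILES)
    locations = [deny, auth] if deny_first else [auth, deny]
    name, _ = select_location(uri, locations)
    return "open" if name == "default" else name


if __name__ == "__main__":
    # Constructed request URIs covering the cases discussed above.
    for uri in ("/dir/", "/dir/secret.pdf", "/dir/.htpasswd", "/top.txt"):
        print(uri,
              "original:", decide(uri, AUTH_DIR_ONLY, False),
              "fixed:", decide(uri, AUTH_DIR_TREE, False),
              "fixed, deny first:", decide(uri, AUTH_DIR_TREE, True))
```

Note also that `$mydir` captures everything up to the last slash, so with this pattern each subdirectory needs its own .htpasswd, and files directly under the root never match the auth block at all.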