I'm having trouble protecting an entire domain with a password prompt. I need to do this with the server (like you can with .htaccess in Apache).

My website is hosted on DigitalOcean servers with the server provisioned by Laravel's Forge. The website itself is a Laravel application.

I have been reading and paying close attention to Matt Stauffer's post on password protecting an entire domain with Laravel Forge. I have followed these steps and I am being asked for a username and password. This is good. However when I enter what should be the correct username and password I am given the "403 Forbidden" Nginx page.

The username and password match the username and password on the .htpasswd file (I have set this file in the public directory of Laravel).

  1. The post by Matt Stauffer is dated 2014 and I am wondering whether the details outlined in the post have become outdated or, more likely, am I missing something?
  2. Should the .htpasswd file be in the public directory of a Laravel application or outside of that?
  3. What is the correct encryption method for setting the password for a user in a .htpasswd file with Nginx v.1.11.9?

Below is a snippet from the current nginx settings:

    location / {
       try_files $uri $uri/ /index.php?$query_string;

       auth_basic            "Restricted Area";
       auth_basic_user_file  /home/forge/sitename.com/.htpasswd;
    }

Thanks in advance for any help!

Gavin

Gavin Kemp

1 Answer

The file can be stored anywhere, really. I recommend not putting it anywhere that's accessible online, though. Typically, I end up putting it in e.g. /etc/nginx/.htpasswd.

The lines should not be in the location block but rather in the server block if you want to protect the entire thing. Like this:

    ... stuff

    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # FORGE CONFIG (DOT NOT REMOVE!)
    ... more stuff

The file should consist of a single line for each authenticated user, where each line is in the format username:encrypted-password. There are many ways of generating the .htpasswd; I usually just google for something, e.g. http://www.htaccesstools.com/htpasswd-generator/

You could also create it through e.g. the htpasswd utility, but that's part of an Apache server package so it makes little sense to install it when you're using nginx.

Joel Hinz
  • Thanks for your help Joel. I used that link above to generate a password and it worked. Other .htpasswd password generators appear to be throwing the nginx server for whatever reason. Possibly it could be outdated algorithms being used on other sites, although I can't be sure. – Gavin Kemp Apr 21 '17 at 15:36
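
As an added example (not part of the original question or answer), the `username:encrypted-password` line described in the answer can be generated on the server itself with OpenSSL's apr1 (Apache MD5) scheme, which nginx's `auth_basic` accepts, so the password never has to be typed into a third-party site. It assumes the `openssl` CLI is installed; the function names, user name and password are placeholders chosen here.

```shell
#!/bin/sh
# Added example: build and check an nginx auth_basic user file locally.
# Assumes the openssl CLI is installed; user, password and paths are placeholders.

# Print "user:$apr1$salt$hash". The password is passed on stdin, not in argv.
make_htpasswd_line() {
    user=$1; pass=$2; salt=${3:-}
    case $user in
        ''|*:*) echo "user name must be non-empty and contain no ':'" >&2; return 1 ;;
    esac
    if [ -n "$salt" ]; then
        hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin) || return 1
    else
        hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    fi
    printf '%s:%s\n' "$user" "$hash"
}

# Write a single-user file (overwrites FILE) that is not world-readable.
write_htpasswd() {
    file=$1
    line=$(make_htpasswd_line "$2" "$3") || return 1
    ( umask 027; printf '%s\n' "$line" > "$file" )
}

# Return 0 if PASSWORD matches USER's apr1 entry in FILE:
# re-hash the candidate with the stored salt and compare the full line.
check_htpasswd_password() {
    file=$1; user=$2; pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    case $stored in
        '$apr1$'*) ;;
        *) return 1 ;;   # no such user, or not an apr1 hash
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(make_htpasswd_line "$user" "$pass" "$salt")" = "$user:$stored" ]
}

# Usage (constructed values):
#   write_htpasswd /etc/nginx/.htpasswd forge 'example-password'
#   check_htpasswd_password /etc/nginx/.htpasswd forge 'example-password' && echo ok
```

The nginx worker user must be able to read the resulting file, so adjust its owner or group to match after writing it.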