14

I'm protecting my dev server using nginx and the auth_basic module, but I can't seem to find a way to specify the interval at which the 'authentication' expires.

I would like to be able to force nginx to ask for the password, say, every 6 hours. Is there a way to do that? If not, what is an acceptable workaround?

ergelo

2 Answers

14

It's probably not possible. There doesn't seem to be any documentation on the nginx HttpAuthBasicModule page to suggest that you can time out Basic HTTP authentication.

The HTTP specification for Authorization headers also does not specify a timeout mechanism. I don't expect you'll be able to rely on basic authentication if you need timeouts, unless you're also fronting a web application.

If you're fronting a web application, you could maintain a session in a cookie and time out the session after a period of inactivity. When the session timeout finishes, use your web application to send the following headers:

```
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic Realm="MyApp"
```

That will prompt the browser to ask for credentials again. If you need access to the user's identity in your web application, you should find it in the REMOTE_USER CGI environment variable.

To serve static assets efficiently using this technique, XSendfile might be useful.

Jonathan
  • CGI does not provide `REMOTE_USER` automatically. You can set it by `fastcgi_param REMOTE_USER $remote_user;`. – bzeaman May 24 '16 at 11:22
  • This method isn't foolproof. Upon being re-prompted, if you click "Cancel" and refresh the page, you will be logged in again. – user3163495 Aug 07 '19 at 19:27
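An added example (not from the answer or from nginx) of the cookie-session approach described above, written as the decision logic of an application behind nginx. It assumes nginx has already checked the password and passes the user name as `REMOTE_USER`; the function names, cookie layout and key are hypothetical. As the last comment notes, a browser that re-sends cached credentials after the challenge is accepted as well.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: replace with a random key from config
MAX_AGE = 6 * 60 * 60              # the 6-hour window from the question
CHALLENGE = [("WWW-Authenticate", 'Basic realm="MyApp"')]

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_cookie(user, state, now):
    """Build a signed session value: user|state|issued|mac."""
    payload = f"{user}|{state}|{now}"
    return f"{payload}|{_sign(payload)}"

def read_cookie(cookie):
    """Return (user, state, issued), or None if missing or tampered with."""
    payload, sep, mac = (cookie or "").rpartition("|")
    if not sep or not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return None
    user, state, issued = payload.rsplit("|", 2)
    return user, state, int(issued)

def handle(remote_user, cookie, now=None):
    """Decide one request. Returns (status, headers, new_cookie_or_None)."""
    now = int(time.time()) if now is None else now
    session = read_cookie(cookie)
    if session and session[0] == remote_user:
        user, state, issued = session
        if state == "ok" and now - issued < MAX_AGE:
            return 200, [], None                 # session still fresh
        if state == "ok":
            # Expired: challenge once and record that we did, so the
            # browser's next (re-authenticated) request is not challenged again.
            return 401, CHALLENGE, make_cookie(user, "challenged", now)
    # No valid session, or the browser answered the challenge: new window.
    return 200, [], make_cookie(remote_user, "ok", now)
```
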
7

If you are still looking for a solution to this issue, I believe HttpAuthDigestModule is what you are looking for.

I just found it today while surfing the Internet.

Here are the links:

http://wiki.nginx.org/HttpAuthDigestModule

https://github.com/samizdatco/nginx-http-auth-digest

Hopefully it helps you.

Sharuzzaman Ahmat Raslan