NGINX - Password authentication layer

Hey

So recently, I got a request for my flake registration system, asking how they can add password authentication onto the register page, so that only beta testers are able to register, since the CPPS was still in beta.

This is actually a very easy thing to set up and shouldn’t take long if you follow this guide step by step. Once set up, you will be able to navigate to the page you wanted restricted and it should prompt you for a username and password, which you will create later in this tutorial.


REQUIREMENTS:

  • You need to have Houdini installed and setup (AS2 or AS3), preferably running on Ubuntu/Debian.
  • NGINX as your running web-server.
  • Sudo permissions to install packages and to edit configuration files for your web-server
  • (OPTIONAL) A source-code editor like Visual Studio Code to edit the configuration files for nginx, if not then you should use nano, an editor in SSH that is arguably difficult to use, but fine if you know what you’re doing.

I’m aware that there are other ways of doing this, but this tutorial is for those who have no idea where to start and want a simple solution. I’m also aware that this is originally from this tutorial, however I decided to upload it on Solero and describe each step in detail so that you (even as a complete newbie) can understand what is happening and how it’s created.

Without further ado, let’s begin.

1. Install apache2-utils:

Run the following command through SSH (PuTTY or a macOS/Linux terminal):

sudo apt install apache2-utils

This command installs the htpasswd utility, which creates the password file that will handle user authentication on the web page.

We then want to set this up.

2. Set a username for authentication.

Run the command below. It creates the username and password you will need to enter to view your registration page, or whatever web page you are restricting through authentication.

Replace ro with the username you want to use for the authentication. It’s advised that you generate a random username too; don’t choose something related to the CPPS. This can reduce the chances of anyone getting in via authentication even if they knew the password.

sudo htpasswd -c /etc/nginx/.htpasswd ro

So in my case, this would create the username ro which I would use to access the website. For you, it depends on what username you pick, make sure to note this down somewhere so that you don’t forget!

It will then prompt you to create a password, and of course, you should create a secure and random password that no one else would be able to guess. Be sure to retrieve a password from https://randomkeygen.com or if you’re going to make one yourself, you are responsible for how complex and strong it is. Be sure to note it down too!

3. Configuring nginx to have password authentication.

So, it really depends on what page you want to restrict. For example, maybe your CPPS is in beta and you want to restrict your play page, or you want to restrict your manager as it’s for administrators only, or you want to restrict your register page.

Whatever it is, you need to know where the configuration for that subdomain is. Some people may have it as a sym link in sites-enabled, some people may have their configuration in nginx.conf. It just depends on your setup.

For example, if it’s create.cpps.com, it’s most likely the ‘create’ file in /etc/nginx/sites-available if you followed my CP External Register tutorial. It really depends on what you named it, and on whether you are using sym links or nginx.conf. You’re the one who set it up (assumption), so you should know where the configuration file for the page you want is.

Some people name their configuration files after their actual subdomains so you’d find them in e.g. /etc/nginx/sites-available/create.cpps.com.

What you don’t want to do is directly edit sites-enabled, because that’s a sym link. Every time you update your web-server configuration, you have to delete the old sym link in sites-enabled and create a new one from your new configuration in sites-available.

Anyway, go to your nginx configuration file. For this example I’ll pretend I have a register that uses an nginx configuration file called ‘create’ in /etc/nginx/sites-available. Since I already set up this register, the file is already a sym link in /etc/nginx/sites-enabled, just without password authentication since we haven’t added it yet. If you’re using nginx.conf for your configuration, just edit nginx.conf and find the block which handles the sub domain you want password authentication on.

We need to edit it, so either transfer the file over FTP or SCP and edit it using Visual Studio Code, or through SSH type:

sudo nano /etc/nginx/sites-available/create

You would replace ‘create’ with whatever the file name of your nginx configuration is called.

Once you are in, you should find the configuration for specifically THAT sub domain, make sure it’s the right one. In terms of my example, I would make sure the server_name is pointing to create.cpps.com if my register page was on create.cpps.com.

Once you made sure you’re in the right file, you want to scroll down to the part where it says:

location / {

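You then want to add the following lines inside this block, directly underneath that line. Use plain straight quotes (") here; curly quotes pasted from a web page are not parsed by nginx as quotes.

auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;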

This will restrict the page to prompt username and password authentication, before they can view the site.

Once you added this, you want to save the file. If you used SCP or FTP to get the file, and used a source code editor to edit it, you want to just save the file then reupload it to /etc/nginx/sites-available.

OR

If you edited this using nano, you want to hit the following keys on your keyboard:

CTRL + x

It will then ask you if you want to save it, with Y/N, just enter Y.

Then it will ask for the file name to write to. It should show the directory and filename by default (where the file already is), so just press Enter. If it’s not showing it by default, make sure you save it in the correct place (the sites-available folder).

Then hit enter.

Now, if you were using nginx.conf then you are all good, you just have to skip this next bit about sym-links, go to the part about testing and restarting nginx.

However for those using sites-available/sites-enabled, enjoy the next few steps, if you get stuck feel free to ask as this is understandably a little complicated compared to the other steps.

4. UPDATING YOUR SYM-LINKS:

So, you got your current sym link in sites-enabled, in my case/for my example I had the ‘create’ sym link in /etc/nginx/sites-enabled/create which represents my registration without any password authentication.

We just created a new configuration file with password authentication and it’s in /etc/nginx/sites-available/create, we need to remove the original register page that has no password authentication, so you would want to execute the command:

sudo rm /etc/nginx/sites-enabled/create

Obviously, replace create with whatever file name your nginx configuration is called. Make sure there are no sym links in sites-enabled that represent your play page.

Now you want to add your new nginx configuration file as a sym link to sites-enabled, to do this we can execute the command:

sudo ln -s /etc/nginx/sites-available/create /etc/nginx/sites-enabled

Essentially, this updates our nginx configuration by adding the new ‘create’ configuration file as a sym link in sites-enabled.

5. Testing and reloading nginx

After making sure your nginx configuration is updated, you want to try executing the command:

sudo nginx -t

This will test the web server’s configuration and return any errors it finds. If you get any, try googling them; if you can’t find anything, feel free to ask us in Solero’s discord.

If you get no errors, it’s safe to assume that you have successfully implemented password authentication, or potentially you didn’t update your sym links properly so it’s NOT reading anything new, just your old configuration.

Either way, try executing:

sudo service nginx reload

Then try visiting the page you added password authentication to. In my case it would be create.cpps.com. If it worked properly, you will be prompted for a username and password.

You saved this earlier (hopefully), be sure to enter these details and test the functionality of the password authentication.
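The ambiguity in step 5 (nginx -t passes, but the configuration nginx loads may still be the old one) can be checked directly from the output of nginx -T, which dumps every file nginx reads, including the ones pulled in from sites-enabled. This is an added example, not part of the original tutorial; the function name check_basic_auth and both sample dumps are constructed for illustration.

```shell
# Added example: classify a server_name from `nginx -T` output read on stdin.
# Real host: sudo nginx -T 2>/dev/null | check_basic_auth create.cpps.com
check_basic_auth() {                       # $1 = server_name to look for
    awk -v want="$1" '
    {
        line = $0
        sub(/#.*/, "", line)               # drop comments (assumes no "#" in quoted strings)
        if (!in_srv && line ~ /^[ \t]*server[ \t]*[{]/) {
            in_srv = 1; base = depth; named = auth = file = 0
        }
        if (in_srv) {
            if (line ~ /^[ \t]*server_name[ \t]/) {
                n = split(line, f, /[ \t;]+/)
                for (i = 1; i <= n; i++) if (f[i] == want) named = 1
            }
            if (line ~ /^[ \t]*auth_basic[ \t]/ && line !~ /auth_basic[ \t]+off[ \t]*;/) auth = 1
            if (line ~ /^[ \t]*auth_basic_user_file[ \t]/) file = 1
        }
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (in_srv && depth == base) {     # this server block just closed
            # strict: every block carrying the name needs both directives
            if (named) { seen = 1; if (!(auth && file)) bad = 1 }
            in_srv = 0
        }
    }
    END {
        if (!seen) { print "not-loaded";  exit 2 }   # e.g. sym link missing
        if (bad)   { print "unprotected"; exit 1 }   # old config would be loaded
        print "protected"
    }'
}
# Constructed stand-ins for `nginx -T` output before and after the edit.
sample_old() { cat <<'EOF'
# configuration file /etc/nginx/sites-enabled/create:
server {
    server_name create.cpps.com;
    location / { try_files $uri =404; }
}
EOF
}
sample_new() { cat <<'EOF'
# configuration file /etc/nginx/sites-enabled/create:
server {
    server_name create.cpps.com;
    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
EOF
}
```

The check only looks for the two directives anywhere inside the matching server block, so a site that protects some locations and not others still needs a manual look.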

If you have completely forgotten the username, no need to worry. You can execute this command to find out the username, but not the password as it’s hashed.

cat /etc/nginx/.htpasswd

It will return something like:

ro:$apr1sdfsdf4435sdtskLfWmmg1sfdsdgg4

The text before the : is ro, the username that I chose, and the text after the : is the password, which is hashed and so cannot be read by us. If you have forgotten your password, you could just create a new user using the command that we used above to create a user. Note that -c recreates the file, so leave it out if you want to keep other users that are already in it.

Hopefully this should work for you, any issues, feel free to let me know or join Solero’s discord to find some support.

NOTE: Please don’t try to add password authentication onto your media server sub domains so that people can’t view your mediaserver files, it doesn’t work as I’ve tested it before.

Any mistakes I made, let me know.

~ ro