1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Password protecting admin.php with nginx ?

Discussion in 'Server Configuration and Hosting' started by Mouth, Jan 19, 2014.

  1. Mouth

    Mouth Well-Known Member

    I can see how to password protect a whole directory vai nginx config, but haven't - despite multiple google attempts - found how to do it with a single file. I want to password protect admin.php, just for an additional layer of protection and slow/halt bot brute force attacks.

    Can anyone advise the nginx config to password protect admin.php please?
     
  2. Tracy Perry

    Tracy Perry Well-Known Member

    This is mine (and it's placed right above the Location / directive).
    Code:
    location = /admin.php {
        auth_basic "Serving Linux  Administrator Login";
        auth_basic_user_file /etc/phpmyadmin/you.wish.pass.word;
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME
        $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        }
     
    maszd likes this.
  3. Sheratan

    Sheratan Well-Known Member

    I can't use the code above with https so I'm using this:

    Code:
    location ~/admin\.php$ {
            auth_basic "Staff Only";
            auth_basic_user_file /my/htpasswd/location;
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param HTTPS on;
            fastcgi_param HTTP_SCHEME https;
            include fastcgi_params;
        }
    
     
    maszd likes this.
  4. Tracy Perry

    Tracy Perry Well-Known Member

    Yep.. since I don't use https (not going to pay for a certificate since nothing I do needs to be "secure" since the sites are totally free to use) it's a straight http related segment.
    It's just a level of complexity that I don't see the need of for any of my sites.
    I can't justify $200-800 a year for wildcard certificates for the 7 forums I have set up.
     
  5. Sheratan

    Sheratan Well-Known Member

    Well I'm developing some kind of paygate using local paygate (iPaymu API) so I need to test how it works on https :D

    and I'm stuck :(
     
  6. Tracy Perry

    Tracy Perry Well-Known Member

    I already decided... when my hobby got to the point it was costing me more than $425 a month I was going to do some serious scaling back. Really don't need a server just for one forum (that only has a few users). Got it because I wanted to learn how to deal with them from remote. I could get away with having all forums on one server alone and not even tax it.
     
  7. Floren

    Floren Well-Known Member

    You just showed to a hacker a possible way to exploit your server. :)
    Here it is the secure way to process PHP files with Nginx.

    I see everyone keeps on adding the fastcgi_index to their configuration... are you guys reading the Nginx documentation? :giggle:
    I think you can get it for cheaper... @digitalpoint paid $80/year for a wildcard. I only need a certificate so I got one for $36, for 5 years. I recently paid another $36 for a 5 years extension.
     
    Last edited: Jan 19, 2014
    CarlosMST, bortrenamo and SneakyDave like this.
  8. Tracy Perry

    Tracy Perry Well-Known Member

    yeah, and for some reason the ONLY way it would work was when I did.
    And if you are referring to the path/name to the password.. bang away, because I promise you that's not the right one. :p

    That's still $560 a year that I really don't need to spend. I perform no business transactions over the site and do not charge subscriptions or have "protected content". I'll use that money for gas for the track on the bike. :cool:
     
  9. Floren

    Floren Well-Known Member

    You are probably missing something small, don't get discouraged. The way you have configured your PHP location is very insecure (I'm not referring to the password protected locations like admin.php etc.).
    I'm not. Start with the basic Nginx configuration I posted into tutorial, it should help you get organized and eliminate the errors you have now in your configuration. In case you wonder, fastcgi.conf is a default file available into Nginx source which for some reason many packagers do not include it in their RPM's... instead they use the incomplete fastcgi_params file.
     
    Last edited: Jan 19, 2014
  10. Sheratan

    Sheratan Well-Known Member

    My server is a free server. A gift from my friend because I help him to build his game project. :D So it cost $ 0
    I'm using a free SSL from StartSSL so.. another $ 0

    And yeah, my forum is small, and no need for VPS. But I wanted to learn how to use and develpoing VPS too, so I asked my friend to give me a VPS instead of Shared. :D
     
  11. Tracy Perry

    Tracy Perry Well-Known Member

    Let's see... I have a VPS (actually 2) through RamNode, I have 3 dedicated servers from ServerComplete - and on one of those servers I have 4 VPS's configured - not to mention the servers at the house. :confused:
     
    Sheratan likes this.
  12. Tracy Perry

    Tracy Perry Well-Known Member

    Did... and no matter what I do any link I click treats it as a download file. I got a sneaking suspicion (especially with the mention of RPM) that it plays a little different on Debian.
     
  13. Tracy Perry

    Tracy Perry Well-Known Member

    Utilizing the below seems to work (and appears to be similar to what you're example uses)

    Code:
    location ~ \.php$ {
       try_files $uri =404;
       fastcgi_split_path_info ^(.+\.php)(/.+)$;
       include fastcgi_params;
       fastcgi_index index.php;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_pass            127.0.0.1:9000;
       fastcgi_intercept_errors on;
       fastcgi_ignore_client_abort off;
       fastcgi_connect_timeout 60;
       fastcgi_send_timeout 180;
       fastcgi_read_timeout 180;
       fastcgi_busy_buffers_size 256k;
       fastcgi_temp_file_write_size 256k;
            }
    
    And yes, I know I can set some of the fastcgi parameters in a separate file -but not all my forums use the same settings so it's easier for me to place them in the vhost config.
     
  14. Floren

    Floren Well-Known Member

    @Tracy Perry, you already use the fastcgi params with a file. I don't see nothing similar to my configuration (not to mention that there is no such thing as "similar" in Nginx) and half of the fastcgi settings you define into .php location should be either in http or server.

    For example, variables like fastcgi_connect_timeout should be located into http, as they are global values. If you want to be specific, you can redefine it into server or even on a location, to change the global value (if different from defaults):
    Code:
    http {
           ...
           # change timeout to 30 seconds, instead of default 60 seconds
           fastcgi_connect_timeout 30s;
           ...
           server {
                  ...
                  # change timeout to 2 minutes, instead of http 30 seconds
                  fastcgi_connect_timeout 2m;
                  ...
                  location /alpha {
                         ...
                         # change timeout to 10 seconds, instead of server 2 minutes
                         fastcgi_connect_timeout 10s;
                         ...
                  }
           ...
           }
    }
    Beside that, the default value for that variable is "60s" not "60"... Nginx does not use anymore integer values for time or size related variables. Since the variable has the default "60s", is useless to add it anywhere because you are just repeating what is already defined into Nginx.

    The point was to help you get a better idea how the overall Nginx configuration structure works. It is probably my mistake to insist on having others create proper Nginx configurations. The fact is, I'm shocked to see how much wrong information is posted out there on Internet and simply trying to help others understand that. I hope you realize my remarks are meant to help you, not to produce criticism.
     
    Last edited: Jan 19, 2014
  15. Tracy Perry

    Tracy Perry Well-Known Member

  16. Floren

    Floren Well-Known Member

    I completed further my previous post. For sure the information is limited, it will take me 100 tutorials to cover 10% of Nginx functionality. Books with hundreds of pages don't cover it either. The most important part you need to understand: there is no such thing of configuration settings working differently in Debian, CentOS, Ubuntu, etc. (OK there are 2 settings who are different, that's all). What you need to focus on is the logic behind it, not how to perform copy/paste operations.

    Once you understand what you are doing, you will be amazed at the config files you had in the past. I actually opened an old configuration file and I was saying to myself: "Boy Floren, you actually did this, heh." :D
     
  17. Tracy Perry

    Tracy Perry Well-Known Member

    All the fastcgi is in the fastcgi_params and seems to be working. THAT was apparently what was missing earlier as it wasn't listed in either the vhost OR the fastcgi_param file (no, there is not a conf file - except for the php.conf that I created that had
    Code:
    index index.php index.html index.htm;
    
    location ~ \.php$ {
        try_files $uri =404;
    
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      include /etc/nginx/fastcgi_params;
    
    
      fastcgi_param PATH_INFO       $fastcgi_path_info;
      fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    in it.
    I'm off to bed... been up most of the night working on setting up a VPS for a person on one of my servers to help them out till they can find better hosting than who they are with (OVH). They are having some serious slowness problems.
     
  18. Floren

    Floren Well-Known Member

    Ya, there is no fastcgi.conf in Debian, yet Nginx provides this file. I think you have one or 2 new directives extra in fastcgi.conf file, don't remember exactly. Look at your file, I bet some of the fastcgi_param values are already defined so you double them for nothing. That was not my point, though... but you are intelligent and know what I mean. I hope my previous example will help you further understand how easy is to work with Nginx once you are done with the learning curve. :)
     
  19. Mouth

    Mouth Well-Known Member

    http://wiki.nginx.org/PHPFcgiExample
    .... doesn't say it's incomplete or inappropriate
     
  20. RoldanLT

    RoldanLT Well-Known Member

    I'm using https/ssl too not for secure content but just to enable and use SPDY :)
     

Share This Page