Password protecting admin.php with nginx ?

Mouth

Mouth

Well-known member
I can see how to password protect a whole directory vai nginx config, but haven't - despite multiple google attempts - found how to do it with a single file. I want to password protect admin.php, just for an additional layer of protection and slow/halt bot brute force attacks.

Can anyone advise the nginx config to password protect admin.php please?
 
This is mine (and it's placed right above the Location / directive).
Code: 
location = /admin.php {
    auth_basic "Serving Linux  Administrator Login";
    auth_basic_user_file /etc/phpmyadmin/you.wish.pass.word;
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME
    $document_root$fastcgi_script_name;
    include /etc/nginx/fastcgi_params;
    }
 
I can't use the code above with https so I'm using this:

Code: 
location ~/admin\.php$ {
        auth_basic "Staff Only";
        auth_basic_user_file /my/htpasswd/location;
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;
        include fastcgi_params;
    }
 
Yep.. since I don't use https (not going to pay for a certificate since nothing I do needs to be "secure" since the sites are totally free to use) it's a straight http related segment.
It's just a level of complexity that I don't see the need of for any of my sites.
I can't justify $200-800 a year for wildcard certificates for the 7 forums I have set up.
 
Tracy Perry said:
Yep.. since I don't use https (not going to pay for a certificate since nothing I do needs to be "secure" since the sites are totally free to use) it's a straight http related segment.
It's just a level of complexity that I don't see the need of for any of my sites.
Click to expand...
Well I'm developing some kind of paygate using local paygate (iPaymu API) so I need to test how it works on https :D

and I'm stuck :(
 
Sheratan said:
Well I'm developing some kind of paygate using local paygate (iPaymu API) so I need to test how it works on https :D

and I'm stuck :(
Click to expand...
I already decided... when my hobby got to the point it was costing me more than $425 a month I was going to do some serious scaling back. Really don't need a server just for one forum (that only has a few users). Got it because I wanted to learn how to deal with them from remote. I could get away with having all forums on one server alone and not even tax it.
 
Tracy Perry said:
This is mine (and it's placed right above the Location / directive).
Code: 
location = /admin.php {
    auth_basic "Serving Linux  Administrator Login";
    auth_basic_user_file /etc/phpmyadmin/you.wish.pass.word;
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME
    $document_root$fastcgi_script_name;
    include /etc/nginx/fastcgi_params;
    }
Click to expand...
You just showed to a hacker a possible way to exploit your server. :)
Here it is the secure way to process PHP files with Nginx.

I see everyone keeps on adding the fastcgi_index to their configuration... are you guys reading the Nginx documentation? :giggle:
Tracy Perry said:
I can't justify $200-800 a year for wildcard certificates for the 7 forums I have set up.
Click to expand...
I think you can get it for cheaper... @digitalpoint paid $80/year for a wildcard. I only need a certificate so I got one for $36, for 5 years. I recently paid another $36 for a 5 years extension.
 
Last edited:
Floren said:
You just showed to a hacker a possible way to exploit your server. :)
Here it is the secure way to process PHP files with Nginx.
I see everyone keeps on adding the fastcgi_index to their configuration... are you guys reading the Nginx documentation? :giggle:
Click to expand...
yeah, and for some reason the ONLY way it would work was when I did.
And if you are referring to the path/name to the password.. bang away, because I promise you that's not the right one. :p

I think you can get it for cheaper... @digitalpoint paid $80/year for a wildcard. I only need a certificate so I got one for $36, for 5 years. I recently paid another $36 for a 5 years extension.
Click to expand...
That's still $560 a year that I really don't need to spend. I perform no business transactions over the site and do not charge subscriptions or have "protected content". I'll use that money for gas for the track on the bike. :cool:
 
Tracy Perry said:
yeah, and for some reason the ONLY way it would work was when I did.
Click to expand...
You are probably missing something small, don't get discouraged. The way you have configured your PHP location is very insecure (I'm not referring to the password protected locations like admin.php etc.).
Tracy Perry said:
And if you are referring to the path/name to the password.. bang away, because I promise you that's not the right one.
Click to expand...
I'm not. Start with the basic Nginx configuration I posted into tutorial, it should help you get organized and eliminate the errors you have now in your configuration. In case you wonder, fastcgi.conf is a default file available into Nginx source which for some reason many packagers do not include it in their RPM's... instead they use the incomplete fastcgi_params file.
 
Last edited:
Tracy Perry said:
I already decided... when my hobby got to the point it was costing me more than $425 a month I was going to do some serious scaling back. Really don't need a server just for one forum (that only has a few users). Got it because I wanted to learn how to deal with them from remote. I could get away with having all forums on one server alone and not even tax it.
Click to expand...
My server is a free server. A gift from my friend because I help him to build his game project. :D So it cost $ 0
I'm using a free SSL from StartSSL so.. another $ 0

And yeah, my forum is small, and no need for VPS. But I wanted to learn how to use and develpoing VPS too, so I asked my friend to give me a VPS instead of Shared. :D
 
Sheratan said:
My server is a free server. A gift from my friend because I help him to build his game project. :D So it cost $ 0
I'm using a free SSL from StartSSL so.. another $ 0

And yeah, my forum is small, and no need for VPS. But I wanted to learn how to use and develpoing VPS too, so I asked my friend to give me a VPS instead of Shared. :D
Click to expand...
Let's see... I have a VPS (actually 2) through RamNode, I have 3 dedicated servers from ServerComplete - and on one of those servers I have 4 VPS's configured - not to mention the servers at the house. :confused:
 
Floren said:
You are probably missing something small, don't get discouraged. The way you have configured your PHP location is very insecure (I'm not referring to the password protected locations like admin.php etc.).

I'm not. Start with the basic Nginx configuration I posted into tutorial, it should help you get organized and eliminate the errors you have now in your configuration. In case you wonder, fastcgi.conf is a default file available into Nginx source which for some reason many packagers do not include it in their RPM's... instead they use the incomplete fastcgi_params file.
Click to expand...
Did... and no matter what I do any link I click treats it as a download file. I got a sneaking suspicion (especially with the mention of RPM) that it plays a little different on Debian.
 
Floren said:
You are probably missing something small, don't get discouraged. The way you have configured your PHP location is very insecure (I'm not referring to the password protected locations like admin.php etc.).
Click to expand...
Utilizing the below seems to work (and appears to be similar to what you're example uses)

Code: 
location ~ \.php$ {
   try_files $uri =404;
   fastcgi_split_path_info ^(.+\.php)(/.+)$;
   include fastcgi_params;
   fastcgi_index index.php;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   fastcgi_pass            127.0.0.1:9000;
   fastcgi_intercept_errors on;
   fastcgi_ignore_client_abort off;
   fastcgi_connect_timeout 60;
   fastcgi_send_timeout 180;
   fastcgi_read_timeout 180;
   fastcgi_busy_buffers_size 256k;
   fastcgi_temp_file_write_size 256k;
        }
And yes, I know I can set some of the fastcgi parameters in a separate file -but not all my forums use the same settings so it's easier for me to place them in the vhost config.
 
@Tracy Perry, you already use the fastcgi params with a file. I don't see nothing similar to my configuration (not to mention that there is no such thing as "similar" in Nginx) and half of the fastcgi settings you define into .php location should be either in http or server.

For example, variables like fastcgi_connect_timeout should be located into http, as they are global values. If you want to be specific, you can redefine it into server or even on a location, to change the global value (if different from defaults):
Code: 
http {
       ...
       # change timeout to 30 seconds, instead of default 60 seconds
       fastcgi_connect_timeout 30s;
       ...
       server {
              ...
              # change timeout to 2 minutes, instead of http 30 seconds
              fastcgi_connect_timeout 2m;
              ...
              location /alpha {
                     ...
                     # change timeout to 10 seconds, instead of server 2 minutes
                     fastcgi_connect_timeout 10s;
                     ...
              }
       ...
       }
}
Beside that, the default value for that variable is "60s" not "60"... Nginx does not use anymore integer values for time or size related variables. Since the variable has the default "60s", is useless to add it anywhere because you are just repeating what is already defined into Nginx.

The point was to help you get a better idea how the overall Nginx configuration structure works. It is probably my mistake to insist on having others create proper Nginx configurations. The fact is, I'm shocked to see how much wrong information is posted out there on Internet and simply trying to help others understand that. I hope you realize my remarks are meant to help you, not to produce criticism.
 
Last edited:
 
I completed further my previous post. For sure the information is limited, it will take me 100 tutorials to cover 10% of Nginx functionality. Books with hundreds of pages don't cover it either. The most important part you need to understand: there is no such thing of configuration settings working differently in Debian, CentOS, Ubuntu, etc. (OK there are 2 settings who are different, that's all). What you need to focus on is the logic behind it, not how to perform copy/paste operations.

Once you understand what you are doing, you will be amazed at the config files you had in the past. I actually opened an old configuration file and I was saying to myself: "Boy Floren, you actually did this, heh." :D
 
All the fastcgi is in the fastcgi_params and seems to be working. THAT was apparently what was missing earlier as it wasn't listed in either the vhost OR the fastcgi_param file (no, there is not a conf file - except for the php.conf that I created that had
Code: 
index index.php index.html index.htm;

location ~ \.php$ {
    try_files $uri =404;

  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  include /etc/nginx/fastcgi_params;


  fastcgi_param PATH_INFO       $fastcgi_path_info;
  fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
in it.
I'm off to bed... been up most of the night working on setting up a VPS for a person on one of my servers to help them out till they can find better hosting than who they are with (OVH). They are having some serious slowness problems.
 
Ya, there is no fastcgi.conf in Debian, yet Nginx provides this file. I think you have one or 2 new directives extra in fastcgi.conf file, don't remember exactly. Look at your file, I bet some of the fastcgi_param values are already defined so you double them for nothing. That was not my point, though... but you are intelligent and know what I mean. I hope my previous example will help you further understand how easy is to work with Nginx once you are done with the learning curve. :)
 
You must log in or register to reply here.

Similar threads

Robust
Securing admin.php with a password - nginx
Replies
4
Views
3K
Robust
Robust
DRE
KnownHost Server Configuration?
8 9 10
Replies
183
Views
21K
craigiri
craigiri
xIsabel38
Add-on Login Security
2
Replies
28
Views
7K
xIsabel38
xIsabel38
Top Bottom