403 forbidden - Nginx - using correct credentials

Question

I am trying to password protect a directory on my Nginx powered site that contains things like phpMyAdmin, MemcacheMyAdmin, and more admin utilities.

This directory is placed in the root of my site at:

domain.com/control/

The absolute path on my server is at:

/home/deployer/sites/domain.com/control/

I created a .htpasswd file in the directory by using this command:

htpasswd -c /home/deployer/sites/domain.com/control/.htpasswd admin

The file is present, owned by "root" user and is 0644 permissions.

In the .conf file for this domain within Nginx I use the following location block to require authentication.

  location /control {
    auth_basic            "Restricted Area: Control";
    auth_basic_user_file  /home/deployer/sites/domain.com/control/.htpasswd;
  }

When going to the password protected directory I'm prompted for a username and password. I enter my previously created credentials and I'm then presented with an error 403 forbidden page.

Access logs show me that I'm hitting the login prompt and then logging in as the "admin" user:

64.123.456.225 - - [12/May/2013:17:30:48 +0000] "GET /control HTTP/1.1" 401 597 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
64.123.456.225 - admin [12/May/2013:17:30:48 +0000] "GET /control HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
64.123.456.225 - admin [12/May/2013:17:30:59 +0000] "GET /control/memcache/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"

The error logs show the following:

2013/05/12 17:31:01 [error] 30462#0: *1 directory index of "/home/deployer/sites/domain.com/control/memcache/" is forbidden, client: 64.123.456.225, server: domain.com, request: "GET /control/memcache/ HTTP/1.1", host: "domain.com"
2013/05/12 17:31:09 [error] 30462#0: *1 directory index of "/home/deployer/sites/domain.com/control/memcache/" is forbidden, client: 64.123.456.225, server: domain.com, request: "GET /control/memcache/ HTTP/1.1", host: "domain.com"

If I remove the Auth block for the Nginx .conf for that site I can then access the page like normal.

Thanks for any help!

Answer 1

If you are running NGINX in a dockerized environment, it helps putting the .htpasswd file in the same directory as the NGINX configuration file, default.conf

For example, assuming that I have my .htpasswd in /home/centos/nginx/conf (which is also a Docker volume):

/home/centos/nginx/conf
drwxr-xr-x. 2 centos centos   70 Sep 14 17:39 .
drwxr-xr-x. 3 centos centos   40 Sep 14 17:02 ..
-rw-r--r--. 1 centos centos 1409 Sep 14 17:39 default.conf
-rw-r--r--. 1 root   root     44 Sep 14 16:52 .htpasswd

Remember that you have to indicate the location in the NGINX container, not in your host machine.

In my case, the location of the configuration files in the container is:

   /etc/nginx/conf.d

which is a volume that matches my host directory

   /home/centos/nginx/conf

Therefore, the location you should specify in your default.conf file is the following, which is what NGINX sees:

   location / {
       auth_basic  "Administrato's area";
       auth_basic_user_file /etc/nginx/conf.d/.htpasswd;