Raspberry Pi Home Server – Restrict the access to your sites using Nginx

In the tutorials on this site I use Nginx exclusively. I find it powerful, lightweight and simple to configure. One point I have never covered, though, is securing the sites it serves. We will try to address that today!


Madame has been having problems with her hosting provider, with outages that come back more and more often, so she asked me whether we could do something about it. I thought I would get a new toy and install WordPress on it. I ordered my new Raspberry Pi, on sale at Radio Spares, and I am ready to get started with self-hosting 🙂

The thing is, once you have set up your site or the web interface of your favourite tool, you are usually happy with the result and stop there. Yet there is one step that should not be neglected: securing the site and controlling who can access it.

Some tools, Raspcontrol for example, have their own user management. Others (Transmission, rTorrent, etc.) are directly accessible to anyone who can reach the server. Nginx gives you two methods to restrict that access.

To begin, you can follow this tutorial to install Nginx with PHP support. Then we will create three pages for our demonstration. Everything lives in /var/www:

  1. Create the file /etc/nginx/sites-enabled/tutorial with the following content:
    server {

       # Port we listen on
       listen 80;

       # Name of the server as known to Nginx
       server_name tutorial;

       # Root directory of the files
       root /var/www;

       # Deny all access to .ht* files (Apache's .htpasswd/.htaccess convention,
       # where logins/passwords are traditionally stored)
       location ~ /\.ht {
          deny all;
       }

       # Page displayed when access is refused (HTTP error 403)
       error_page 403 /refus.html;

       # What is done at the root of the server (files in /var/www)
       location / {
          # By default, display index.html
          index index.html;
       }

       # What is done in the part1 directory
       location /part1/ {
          # By default, display index.html
          index index.html;

          # Access denied to the IP 192.168.1.10
          deny 192.168.1.10;

          # All IPs of the network 192.168.1.0/24 are allowed,
          # except 192.168.1.10 thanks to the previous rule
          allow 192.168.1.0/24;

          # All other IPs are denied
          deny all;
       }

       # What is done in the part2 directory
       location /part2/ {
          # By default, display index.html
          index index.html;

          # Message shown when asking for the login and password
          auth_basic "Please identify";

          # File holding the logins and hashed passwords (give the full path)
          auth_basic_user_file /var/www/part2/vos_users;
       }

    }
  2. Restart Nginx
    service nginx restart
  3. Create the file /var/www/index.html with the following content :
    <html>
    
    <body>
    
    This is the index.html page
    
    </body>
    
    </html>
  4. Create the file /var/www/refus.html with the following content:
    <html>
    
    <body>
    
    Access denied
    
    </body>
    
    </html>
  5. Create the directory /var/www/part1/ and, inside it, the file index.html with the following content:
    <html>
    
    <body>
    
    This is the /part1/index.html page
    
    </body>
    
    </html>
  6. Create the directory /var/www/part2/ and, inside it, the file index.html with the following content:
    <html>
    
    <body>
    
    This is the /part2/index.html page
    
    </body>
    
    </html>
  7. You can now run the first tests (http://tutorial/, http://tutorial/part1/ and http://tutorial/part2/).

Restrict the access to certain IP

Nginx lets you filter, in its configuration, the IP addresses that may connect to the machine. The directives that manage the access rules are:

  • allow : allows the IP address or network that follows to connect to the server
  • deny : refuses the IP address or network that follows

The value of either directive can be an IPv4 address, an IPv6 address, a network in CIDR notation (192.168.1.0/24), or the keyword all, which opens or closes the door to everyone.

In our example, the IP 192.168.1.10 cannot access /part1/ and receives HTTP error 403, whose body is the page refus.html (thanks to the error_page directive). The 192.168.1.x network is then authorised, and finally everything else is denied.

Rules are evaluated in order, from top to bottom: as soon as your IP matches a rule, that rule is applied and the following ones are ignored. This is what makes it possible to exclude the IP 192.168.1.10 even though the network 192.168.1.0/24 is open. The order matters: if the allow line came first, the deny line below it would never be reached.

The final deny all closes the door to everything that was not explicitly opened by the previous rules. Not a bad idea if you do not want a public site.
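As an added illustration (this is not configuration from the original tutorial), here is the /part1/ rule set in the wrong order beside the correct one, plus a variant that combines the two methods of this article. The IPs and the users file path are those used above; the location names /wrong/ and /part3/ are made up for the example. Rules are checked top to bottom and the first match wins.

```nginx
# Added example: rule ordering in ngx_http_access_module.

# WRONG: the /24 allow matches 192.168.1.10 before the deny is reached,
# so the deny line is dead and 192.168.1.10 gets in.
location /wrong/ {
   allow 192.168.1.0/24;
   deny  192.168.1.10;
   deny  all;
}

# CORRECT: the most specific rule (the single host) comes first.
# IPv6 works the same way; the ::1 line is just to show the syntax.
location /part1/ {
   deny  192.168.1.10;
   allow 192.168.1.0/24;
   allow ::1;
   deny  all;
}

# COMBINED: LAN clients get in without a password, everyone else must
# authenticate. "satisfy any" means passing ONE of the two checks is enough;
# with the default ("satisfy all") a LAN client would also need a password.
location /part3/ {
   satisfy any;
   allow 192.168.1.0/24;
   deny  all;
   auth_basic "Please identify";
   auth_basic_user_file /var/www/part2/vos_users;   # users file from this tutorial
}
```

Test the ordering from two machines (or two addresses on the same one) rather than reasoning about it: a request from 192.168.1.10 to /wrong/ returns 200, the same request to /part1/ returns 403.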

Restrict the access with login and password

If filtering by IP is not what you need, the other solution is the classic login and password. Nginx can do it for you; there is no need to go through PHP.

For this, use the two directives from our example in the block you want to protect:

      auth_basic "Please identify";
      auth_basic_user_file /var/www/part2/vos_users;

These directives make the browser prompt anyone who tries to reach the part2 directory for a login and a password, with the message given to auth_basic.


The access control is done by checking the credentials entered against the contents of the file named in auth_basic_user_file, in our example /var/www/part2/vos_users. This file does not have to be in the protected directory, but it must be readable by the user www-data, which is the one the Nginx server runs as. Note that in this example the file sits under the document root, so a client who has authenticated could download the hash file itself by requesting /part2/vos_users; on a real deployment keep it outside /var/www (for instance under /etc/nginx/) and point auth_basic_user_file there. Whatever its location, restrict it with:

chmod 640 /var/www/part2/vos_users
chown root:www-data /var/www/part2/vos_users

The file is a list of the users who may connect, one per line, with the associated password hash. The format is:

user:password

The password must be hashed, not stored in clear; Nginx accepts hashes produced by the crypt() function (and Apache's $apr1$ format). Adding an entry could not be simpler: the following command adds the user pihome with the password raspi:

printf "pihome:$(openssl passwd -crypt raspi)\n" >> /var/www/part2/vos_users

Two caveats: -crypt produces the traditional DES-based hash, for which only the first 8 characters of the password count, and the option was removed in OpenSSL 3.0, so on a current system prefer openssl passwd -apr1 raspi or openssl passwd -6 raspi (SHA-512 crypt), which Nginx accepts as well. Also, passing the password on the command line leaves it in your shell history; running openssl passwd without the password argument makes it prompt you instead.


You can find more information on this subject on this page.

And what about PHP?

For PHP, simply put the block that hands requests to php-fpm inside the one that handles your protected directory. If you leave it outside, at server level, a PHP page can be run by requesting it directly: Nginx checks regular-expression locations (such as location ~ \.php$) before settling on a prefix location, so the request never passes through the allow/deny or auth_basic rules of the protected block.

That is it for protecting your servers. You can now open them to the world and access them from your phone without worrying too much 🙂
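As an added example (not the tutorial's own configuration) of where the PHP block has to sit: the first form leaks PHP pages under /part2/, the second protects them. In the corrected form the server-level PHP block is removed, not duplicated. It assumes php-fpm listening on the UNIX socket /run/php/php-fpm.sock; adjust the path to your installation.

```nginx
# Added example: protecting PHP pages under /part2/.

# WRONG: a regular-expression location at server level is matched before
# the /part2/ prefix location is chosen, so /part2/index.php is handled
# here and never sees the auth_basic rules of /part2/.
location ~ \.php$ {
   include fastcgi_params;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
}

# CORRECT: nest the PHP block inside the protected location, so the
# authentication applies to static and PHP files of /part2/ alike.
location /part2/ {
   index index.php index.html;
   auth_basic "Please identify";
   auth_basic_user_file /var/www/part2/vos_users;

   location ~ \.php$ {
      try_files $uri =404;          # only hand scripts that exist on disk to php-fpm
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
   }
}
```

Check it the same way as the static pages: a request for /part2/index.php without credentials must return 401, not the PHP output. The same nesting applies to the allow/deny rules of the previous section.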


  • vins987

    Good evening,

    Could you give an example for rutorrent please? I tried it with the test and it works PERFECTLY!!! But I think rutorrent uses PHP (I think so).

    Thanks in advance!!

    Your tutorial helped me a lot with my setup and my tests!!!

  • TEF

    Hello,

    I am trying to set up login/password authentication for FreshRSS, but it refuses my login or my password.
    I don't get any nginx error and the login window is displayed normally. I also tried different passwords, with and without encryption. No result.
    Here is my conf file:

    server {
       listen 8080;
       server_name FreshRSS;
       root /var/www/FreshRSS/public;
       index index.php index.html index.htm;
       auth_basic "Please identify";
       auth_basic_user_file /var/www/requires an authentication;
       location ~ \.php$ {
          fastcgi_pass unix:/var/run/php5-fpm.sock;
          fastcgi_index index.php;
          include fastcgi_params;
       }
    }

    If anyone knows what is happening…

  • TEF

    This is what I found digging through the logs:

    2013/06/23 10:41:36 [error] 20600#0: *7 no user/password was provided for basic authentication, client: 192.168.1.78, server: freshrss, request: "GET / HTTP/1.1", host: "raspitef.no-ip.org:8080"

    So apparently it does not find my file containing the login/password?

    • It is indeed possible that the file cannot be accessed by the server and that this is what generates the message

      • TEF

        I found where the error came from!

        After hours of searching in the Nginx docs, it was finally on the side of the password encoding that the answer was to be found…
        Taking your example, I had to add a backslash after the parenthesis and before the 'n':
        printf "pihome:$(openssl passwd -crypt raspi)\n" >> /var/www/part2/vos_users

        see this page : http://wiki.nginx.org/Faq#How_do_I_generate_an_htpasswd_file_without_having_Apache_tools_installed.3F

        There you go, have a good Sunday

        • Thanks, this is corrected. I think the old theme ate my character. Otherwise the n on its own makes no sense 😉