Raspberry Pi Home Server – Restrict the access to your sites using Nginx

In this site's tutorials, I exclusively use Nginx. I find it powerful, lightweight and simple to configure. Yet one point I have never covered is securing sites. We will address that today!


When Madam ran into problems with her host, with outages that kept coming back more and more often, she asked me if we could do something. So I thought of getting a new toy to install WordPress on. I ordered my new Raspberry Pi from Radio Spares and am ready to get started with self-hosting 🙂

The thing is, when we set up our site or the web interface of our favorite tool, we are often happy with the result once it works and stop there. Yet there is a step that must not be neglected: securing the site and controlling access.

Some tools, Raspcontrol for example, include user management. But others (transmission, rTorrent, etc.) are directly accessible. You can use two methods to restrict such access with Nginx.

To start, you can follow this tutorial to install Nginx with PHP support. Next we'll create 3 pages for our demonstration. Everything is done in /var/www:

  1. Create the file /etc/nginx/sites-enabled/tutorial with the following content :
    server {
       # Port we listen on
       listen 80;
       # Name of the server as seen by Nginx
       server_name tutorial;
       # Root of the files
       root /var/www;
       # Deny all access to .ht files. This is where we will store logins/passwords
       location ~ /\.ht {
          deny all;
       }
       # What is displayed when access is refused (HTTP error 403)
       error_page 403 /refus.html;
       # What is done at the root of the server (files in /var/www)
       location / {
          # By default index.html is displayed
          index index.html;
       }
       # What is done in the part1 directory
       location /part1/ {
          # By default index.html is displayed
          index index.html;
          # Access denied to this IP (replace <IP> with the address to block)
          deny <IP>;
          # All IPs of the network are allowed, except the one above thanks to the previous rule
          allow 192.168.1.0/24;
          # All other IPs are denied
          deny all;
       }
       # What is done in the part2 directory
       location /part2/ {
          # By default index.html is displayed
          index index.html;
          # Message displayed when asking for the login and password
          auth_basic "Please identify";
          # Where your logins are stored. The path is the full path
          auth_basic_user_file $document_root/part2/vos_users;
       }
    }
  2. Restart Nginx
    service nginx restart
  3. Create the file /var/www/index.html with the following content :
    This is the index.html page
  4. Create the file /var/www/refus.html with the following content:
    Access denied
  5. Create the directory /var/www/part1/ and create the file index.html in it with the following content:
    This is the /part1/index.html page
  6. Create the directory /var/www/part2/ and create the file index.html in it with the following content:
    This is the /part2/index.html page
  7. You can now run the first tests

Restrict access to certain IPs

Nginx's configuration lets you filter the IPs that may connect to the machine. The directives that manage access rules are:

  • allow: allows the IP/network that follows to connect to the server
  • deny: refuses the IP/network that follows to connect to the server

The value of these two parameters can be an IPv4 address, an IPv6 address, a network with its mask, or the value all, which opens or closes access to everyone.

In our example, the denied IP cannot connect to /part1 and is sent to the page refus.html (thanks to the error_page directive). Then the 192.168.1.x network is allowed, and finally everything else is forbidden.

As soon as your IP matches a rule, that rule applies and the rules after it are ignored. This is what makes it possible to exclude one IP from a network that is otherwise open.

The deny all closes the door to everything that was not opened by the previous rules. Not a bad idea if you do not want to make the site public.
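
The first-match behaviour described above, as an added example that is not part of the original tutorial: a small Python model of how the allow/deny list of /part1/ is evaluated, run once with the rules in the tutorial's order and once with the first two rules swapped. The address 192.168.1.50 is a constructed stand-in for the blocked IP, and the function names are hypothetical.

```python
import ipaddress

def parse_rules(lines):
    """Turn 'allow X;' / 'deny X;' lines into (action, network-or-None) pairs."""
    rules = []
    for line in lines:
        action, value = line.strip().rstrip(";").split()
        net = None if value == "all" else ipaddress.ip_network(value, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client_ip):
    """Return the action of the first rule matching client_ip.

    Rules are checked in order and the first match wins, as in Nginx.
    If no rule matches, the request is allowed.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"

# Constructed sample: 192.168.1.50 stands in for the single IP to block.
PART1 = parse_rules(["deny 192.168.1.50;", "allow 192.168.1.0/24;", "deny all;"])
# Same rules with the first two swapped: the network rule now matches first.
SWAPPED = parse_rules(["allow 192.168.1.0/24;", "deny 192.168.1.50;", "deny all;"])

def report():
    """Map each sample client to (decision in page order, decision when swapped)."""
    clients = ["192.168.1.50", "192.168.1.10", "203.0.113.7"]
    return {ip: (decide(PART1, ip), decide(SWAPPED, ip)) for ip in clients}

if __name__ == "__main__":
    for ip, (page_order, swapped) in report().items():
        print(f"{ip:15} page order: {page_order:5}  swapped: {swapped}")
```

With the rules swapped, the blocked address is let in because the network rule matches before the specific deny is ever reached.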

Restrict access with a login and password

If IP filtering is not what you need, another solution is the classic login with password. Here again Nginx can do it for you. No need to go through PHP.

For this, use the directives as in our example, in the block you are interested in:

      auth_basic "Please identify";


These instructions will display a message to the user who tries to access the directory part2.


Access control is done by checking the data entered against the contents of the file given in the auth_basic_user_file parameter, in our example the file /part2/vos_users. You should know that this file should not be in the protected directory, but it must be accessible by the user www-data, which is the one used by the Nginx server. For example, you can secure it with:

chmod 640 /var/www/part2/vos_users
chown root:www-data /var/www/part2/vos_users

The content of this file is a list of the users that can connect, each with the associated password. The format is:


The password must be encoded with the crypt function. Adding an entry could not be easier! You can run the following command to add the user pihome with the password raspi:

printf "pihome:$(openssl passwd -crypt raspi)\n" >> /var/www/part2/vos_users


You can find info on this subject on this page.
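
A check a practitioner may want to run on the resulting user file, as an added example that is not part of the original tutorial: a Python audit that names the hash scheme of each entry and flags the weak ones, including the traditional DES crypt output of the command above. It assumes the usual name:password[:comment] layout of an Nginx user file; the function names and the sample entries are constructed for illustration.

```python
import os
import re
import stat

# Order matters: prefixed schemes first, bare 13-character DES crypt last.
SCHEMES = [
    (re.compile(r"^\{PLAIN\}"), "plaintext", True),
    (re.compile(r"^\{SHA\}"), "unsalted SHA-1", True),
    (re.compile(r"^\{SSHA\}"), "salted SHA-1", False),
    (re.compile(r"^\$apr1\$"), "Apache MD5 (apr1)", False),
    (re.compile(r"^\$[56]\$"), "SHA-256/512 crypt", False),
    # What `openssl passwd -crypt` emits; only the first 8 password characters count.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional DES crypt", True),
]

def audit(text):
    """Return (user, scheme, weak) for every entry in a user file's text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            findings.append((line, "malformed line", True))
            continue
        hashed = rest.split(":", 1)[0]  # an optional :comment may follow
        for pattern, name, weak in SCHEMES:
            if pattern.search(hashed):
                findings.append((user, name, weak))
                break
        else:
            findings.append((user, "unrecognised", True))
    return findings

def world_accessible(path):
    """True if 'other' has any permission bit on the file (the tutorial uses 640)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o007)

# Constructed sample entries; the hash strings are made up, not real hashes.
SAMPLE = """pihome:ab0123456789.
alice:$apr1$saltsalt$0123456789abcdefghijkl
bob:{PLAIN}secret:temporary account
"""

if __name__ == "__main__":
    for user, scheme, weak in audit(SAMPLE):
        print(f"{user:8} {scheme:22} {'WEAK' if weak else 'ok'}")
```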

What about PHP?

For PHP, simply put the block that links to php-fpm inside the one that handles your protected directory. If you put it outside, a PHP page accessed directly can still run.

That's it for protecting your servers. Now you can open them up to the world and access them from your phone without being too worried 🙂
