Server setup (WEB, DB)

Restriction of the access with the help of Nginx

by 날으는물고기 2009. 10. 13.


This short post is about protecting files and parts of a web site with a username and password. Nginx offers several ways to do this, and the solution is no less attractive than in Apache.

In the configuration file, name the location to be closed and point it at the file with the passwords; nothing more is needed.
Here are two examples. The first closes a folder with files:
        location ^~ /files/ {
            root   /path/to/server;
            autoindex    on;
            autoindex_exact_size  off;
            auth_basic "Hello, please login";
            auth_basic_user_file /usr/nginx/passwords;
            access_log   /usr/nginx/logs/files.log   download;
        }
and the second closes the admin folder with an additional restriction by IP address (by default Nginx requires both checks to pass: the client must come from an allowed address and also log in):
        location ^~ /admin/ {
            fastcgi_pass unix:/home/project/server.sock;
            include  conf/fastcgi.conf;
            allow 11.11.0.0/16;
            allow 22.22.22.22;
            deny all;
            auth_basic "Hello, Admin, please login";
            auth_basic_user_file /usr/nginx/adminpassword;
            access_log   /usr/nginx/logs/admin.log  main;
        }
Apache's htpasswd utility can be used to create new users and to update usernames and passwords (the -b option takes the password on the command line; without it, htpasswd prompts for the password):
htpasswd -b passwords NewUser NewPassword
The resulting entry in the file, with the hashed password, looks like this:
NewUser:P47ghZ4kloG78: You can comment here
Protection against password guessing can be built with two iptables-based methods, which can be used at the same time:
  • Temporarily block an IP address if its number of requests per second exceeds a reasonable limit.
  • Write failed attempts to a log, check it with a script every minute, and feed the offending IP addresses into iptables.
For the first variant it is enough to create these rules:
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW \
    -m recent --name bhttp --set
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -m state --state NEW \
    -m recent --name bhttp --update --seconds 120 --hitcount 360 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -i eth0 -j ACCEPT
TARPIT can be used instead of DROP to make life harder for the crackers. (The recent match remembers only 20 packets per address by default; a --hitcount of 360 requires loading the xt_recent module with a larger ip_pkt_list_tot.)

For the second variant, add this to the config:
        location /401.html {
            root   /usr/nginx;
            access_log   /usr/nginx/logs/denied.log  error401;
        }
In my setup, the error401 log format looks like this:
log_format error401  '$remote_addr - $remote_user [$time_local] '
                     '$status "$request"';
Now all failed logins are saved in a separate log file, which is checked by a cron job every minute:
*/1 * * * * root /usr/nginx/parser401.pl >/dev/null 2>&1
For example, this script, parser401.pl, checks the log file and, if it finds more than 4 attempts with a wrong password, blocks that IP address.
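The parser401.pl script itself is not reproduced on the page; the following is an added Python example (not the author's Perl script) that implements the same check over lines written in the error401 format shown above. The sample log lines, the threshold of 4 and the generated iptables rule are constructed assumptions, and the rules are returned rather than executed.

```python
import re
from collections import Counter

# Constructed sample lines in the page's error401 log_format:
# '$remote_addr - $remote_user [$time_local] $status "$request"'
SAMPLE_LOG = """\
203.0.113.5 - - [13/Oct/2009:10:00:01 +0900] 401 "GET /admin/ HTTP/1.1"
203.0.113.5 - - [13/Oct/2009:10:00:02 +0900] 401 "GET /admin/ HTTP/1.1"
203.0.113.5 - - [13/Oct/2009:10:00:03 +0900] 401 "GET /admin/ HTTP/1.1"
203.0.113.5 - - [13/Oct/2009:10:00:04 +0900] 401 "GET /admin/ HTTP/1.1"
203.0.113.5 - - [13/Oct/2009:10:00:05 +0900] 401 "GET /admin/ HTTP/1.1"
198.51.100.7 - - [13/Oct/2009:10:00:06 +0900] 401 "GET /files/ HTTP/1.1"
198.51.100.7 - admin [13/Oct/2009:10:00:07 +0900] 200 "GET /admin/ HTTP/1.1"
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<status>\d{3}) "(?P<request>[^"]*)"$'
)

def count_failures(log_text, status="401"):
    """Count requests per client IP with the given status; unparsable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == status:
            counts[m.group("ip")] += 1
    return counts

def offenders(log_text, threshold=4, already_blocked=frozenset()):
    """IPs with more than `threshold` failed logins that were not blocked on an earlier run."""
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n > threshold and ip not in already_blocked)

def block_commands(ips):
    """iptables rules that drop the offenders (assumed rule shape; returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in ips]

if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Note that a browser's first request to a protected location is answered with a 401 before it sends credentials, so every legitimate login produces at least one such line; that is why the threshold is above 1. Because the cron job re-reads the same file every minute, the script must remember which addresses it already blocked or the log must be rotated.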


NginxModules : http://wiki.nginx.org/NginxModules
