Password Protecting Directories With Nginx

The first thing you will need to do is create a file called .htpasswd (it doesn’t have to be named that way). The following command creates a new .htpasswd file and stores a record in it for user tom.

htpasswd -bc /var/www/ tom password

To create another user:

htpasswd -b /var/www/ john password

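If you get a “command not found” error, you probably don’t have apache2-utils installed.
The .htpasswd file should be placed above your www root directory or in another directory that is not web-accessible.
Note that the -b flag takes the password from the command line, where it is visible in your shell history and the process list; omit -b and htpasswd prompts for the password instead.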

Next, edit your site’s configuration file by adding the following lines inside the server block:

location ^~ /secretdirectory/ {
    auth_basic            "Restricted";
    auth_basic_user_file  /var/www/;

    # Nested so that PHP requests under this path stay behind auth_basic
    location ~ \.php {
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # a fastcgi_pass directive for your PHP backend also belongs here (not shown on this page)
    }
}

Restart nginx for the configuration changes to take effect:

/etc/init.d/nginx restart

Finally, test that everything is working correctly. Browse to the protected location (/secretdirectory/ in the configuration above) and you should be prompted for your username and password.
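Why the ^~ modifier and the nested PHP block in the configuration above matter, as an added example that is not part of the original post: a simplified Python model of nginx's location selection, covering only plain prefix, ^~, ~ and ~* locations with one level of nesting. The `weak` and `half` layouts and the server-level `\.php` handler are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Location:
    modifier: str                 # "" (plain prefix), "^~", "~" or "~*"
    pattern: str
    auth: bool = False            # True when auth_basic is set in this block
    children: list = field(default_factory=list)

    def matches(self, uri):
        if self.modifier in ("~", "~*"):
            flags = re.IGNORECASE if self.modifier == "~*" else 0
            return re.search(self.pattern, uri, flags) is not None
        return uri.startswith(self.pattern)

def first_regex(uri, locations):
    """Regex locations are tried in configuration order; the first match wins."""
    return next((l for l in locations
                 if l.modifier in ("~", "~*") and l.matches(uri)), None)

def resolve(uri, locations):
    """Return (selected location, auth_required) for a request URI."""
    prefixes = [l for l in locations
                if l.modifier in ("", "^~") and l.matches(uri)]
    best = max(prefixes, key=lambda l: len(l.pattern), default=None)
    if best:
        nested = first_regex(uri, best.children)
        if nested:                # nested block inherits the parent's auth_basic
            return f"{best.pattern} > {nested.pattern}", best.auth or nested.auth
        if best.modifier == "^~":  # ^~ skips the server-level regex check
            return best.pattern, best.auth
    regex = first_regex(uri, locations)
    if regex:                     # a server-level regex beats a plain prefix
        return regex.pattern, regex.auth
    return (best.pattern, best.auth) if best else (None, False)

PHP = Location("~", r"\.php")     # constructed server-level PHP handler, no auth
# Constructed layouts: plain prefix, ^~ without the nested block, the tutorial's.
weak = [Location("", "/secretdirectory/", auth=True), PHP]
half = [Location("^~", "/secretdirectory/", auth=True), PHP]
tutorial = [Location("^~", "/secretdirectory/", auth=True,
                     children=[Location("~", r"\.php")]), PHP]

if __name__ == "__main__":
    for name, conf in (("weak", weak), ("half", half), ("tutorial", tutorial)):
        for uri in ("/secretdirectory/", "/secretdirectory/info.php"):
            print(f"{name:9}{uri:27}{resolve(uri, conf)}")
```

In the `weak` layout the .php request is taken by the server-level regex location and never sees auth_basic. In the `half` layout it is authenticated but stays in the ^~ block, so it is not handed to FastCGI.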

  • Abdi Joseph

    Hello Everybody,

    I need some help …
    Currently I am allowing authentication to the /administrator folder by (and this is working fine for me):

    location /administrator {

    index index.html index.php;
    auth_basic "Members Only";
    auth_basic_user_file ;
    }

    However, the problem with that is if a user installs, say, Joomla in a subfolder within root, e.g.

    /joomla/ then that setting does not take effect.

    I would like it to take effect for any administrator folder accessed via the web, regardless of the folder level.


    and etc ..

    ALL those should be authenticated based on my .htaccess file defined above.

    Please advise me on how I can modify the above directive to support that …

    • admin


      Author Reply


      try using something like this:

      location ~*/*administrator {

  • Dario Zadro

    Was looking for this as most other sites leave off the fact you need the nested location block for PHP files. Thanks a bunch!

  • Paul Johnson

    I’m a newbie at setting up servers, but I am trying to password-protect the root directory of a development server so that anyone who tries to access the site has to use a password.
    I keep getting a 403 forbidden error when trying to access the /secretdirectory/ folder. I created an info.php file to test and have the same results.

    I have two questions.

    1. Where is the .htpasswd file stored for each user?
    2. What do I need to change in the code to protect the root directory?

    I appreciate the help.


    • admin


      Author Reply

      1. If you used the same htpasswd command from the article (htpasswd -bc /var/www/ then the file is located in /var/www/

      2. You should check your domain log files and see why you are getting 403 forbidden. 403 Forbidden is technically not an error but an HTTP status code. 403 response headers are intentionally returned in many cases, such as:
      User is blocked from requesting that page/resource or the site as a whole.
      User tries to access a directory but autoindex is set to off.
      User tries to access a file that can be only accessed internally.
      Also, what code are you referring to?

  • Paul Johnson

    So I set up the server on CentOS 7 and followed a guide on installing Nginx. Since the default nginx html folder is in ‘/usr/share/nginx/html’ I created the .htpasswd file there, but I am not seeing it via SSH nor FileZilla.

    The code I was referring to is the code that goes in the site’s configuration file, which, if I placed it correctly, goes in ‘/etc/nginx/conf.d/default.conf’

    • admin


      Author Reply

      The file should be there if you used the command with the -c argument which creates the file in the given path.

      You should put the code inside your domain server-block.

      • Paul Johnson

        Hmm. This is the output I get.
        [user@localhost ~]$ cd /usr/share/nginx/html
        [user@localhost html]$ ls
        50x.html cordaroys index.html info.php secretdirectory test
        [user@localhost html]$ htpasswd -bc /usr/share/nginx/html/.htpasswd User1 Enter
        Adding password for user User1
        [user@localhost html]$ ls
        50x.html cordaroys index.html info.php secretdirectory test

        So I gather it’s not creating the file and that’s probably the cause of my problem. Tried sudo as well.

  • admin


    Author Reply

    Any file that starts with a dot character is treated as hidden. The ls command does not display them unless the -a flag (ls -a) is used.
    Use ‘ls -a’ to list hidden files.

  • Dimitrios


    Author Reply

    Thanks for the tutorial, but I have a problem.
    When I enter domain . com/admin/ it asks me for a password (so far so good).
    When I enter domain . com/admin/admin.php you can enter with no password!

    Anyone? Please?