How to add nginx http-basic-authentication for main panel access?

How to add nginx http-basic-authentication for main panel access?
I didn’t find any info on forum…

This is something you would need to handle manually. Hestia brings its own nginx (/usr/local/hestia/nginx) for the panel itself, so you would need to add something to that config. However, afaik there is no general include rule for any custom file, so changes there probably get lost on the next update.

I’d suggest proxying the panel through the regular nginx with a custom conf/template and adding basic auth in there. This also lets you get rid of the extra port (or, better said, keep it internal).


I tried to add the config to the Hestia nginx config, but it’s not working… maybe I missed something…

probably… my crystal ball is out for maintenance though :wink: :wink:


I’m not sure what you’re trying to accomplish. If you just want to secure the login page and it’s only you who is accessing it (not clients), then you could try using SSH with tunneling. Supposing the panel listens at port 8083, add a tunnel from local port (client) 8083 to remote port (Hestia server) localhost:8083 and then access the panel via https://localhost:8083. If that works well, then completely block port 8083 at firewall level. That way the panel will not be world-accessible. Can’t be more secure than that :wink:

The browser will complain ofc about the certificate but that’s all right cause we know what we are doing.

Here is a screenshot of KiTTY on Windows doing just that:

I want to set up authentication like in this post: https://www.cloudsavvyit.com/1355/how-to-setup-basic-http-authentication-on-nginx
You just add one encrypted file with user+password, and when you open the website it asks you to enter the user+password from that file, and then you see the login form from Hestia.

I understand what you want to do, but I don’t understand why you need to do it. What is the reason to have an authentication prompt (nginx) on top of an authentication page (Hestia login)?

It’s a matter of personal preference, but I quite often put Apache (or nginx) basic authentication on top of a login page when I know only a small number of people are going to be using it.
My reasoning is that it’s a lot less load on the server to block at that stage, rather than letting an attacker load a PHP page and run a POST on it, which will access the database etc. Much less resource intensive just to block at the Apache level. Maybe this doesn’t make a difference for a few login attempts per hour, but if you really get hit with a blast of logins, then it is the difference between your server staying up and going down. Just my opinion … :slight_smile:

To answer the original question, I’d edit /usr/local/hestia/nginx/conf/nginx.conf and add the following lines, changing

    location / {
        expires off;
        index index.php;
    }

to

    location / {
        auth_basic "Restricted Content";
        auth_basic_user_file /path/to/hestia.passwd;
        expires off;
        index index.php;
    }

As mentioned above, you’d need to check this is still in place after each upgrade of hestia.
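
An added example, not part of any post in this thread: a shell check for the upgrade caveat above, confirming that the `location /` block in the panel's nginx.conf still has both directives. The function names are made up for this example, and it assumes one directive per line, as in the snippet above.

```shell
#!/bin/sh
# Added example, not from the thread: check that the panel's "location /" block
# still carries both basic-auth directives (for instance after a Hestia upgrade).
# Assumes one directive per line, as in the snippet above.

# Reads an nginx config on stdin and prints every auth directive found inside
# the "location / { ... }" block, one per line. Commented-out lines are ignored.
panel_auth_directives() {
    awk '
        { sub(/#.*/, "") }    # drop comments first
        !inblock && /^[ \t]*location[ \t]+\/[ \t]*[{]/ { inblock = 1; depth = 0 }
        inblock {
            if ($1 == "auth_basic" && $2 != "off;") print "auth_basic"
            if ($1 == "auth_basic_user_file") print "auth_basic_user_file " $2
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) inblock = 0
        }'
}

# Succeeds only if both directives are present in the config given on stdin.
panel_auth_enforced() {
    found=$(panel_auth_directives)
    printf '%s\n' "$found" | grep -q '^auth_basic$' &&
    printf '%s\n' "$found" | grep -q '^auth_basic_user_file '
}

# Prints the password-file path named in the block (trailing ";" removed).
panel_auth_user_file() {
    panel_auth_directives | sed -n 's/^auth_basic_user_file \(.*\);$/\1/p'
}

# Config path as given in the thread; pass a different file as $1 to override.
CONF=${1:-/usr/local/hestia/nginx/conf/nginx.conf}
if [ -r "$CONF" ]; then
    if panel_auth_enforced < "$CONF"; then
        pw=$(panel_auth_user_file < "$CONF")
        [ -s "$pw" ] || echo "WARNING: password file $pw is missing or empty" >&2
        echo "OK: basic auth is configured for the panel's location /"
    else
        echo "ALERT: basic auth is missing from location / in $CONF" >&2
        exit 1
    fi
fi
```

Run it after each panel upgrade, or from cron, and alert on a non-zero exit status.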

Looks good, but I faced strange glitches inside VestaCP with the same configuration. So I’ll try your suggestion and update this topic.