Protecting some applications/paths with HTTP basic auth

Hi everyone,

I am experimenting with Yunohost to replace my home-grown server installation. I have a Wordpress blog which is currently available at:

https://mydomain.com/myblog

To reduce the attack surface, visitors first get basic HTTP authentication, set up with Apache, when they open the URL. Only visitors with the correct HTTP username and password can access Wordpress at all. Normal visitors do not have Wordpress accounts and use Wordpress anonymously. Authors and admins have accounts and log into Wordpress in addition to the HTTP auth. Everyone (visitors, authors, admins) uses the same HTTP username and password.

I would like to have the same setup with Yunohost. I tried the following options:

  • Install the HTTP Auth plugin for Wordpress: HTTP Auth – WordPress plugin | WordPress.org. It does not seem to be compatible with the Yunohost setup; I get authentication errors or 500 errors from nginx.
  • Install the Password Protected plugin for Wordpress: Password Protected – WordPress plugin | WordPress.org. It works and kind of does the job, but the protection is lower than with an HTTP auth: Wordpress itself and potential security flaws are accessible to anyone with the base URL, and Wordpress media files can be accessed directly without the password if their path is known.

I am wondering if I can modify the nginx configuration created by Yunohost to add an HTTP auth for /myblog, but I fear that it will conflict with Yunohost's own authentication mechanisms, as was probably the case with the HTTP Auth plugin for Wordpress.

So my question is: is it possible at all to protect some applications with an additional HTTP authentication using Yunohost?

Thanks!
Oliver

@oliv85559
I am not an expert in nginx, but I know nginx uses a modular syntax like Apache;
in that case nginx uses htpasswd the same way.

Instead I will explain to you how to do it with commands using ssl or apache utilities.

I wrote a tiny tool several years ago especially for these purposes;
you can download the tool from my personal server here:
https://ep.epnetwork.cf/enc/

Once you load the page you will have two links I just set for you there. The first one is the tool itself:
you can create a bcrypt password with cost level 12, which is the highest in bcrypt encryption, for your htpasswd file.

The second link is a gzip file; you can download that program so you can use it in the future whenever you need.

How to implement:
go to your console
cd /
cd /etc/nginx
nano .htpasswd
and paste this =>

myusername:$2y$12$cDRThRg53ikSsN4AcaQRQ.KTfCDXx9B7eh1ZKvWyLCkr9UJTw5nCS

save and close
note: the username, as you see, is "myusername"; change it accordingly.
The password is 1234; don't change it till you test if it's working, or set your own password with my tool.

activate the passwd:
/etc/nginx/conf.d

nano "your wordpress domain" / "website"

add these lines in the "location" block:
auth_basic "WHATEVER USER INFORMED MESSAGE";
auth_basic_user_file /etc/nginx/.htpasswd;

change => WHATEVER USER INFORMED MESSAGE
to something you like; the browser will show it to the user.

It should be something like this:

location / {
    auth_basic "WHATEVER USER INFORMED MESSAGE";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # these two directives are checked in the access phase; a "return 301 ..."
    # in the same block runs earlier (rewrite phase) and sends the redirect
    # without ever prompting, so keep the redirect in the port-80 block and
    # put the auth in the location that actually serves the site
}

Save, and test.

If it doesn't work, try to reload nginx:

sudo systemctl reload nginx

If it still doesn't work, reboot your server.

If it still doesn't work, tell me; I will try to help you and will make sure you have done everything right.

In any case please tell me right away when you are done downloading, because I opened all of my firewalls so you can reach the page.

good luck
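An added example, not from the thread or from Yunohost's own templates, contrasting the two placements of the auth directives: in the first server block the `return` runs in the rewrite phase, before the access phase, so no password is ever asked for; in the second the directives sit in the HTTPS location that serves /myblog, where the nested PHP location inherits them. The domain, paths and PHP-FPM socket are assumptions.

```nginx
# Added example (not from the thread or from Yunohost's templates).
# Assumptions: site mydomain.com, WordPress served under /myblog from
# /var/www/wordpress, PHP-FPM on /run/php/php-fpm.sock, htpasswd in /etc/nginx/.htpasswd.

# Ineffective: "return" belongs to the rewrite phase, which runs before the
# access phase in which auth_basic is checked. The redirect goes out unprompted.
server {
    listen 80;
    server_name mydomain.com;
    location / {
        return 301 https://$http_host$request_uri;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

# Effective: leave the port-80 block as a plain redirect and put the auth
# directives in the HTTPS location that serves the blog. They are inherited
# by the nested PHP location, so index.php, wp-admin and directly requested
# media files under /myblog all require the HTTP credentials.
server {
    listen 443 ssl;
    server_name mydomain.com;
    ssl_certificate     /etc/ssl/certs/mydomain.com.pem;   # assumption
    ssl_certificate_key /etc/ssl/private/mydomain.com.key; # assumption

    location /myblog/ {
        auth_basic "Restricted";                    # realm shown in the browser prompt
        auth_basic_user_file /etc/nginx/.htpasswd;  # readable by the nginx worker user only

        alias /var/www/wordpress/;
        index index.php;
        try_files $uri $uri/ /myblog/index.php?$args;

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
```

Check with `nginx -t` before `systemctl reload nginx`; `curl -I https://mydomain.com/myblog/` should then return 401 with a WWW-Authenticate header, and 200 when called with `-u myusername:1234`.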

Hi @izakis,

thanks for your message! I do not really need help setting up an HTTP auth for nginx, my question is more how to do this the “Yunohost” way and/or without causing interference with it.

Well, seriously, I have no idea.

I am not sure if Yunohost has any option to do such a thing, and like you I now also want to know how to do it,

because I just tested it and it doesn't work for me.
That is the way to do it and it works well on my other servers, but on Yunohost it doesn't.

So now I am with you on the same question.

Thank you anyway! I hope that someone knowledgeable will come to the rescue :slight_smile:

Yeah, me too.

@tituspijean
@Aleks
@tierce

Can anyone help us please?

I use WPS Hide Login – Extension WordPress | WordPress.org Français on my WPs.

It's done on the WP side, no need to touch the nginx conf.

You can choose anything you want, such as /boss, /myloginpage, /notwelcomehere or anything else.

And I also use Captcha – WordPress plugin | WordPress.org because it’s funny.

Hope this helps…

Thank you @tierce. The "WPS Hide Login" plugin is similar to "HTTP Auth" in the sense that it is a Wordpress-based solution. The idea is to use the HTTP server as an additional line of defense. It is not only additional, but also much more robust. The probability that nginx or Apache have a flaw in HTTP basic auth for a whole subdirectory is much lower than Wordpress with its huge PHP code base, plugins and files that are directly accessible once the URL is known.

Thank you @tierce.

The question is how we can use the standard htpasswd for authentication on Yunohost; doing it at the server level would be helpful.

I tested the usual way yesterday and it didn't work; moreover, I got a message on the diagnosis page about the "x.conf" file being modified.

Any hint will be appreciated.

Hi,

Authors and admins have accounts and log in into Wordpress in addition to the HTTP auth. Everyone (visitors, authors, admins) uses the same HTTP username and password.

Have you already tried to simply create a single Yunohost user and "hide" Wordpress from non-users?
That would be done in the Yunohost webadmin (Users > Groups and permissions, or directly here: yourdomain.tld/yunohost/admin/#/groups). Be sure to put the Wordpress tile in "All users" and not in "Visitors", or just in the specific single user you'll have to create.

Hi @jeremy1, sorry for the long delay, I do not have much time to work on this currently. But thank you for the hint, it sounds like an interesting idea, I will try it out soon.