
Nginx serve static content behind authenticated page


I have created a directory called library that requires authentication to access. Upon completing authentication I would like to list all files in library for the user. I have tried autoindex to no avail, and most material I am finding doesn't cover whether or not the authentication will affect anything.

Would appreciate any help, thanks.

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm index.php;

    # Make site accessible from http://localhost/
    server_name localhost;

    location / {
            # First attempt to serve request as file, then as
            # directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
            # Uncomment to enable naxsi on this location
            # include /etc/nginx/naxsi.rules
    }

    location /website {

    }

    location /library {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

Solution

  • Your location /library block will impose the requirement of basic authentication and serve the same static files in /usr/share/nginx/html/library to all users who can successfully authenticate. In short, all users who successfully auth will see the same files in your current config.

    To serve different static files to different users, consider that Basic authentication will set the $remote_user variable (see docs) which you can utilise to make your configuration dynamic.

    For instance, if you wanted to serve a different folder for each user ID (at the same /library URL), you'd use a block like:

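    # The location prefix ends in "/" to match the trailing "/" on alias, so the
    # rest of the URI is always appended inside the user's own folder.
    location /library/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        # $remote_user is the user name that passed Basic authentication.
        alias /usr/share/nginx/html/$remote_user/;
    }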
    

    assuming your folders are named with the ID of your users and located at that path.

    If a user fails the basic auth, they'll be shown a 403 Forbidden error, which you can handle using the error_page directive to show something more useful than just a basic error. Likewise, if a user can successfully auth and a corresponding folder doesn't exist, they'll see a 404, which you could again handle with an error_page directive.
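
A fuller version of the per-user setup that also turns on the directory listing the question asks for, as an added example that is not part of the original answer. It assumes the user folders are kept under /srv/library/ (a hypothetical path outside the web root, so that `location /` cannot serve them without authentication) and that /errors/denied.html and /errors/no-library.html are hypothetical static pages under the server root.

```nginx
server {
    # Basic credentials are only base64-encoded on the wire; put this
    # behind TLS (listen 443 ssl) for anything beyond local testing.
    listen 80 default_server;
    server_name localhost;

    root /usr/share/nginx/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    # Send the bare URL to the slash-terminated location below.
    location = /library {
        return 301 /library/;
    }

    location /library/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Assumed layout: /srv/library/<user name>/, outside the web root.
        # Prefix and alias both end in "/" so the URI remainder stays
        # inside the authenticated user's directory.
        alias /srv/library/$remote_user/;

        # Authentication runs in the access phase, before the listing is
        # generated; autoindex only applies when no index file is found.
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;

        error_page 401 403 /errors/denied.html;      # failed or refused auth
        error_page 404     /errors/no-library.html;  # no folder for this user
    }

    # Error pages are reachable only through error_page, never directly.
    location /errors/ {
        internal;
    }
}
```

Run `nginx -t` to validate the syntax before reloading the server.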