Does nginx auth_basic work over HTTPS?

Question

I've been trying to setup a password protected directory in a SSL website as follows:

/etc/nginx/sites-available/default

server {
    listen 443:
    ssl on;
    ssl_certificate /usr/certs/server.crt;
    ssl_certificate_key /usr/certs/server.key;

    server_name server1.example.com;

    root /var/www/example.com/htdocs/;
    index index.html;

    location /secure/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/example.com/.htpasswd;
    }
}

The problem is when I try to access the URL https://server1.example.com/secure/, I get a "404: Not Found" error page.

My error.log shows the following error:

011/11/26 03:09:06 [error] 10913#0: *1 no user/password was provided for basic authentication,
client: 192.168.0.24, server: server1.example.com, request: "GET /secure/ HTTP/1.1",
host: "server1.example.com"

However, I was able to setup password protected directories for a normal HTTP virtual host without any problems.

Is it a problem with the config or something else?

Answer 1

Possibly it's a path problem for auth_basic_user_file, where your absolute path is confusing nginx:

http://wiki.nginx.org/HttpAuthBasicModule#auth_basic_user_file

Since version 0.6.7 the filename path is relative to directory of nginx configuration file nginx.conf, but not to nginx prefix directory.

I'm not sure how you have it working in the other cases. The quote from the documentation suggests that you should have to have something like:

auth_basic_user_file htpasswd/www.example.com

where you'd have the password file as "/etc/nginx/htpasswd/www.example.com" if you have "/etc/nginx/nginx.conf" as your server configuration file.

You can check nginx configuration by running "sudo nginx -t". If there's a configuration error, i.e., the auth file is not where it expects it to be, it should tell you at that point.