PHP - Secure your app with HTTP Basic Auth

Introduction

Our PHP deployment stack uses Nginx and PHP-FPM to serve your application's requests. If you want to set up basic auth in front of your app, or in front of only part of it, there are two ways to do it.

Either you implement it in your application (here is an example with Symfony2), or you configure the authentication before the request reaches your PHP code.

This article deals with the second case: configuring HTTP basic auth independently from your app.

Configuration

Nginx configuration

Create a directory config in your project:

mkdir config

Create the file nginx-basic-auth.conf in this directory with the following content:

To protect the complete website:

auth_basic           "Protected Site";
auth_basic_user_file "/app/config/htpasswd";

To protect only part of a website, here everything under /wp-admin:

location ~ /wp-admin {
  auth_basic           "Protected Site";
  auth_basic_user_file "/app/config/htpasswd";
}

Create the config/htpasswd file, which holds the user / hashed password pairs, with the following command:

htpasswd -c config/htpasswd username

# Then a prompt will ask for the password

That's it: with those two files, nginx is able to ask for basic authentication. The last thing to do is to instruct Scalingo's deployment process to use your configuration file.

Deployment process configuration

This process requires editing the composer.json file of your project, as follows:

{
  ...
  "extra": {
    "paas": {
      "nginx-includes": ["config/nginx-basic-auth.conf"]
    }
  }
}

If you are not using Composer, create a composer.json file with the previous content, and also create a composer.lock file containing an empty JSON object: {}

Tip: You can find more information about extra configuration in the PHP support page.
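Two things are easy to get wrong in the steps above: the hash scheme stored in config/htpasswd, and the composer.json wiring that makes Scalingo pick up the nginx include. The following added example (not part of the original article or of Scalingo's tooling) lints a constructed htpasswd file for weak hash schemes and reads the nginx-includes list back out of a constructed composer.json; the sample entries are made up and are not real credentials.

```python
"""Check an htpasswd file for weak hash schemes and confirm the composer.json
"extra.paas.nginx-includes" entry that the deployment process reads."""
import json
import re

# Hash-scheme detection based on the prefix conventions of the htpasswd file format.
# (pattern, scheme name, considered weak)
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt", False),
    (re.compile(r"^\$apr1\$"), "apr1-md5", True),          # MD5-based, cheap to brute-force
    (re.compile(r"^\{SHA\}"), "sha1", True),               # unsalted SHA-1
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "crypt", True),   # legacy DES crypt(3), 8-char limit
]

def classify(hash_field):
    """Return (scheme, weak) for one password field; unknown formats count as weak
    because a bare word here would be a plaintext password."""
    for pattern, name, weak in SCHEMES:
        if pattern.match(hash_field):
            return name, weak
    return "plaintext-or-unknown", True

def lint_htpasswd(text):
    """Return one (line number, user, scheme, weak) tuple per credential line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((lineno, None, "malformed", True))
            continue
        user, hash_field = line.split(":", 1)
        scheme, weak = classify(hash_field)
        findings.append((lineno, user, scheme, weak))
    return findings

def nginx_includes(composer_json_text):
    """Return the list of nginx include files declared under extra.paas, or []."""
    data = json.loads(composer_json_text)
    return data.get("extra", {}).get("paas", {}).get("nginx-includes", [])

# Constructed sample data: the hashes below are not real and match no password.
SAMPLE_HTPASSWD = """# constructed sample, not real credentials
admin:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345
editor:$apr1$saltsalt$abcdefghijklmnopqrstuv
legacy:abJnggxhB/yWI
oops:hunter2
"""
SAMPLE_COMPOSER = '{"extra": {"paas": {"nginx-includes": ["config/nginx-basic-auth.conf"]}}}'

if __name__ == "__main__":
    for lineno, user, scheme, weak in lint_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {lineno}: {user}: {scheme}{' (WEAK)' if weak else ''}")
    print("nginx includes:", nginx_includes(SAMPLE_COMPOSER))
```

htpasswd writes MD5-based (apr1) hashes by default; its -B flag selects bcrypt, which is the only scheme the linter accepts as strong.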

Redeploy your app

git add config/nginx-basic-auth.conf config/htpasswd composer.json
git commit -m "setup basic auth"
git push scalingo master

That's it: basic auth will be requested when connecting to the website.

24 Jun 2016