
SIMPLEST way to set up password protection for a static site?

I have a static site.

I would like the simplest approach to password protecting a directory, with a basic admin UI for adding/removing users. I will have so few users that I don't care about performance.

I don't care if it's PHP or Django or whatever, I just want a complete software package.

Is there a code package that implements authentication with basic admin for a static site?


  • I use nginx and this is usually my solution. Maybe something similar to this is available for Apache. Don't know.

    In nginx, proxy can return a response with header X-Accel-Redirect with the location to where nginx is suppose to redirect. For example with the following nginx config:

    server {
       location / {
           proxy_pass: ...;
       location /media/secure/ {
           alias ...;

    if the proxy pass will return:

    X-Accel-Redirect: /media/secure/somefile;

    Then nginx will redirect the request from the proxy to the /media/secure/ location, hence serving the static file.

    So I usually authenticate a user in Django and then just return that header with the location to the file which then nginx serves. This is nice because then Django does not have to serve static file, users can't just access that secure location (because of the internal directive) and also because if all mime types are configured in nginx, then all the files are served properly...

    Again, this is for nginx, not for Apache, but maybe something similar is out there for Apache.


    Here is a simple Django code snippet assuming you are using same settings as above for nginx. This view serves secure files if its path is provided in the GET:

    def serve_secure_static(request, file_root=os.path.join(settings.MEDIA_ROOT, 'secure')):
        if not request.method == 'GET':
            return HttpResponseBadRequest('Only GET allowed')
        if not 'file' in request.GET:
            return HttpResponseBadRequest('File query must be provided')
        # make sire loggen user is allowed to see the file
        # maybe check some custom permission
        file_path = request.GET['file']
        # if in DEBUG, make Django serve static file
        # because nginx might not be configured
        if settings.DEBUG:
            abs_file_path = os.path.join(file_root, file_path)
            file_data = open(abs_file_path, 'rb').read()
            return HttpResponse(file_data, mimetype=mimetypes.guess_type(file_path))
        # else make nginx serve static file
            redirect_url = '/%s' % file_path
            response = HttpResponse()
            response['X-Accel-Redirect'] = redirect_url
            return response

    So then if you add this view to urlconfig:

    url(r'^serve_secure_static/$', 'server_secure_static')

    you can request secure files by:

    which will serve the file from
