I have a ISPconfig host with NGINX only and no Apache, which did give me some issues that seem to be overlooked. When making a protected folder and protected folder user, the .htaccess is owned by webx:clientx while it is being read by www-data. Fixed by adding www-data to clientx group, which is no problem for me, but i guess when you have more then one client it won't really be a solution, because then you want to keep them separated. On top of that, the .htaccess is created using SHA-512 crypt, not MD5. Nginx does not support SHA-512 out of the box. Also, within the NGINX conf for the vhost, ISPconfig adds a location block within a location block when adding a protected folder, which is not normal practice. Also subdirectories like /stats, give a 500 as a result because there even isn't a .htpasswd in there. I also wonder why ISPconfig likes the .htpasswd files to be in the directory it is protecting, and not store those outside the web accessible path.
Password protection for folders works fine here with Nginx on Ubuntu and Debian, standard ISPConfig installation. The password for the stats folders gets added when the first stats get generated. If you don't like how ISPConfig works, then don't use it.
Just a guess, you probably installed a third-party Nginx package and not the one from the Linux distribution. Doing so must break your setup, as e.g., nginx packages from nginx.org are incompatible and therefore not supported.
Don't understand me wrong please, I love ISPconfig! Used it for years, just changed to NGINX only setup which gives me this problem. I am just trying to find out why it wont work like this for me. You just confirmed for me that it should work, so I will find out what's wrong for me. Thank you for your time checking. I did install on a clean ubuntu 24.4LTS, all services were installed by ISPconfig install. I guess my problem has more to do with imported site from my old host, as a new added domain does work with protected folder as intended.
The permission and owner of the .htpasswd file is fine, as the www-data user is a member of each client group, so that nginx can read the file through the group permission. I can only recommend using the auto installer to install the system and do not replace packages, then this works out of the box.
Found it. When I imported the site data, the error sub folder was overwritten, should have excluded that. Also should have added a new domain to check as the first action, but instead did go on a goose chase. Thanks a lot again!
