Password protect pages by hashed permalink


#1

I am trying to achieve password protection for my Jekyll site, that is being built by a self-hosted GitLab Pages CI using Password protection for static pages.

The documentation said to add a directory with the hash of the password and put everything you want to protect in there. This is not a clean solution imho, so I am trying to solve it in a different way.

So I put the provided index.html in the root of my pages project, but changed the file name in this line to /private.html. In the front matter of another file private.md that is also in the root of the project, I added:

permalink: 3da541558918a808c2402bba5012f6c60b27661c/private.html

and after entering the correct password, voila that page is shown.

Side note: the site is in a subdirectory, so _config.yml also contains

baseurl: "/private"

Now here is the problem: instead of adding the permalink directive to all the pages that I want to protect, which are all but index.html, I tried to add that directive to _config.yml like this:

permalink: "/private/3da541558918a808c2402bba5012f6c60b27661c/:title:output_ext"

This does not do anything, though. Other pages, that do not have the permalink directive in their front matter are accessible via their regular url and thus not protected. I also tried this without the /private/ part, but no difference.

So what’s wrong with that? How can I achieve not to have to add the permalink directive to all the pages’ front matter? Any ideas?


#2

did you restart jekyll? config changes don’t trigger a rebuild, easy to forget.

is there a repo to look at?

Pretty much secure lol. I guess that depends on what secure means. Security thru obscurity I suppose.


#3

yes I did.

I made one here: https://github.com/mcnesium/private-page-test the according password for the hash is asdf

Sure that, if you guess the hash and the name of the page, or get the link by insiders, then you’re in. But this is also true, if you get to know the password.

This is just to prevent too curious visitors, not a banking app.


#4

yeah it looks like there is something wrong there - I cannot get pages to follow the permalink style in the config file as far as a plain text path is concerned - so with permalink: "/tester/:title/" posts will go into a tester directory but pages will not. I’m not sure if this is by design or not.

The /:title part does seem to work for pages, just not the custom directory name.

One work around would be that Jekyll will respect the folder name your pages are in, so you could make a folder named private/3da541558918a808c2402bba5012f6c60b27661c and put all the protected files in there and it should work - with no need to have the permalink in each file.

As far as security, it is an interesting idea to obscure stuff.
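
Added example, not part of the thread or of the linked project: a build-time check for the failure described in #1, where pages without the hashed permalink stay reachable at their regular URL. It assumes the Jekyll output is in `_site`, that the only page meant to be public is the root `index.html` login form, and that the function names `find_exposed` and `check_site` are hypothetical.

```shell
#!/bin/sh
# Added example: guard for a Jekyll build that hides pages under <hash>/.
# Assumptions (not from the thread): output directory is _site, the login
# form is index.html at the site root, everything else must sit below the
# hash directory. Only .html files are checked; assets are not.

# find_exposed SITE_DIR HASH_DIR
# Prints, relative to SITE_DIR, every .html file published outside HASH_DIR
# (the root index.html is allowed). Prints nothing when all pages are covered.
find_exposed() {
    (
        cd "$1" || exit 2
        find . -type f -name '*.html' \
            ! -path './index.html' \
            ! -path "./$2/*" | sort
    )
}

# check_site SITE_DIR HASH_DIR
# Returns 0 when every page is under the hash directory,
#         1 when at least one page is reachable at its regular URL,
#         2 when the hash directory is missing from the build.
check_site() {
    if [ ! -d "${1%/}/$2" ]; then
        echo "hash directory '$2' not found in $1" >&2
        return 2
    fi
    exposed=$(find_exposed "$1" "$2")
    if [ -n "$exposed" ]; then
        echo "pages reachable without the hash:" >&2
        echo "$exposed" >&2
        return 1
    fi
    return 0
}

# Usage after 'jekyll build', e.g. as a CI job step:
#   sh check_pages.sh _site 3da541558918a808c2402bba5012f6c60b27661c
if [ "$#" -eq 2 ]; then
    check_site "$1" "$2"
fi
```

A non-zero exit fails the CI job, so a page that lost its permalink or was added outside the protected folder is caught before it is published.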