I have installed nginx on an Arch Linux VPS with Vultr. I intend to use it to serve files to myself and two colleagues. I have setup three accounts for us all with login names and passwords via the .htaccess and .htpasswd files. I will also be adding a certificate with let’s encrypt before the server will be used.
The data we will be sharing is commercially sensitive. Is there anything else I need to worry about? Is there anything else I can do to harden the server?
Personally, if correctly configured (and with a strong password), I treat this setup as more secure than anything more complex that I could assemble for myself.
It’s very easy to accidentally screw up the configuration. Nginx is generally reverse-proxying some other server; if that server is exposed in any other way than via Nginx, your security is gone.
If you ever transmit the password over http (rather than https) by accident, your security is gone.
If you are somehow treating the three accounts as separate within the underlying application, I wouldn’t trust the security of that part; I only use nginx with htpasswd to gate security of single-user apps.
If you’re just serving static files, it’s harder to mess up and most of these comments don’t apply.