Under Construction before Live

Any thoughts about how to completely hide a site while it’s under construction, but keep it accessible across the internet for the team that’s working on it?

WordPress has an Under Construction plugin with 100,000+ active installations…

I tried just uncommenting the HTTP basic auth parameters in Nginx, but newer versions of Safari never prompt you for basic auth credentials even when you’re connecting over HTTPS (at least if you directly enter the URL).

UPDATE: Turns out that HTTP Basic Auth is still alive and well in 2018 in all major browsers, and is probably the easiest way to keep your site invisible while you’ve got a team working on it. If you’re not getting prompted, clear the relevant part of your browser cache.

Setting up HTTP Basic Auth for Discourse

cd /var/discourse && sudo ./launcher enter app

echo -n 'your_username:' >> /etc/nginx/htpasswd
openssl passwd -apr1 >> /etc/nginx/htpasswd

vi /etc/nginx/conf.d/discourse.conf

# search for "location / {"
# and remove the comment from

     auth_basic on;
     auth_basic_user_file /etc/nginx/htpasswd;

# save and exit

# test configuration
sudo nginx -t
# Important: If nginx -t comes back with an error, correct the config before reloading!
sudo service nginx reload

# Don't ever do ./launcher rebuild app... 
# or else your new config changes will be gond...
# still trying to figure out how to fix that

If basic auth didn’t work [but it does!]

  • Digest Auth is possible to setup, but you’ve got to rebuild Nginx… Doing that inside a Docker container seems far from ideal…
  • Could setup a VPN, but for a few weeks of collaboration VPN is quite complex to setup on the server, plus clients need to be configured. Some networks filter certain VPN types (China). So you might get it setup and find it still doesn’t work.
  • Limited by each users IP isn’t practical as we don’t have static IPs for each user…

You can make the site any combination of:

  • Invite Only
  • Must Approve Users
  • Allow New Registrations
  • Login Required

But regardless of how you set those, you’re site name, logo, and color scheme are still going to be made public.

What do you folks recommend for making a site invisible while it’s in development? Just use BASIC AUTH!

Basic auth or IP address restrictions. I’d be surprised if Safari had dropped support for basic auth, so I lean towards you doing something wrong (like not specifying a realm or something) if Safari isn’t playing well.

1 Like

In development we use ‘require login’ and an SSO setup that only our developers can login to. Just make sure that you have admins on your other login provider before switching to live.

1 Like


Thank you for pointing that out… Apparently the nginx config for http basic auth was OK (it’s just two lines that discourse automatically puts in there with comments for you), but it turns out that Safari was caching something that prevented HTTP basic auth from working with my discourse site…

If you go into Safari -> Preferences -> Privacy -> Manage Website Data

Then search for your site and “Remove”…

After that, everything in Safari works fine with HTTP basic auth…