Forum: NGINX HT Auth Problem

matt91 (Guest)
on 2009-06-06 17:16
(Received via mailing list)
I am having a problem with HT Auth where it will protect the directory
and all files in it except the PHP files. I think this is a problem with
nginx passing all PHP files for processing by fcgi before the
authentication. For example mysite.com/imnottelling/ and
mysite.com/imnottelling/hello.html is protected however
mysite.com/imnottelling/anything.php is not. Here is my virtual host
config file for the domain:

server {
  listen   81;

  server_name tributes-direct.co.uk www.tributes-direct.co.uk *.tributes-direct.co.uk;

  access_log  /var/log/nginx/localhost.access.log;

  rewrite ^/adamcarter$ /tributedetails.php?name=elvis_adam_carter&page=1 break;
  rewrite ^/bg_sound_([^_]*)\.xspf$ /includes/bg_audio_player/bg_sound.php?tributeid=$1 break;
  rewrite ^/adamcarter$ /tributedetails.php?name=elvis_adam_carter&page=1 break;
  rewrite ^/elvis$ /tributeindex.php?artiste=elvis break;
  rewrite ^/_([^/]*)$ /tributedetails.php?name=$1 break;
  rewrite ^/_(.*)/page/(.*)$ /tributedetails.php?name=$1&page=$2 break;
  rewrite ^/_(.*)/art/(.*)$ /tributedetails.php?name=$1&artisteid=$2 break;
  rewrite ^/_(.*)/cat/(.*)$ /tributedetails.php?name=$1&cat=$2 break;

  location / {
    root   /var/www/tributes-direct.co.uk;
    index  index.php index.html index.htm;
  }
  location  /imnottelling/*  {
    root   /var/www/tributes-direct.co.uk;
    index  index.php index.html index.htm;
    auth_basic            "Restricted";
    auth_basic_user_file  /var/www/tributes-direct.co.uk/imnottelling/.htpasswd;
  }

  #error_page  404  /var/www/err/404.html;

  # redirect server error pages to the static page /50x.html
  #
  #error_page   500 502 503 504  /50x.html;
  #location = /50x.html {
  #  root   /var/www/err;
  #}

  location ~ \.php$ {
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /var/www/tributes-direct.co.uk/$fastcgi_script_name;
    include fastcgi_params;
  }

  serve static files directly
  location ~ .(jpg|jpeg|gif|css|png|js|ico)$ {
    access_log        off;
    expires           30d;
  }

  # protect htaccess
  location ~ /\. {
        deny  all;
  }
}



And yep, I know the .htpasswd is in an accessible location ;-)

Thank you for your help.

 Matt

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,2667,2667#msg-2667
matt91 (Guest)
on 2009-06-06 19:22
(Received via mailing list)
Just to note "serve static files directly" is now commented out, this
was not the cause of the problem though.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,2667,2671#msg-2671
Rob S. (Guest)
on 2009-06-06 19:57
(Received via mailing list)
You have to use a nested location like
location /imnottelling {
    auth_basic "Restricted";
    auth_basic_user_file /var/www/tributes-direct.co.uk/imnottelling/.htpasswd;
    location ~ .*\.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # $fastcgi_script_name already contains the /imnottelling/ prefix
        fastcgi_param  SCRIPT_FILENAME  /var/www/tributes-direct.co.uk$fastcgi_script_name;
        include fastcgi_params;
    }
}

Igor has warned that nested locations have bugs in inheritance but that
this one will work correctly.
http://marc.info/?l=nginx&m=124301482813284&w=2

Also, a note: it's easier if you use
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
in your fastcgi_params. Then if you have your roots set right and
redefined, it will properly fill in the correct SCRIPT_FILENAME without
you having to do it in each of your PHP blocks if you have multiple of
them. Just one less thing that needs to be redefined.

Rob
merlin corey (Guest)
on 2009-06-08 14:23
(Received via mailing list)
The problem is clear and you have no need of nested locations (though
that is one possible solution and hints at the issue).  Observe:

       location ~ \.php$ {
               fastcgi_pass   127.0.0.1:9000;
               fastcgi_index  index.php;
               fastcgi_param  SCRIPT_FILENAME  /var/www/tributes-direct.co.uk/$fastcgi_script_name;
               include fastcgi_params;
       }

This regular expression indeed covers all PHP files.  There is no auth
here, so it does not ask for auth, only for the resources that ARE
under a location with auth.  You can try a nested location, or you can
add a second more specific php handling location block that also has
auth in it, or you can make an internal location for PHP and pass back
to it for the regular expressions.  The middle method is most
straightforward (and not demonstrated yet) and might be implemented
like so:

       location ~ ^/protectedstuff/.*\.php$ {
               auth_basic "Enter Credentials";
               auth_basic_user_file /path/to/auth;
               fastcgi_pass   127.0.0.1:9000;
               fastcgi_index  index.php;
               fastcgi_param  SCRIPT_FILENAME  /var/www/tributes-direct.co.uk/$fastcgi_script_name;
               include fastcgi_params;
       }
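
Added example (not part of the original thread, and not nginx's own code): a small Python model of nginx's top-level location selection, showing why a generic `\.php$` regex location takes the request away from a prefix location that carries `auth_basic`, and that the more specific regex location only helps when it appears before the generic one in the config. The location lists are constructed, `/protectedstuff/` is the placeholder path from the reply above, and nested locations are not modeled.

```python
import re

# Constructed model of nginx top-level location selection.
# Each location is (modifier, pattern, auth_required). Modifiers: "=" exact,
# "" prefix, "^~" prefix that suppresses regex checks, "~" / "~*" regex.

def select_location(locations, uri):
    """Return the (modifier, pattern, auth) tuple nginx would pick for uri."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc                      # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc                  # remember the longest prefix
    if best is not None and best[0] == "^~":
        return best                         # ^~ skips the regex pass
    for loc in locations:                   # regexes in config-file order
        mod, pat, _ = loc
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return loc                  # first matching regex wins
    return best                             # no regex matched: longest prefix

def needs_auth(locations, uri):
    """True if the location that handles uri has auth_basic configured."""
    loc = select_location(locations, uri)
    return bool(loc and loc[2])

# Constructed configs (assumption: auth is set only where marked True).
BEFORE = [
    ("", "/", False),
    ("", "/protectedstuff/", True),         # auth_basic lives only here
    ("~", r"\.php$", False),                # generic PHP handler, no auth
]
AFTER = [
    ("", "/", False),
    ("", "/protectedstuff/", True),
    ("~", r"^/protectedstuff/.*\.php$", True),  # must precede the generic regex
    ("~", r"\.php$", False),
]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for uri in ("/protectedstuff/hello.html", "/protectedstuff/x.php", "/index.php"):
            print(name, uri, "auth" if needs_auth(cfg, uri) else "NO AUTH")
```

The same check applies to any other regex location in the server block (for example a static-file regex): a request it matches is served without the prefix location's `auth_basic`.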