Am I going crazy? Mixing auth and PHP

http://foo.com/reports/ - prompts for auth like it should
http://foo.com/reports/report.php - bypasses http auth

the .php is being matched and the other location is ignored completely?

    server {
        listen 80;
        server_name foo.com;
        index index.php index.html;
        root /home/foo/web/foo.com/;
        location /reports {
            auth_basic "Reports";
            auth_basic_user_file /home/foo/web/foo.com/.htpasswd;
        }
        location ~ .php {
            fastcgi_pass 127.0.0.1:11019;
            fastcgi_index index.php;
        }
    }

Anything wrong here?

How can I get auth working for the whole /reports dir? I tried even
putting in the exact /reports/report.php URL in a location block, a
regexp ^/reports etc…

Hi,

This behavior is explained in
http://wiki.codemongers.com/NginxHttpCoreModule#location

Only the PHP location is matched by /reports/report.php.

The solution may be to use nested locations (but this is an unstable
feature), or adding a specific location that matches something like
^/reports.*.php$
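
The dedicated regex location suggested above, written out as an added example (it is not part of the original thread and has not been run against the poster's server). It assumes the paths and FastCGI address from the config in the question; the `/\.ht` block is an addition, included because the password file in that config sits inside the document root.

```nginx
server {
    listen 80;
    server_name foo.com;
    index index.php index.html;
    root /home/foo/web/foo.com/;

    # The config in the question keeps .htpasswd under the document root,
    # so refuse to serve it (and any other .ht* file) over HTTP.
    location ~ /\.ht {
        deny all;
    }

    # Static files and directory requests under /reports/.
    # A plain prefix location is only used when no regex location matches,
    # which is why it cannot protect the .php files on its own.
    location /reports/ {
        auth_basic "Reports";
        auth_basic_user_file /home/foo/web/foo.com/.htpasswd;
    }

    # PHP under /reports/. Regex locations are tried in the order they
    # appear and the first match wins, so this block must come before the
    # generic PHP block. The auth directives are repeated here because a
    # request is handled by exactly one location.
    location ~ ^/reports/.*\.php$ {
        auth_basic "Reports";
        auth_basic_user_file /home/foo/web/foo.com/.htpasswd;
        fastcgi_pass 127.0.0.1:11019;
        fastcgi_index index.php;
        # plus the same fastcgi_param lines the generic block uses
    }

    # Everything else ending in .php. Keep this pattern anchored the same
    # way as the protected one: a looser pattern here (for example an
    # unanchored ".php") would match /reports/ URIs the block above misses
    # and pass them to FastCGI without authentication.
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:11019;
        fastcgi_index index.php;
    }
}
```

After reloading, a request for /reports/report.php without credentials should return 401, the same as /reports/ does.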

mike wrote:

Ack, this is going to be tricky.

I could secure /admin/ but if someone hit a script /admin/foo.php they
could hit it directly without credentials…

I didn’t try it but I guess something like the following should work:

    location /reports {
        auth_basic "Reports";
        auth_basic_user_file /home/foo/web/foo.com/.htpasswd;
        rewrite (.*).php$ /php/$1.php last;
    }

    location ~ /php/.*.php {
        internal;
        fastcgi_pass 127.0.0.1:11019;
        fastcgi_index index.php;
        # you'll need to strip the added prefix if you set any fastcgi_param
    }

I’m going to go ahead and repost this and ask Igor about it since he’s
back.

Igor - this is coming up now more often, I need a way to secure a full
path like /admin/ and still secure the php files underneath. Right now
if it matches the .php it forwards it on to fastcgi and skips the auth
step.

Is there a “smart” way to do this, or perhaps a quick patch? My only
option so far is to try to chain some rewrite rules so it passes auth
first then goes to the PHP stuff (like this pseudo code from Denis):

    location /reports {
        auth_basic "Reports";
        auth_basic_user_file /home/foo/web/foo.com/.htpasswd;

        rewrite (.*).php$ /php/$1.php last;
    }

    location ~ /php/.*.php {
        internal;
        fastcgi_pass 127.0.0.1:11019;
        fastcgi_index index.php;
    }

Is there anything better right now? Any way to process both? (This
might require nested location blocks… I don’t know)

Thanks a ton. This is one annoyance that’s hitting me on a couple of
my nginx installs. Otherwise it’s been the best webserver I’ve used!