Auth_basic not requiring Authorization

dubstep · July 1, 2011, 5:58pm

Having a huge problem with the auth_basic. Despite putting in the exact
same lines as what I found in many examples, the web server is still
allowing access even without sending any authorization.
Relevent conf bits:

server {
listen 80;
server_name my.servers.name.com;
log_format fullCombined '$remote_addr - $http_x_forwarded_for
$remote_user [$time_local] ’
'“$request” $http_content_length $status
$body_bytes_sent ’
‘“$http_referer” “$http_user_agent”’;
access_log /var/log/nginx/access.log fullCombined;
error_log /var/log/nginx/error.log;

root /var/www/current/pub;

client_body_buffer_size 1024k;

Default location

location / {
    index  index.php;

    auth_basic "Ingester";
    auth_basic_user_file .htpasswd;

    rewrite ^index.php(.*)$ /index.php?/$1 last;
    if (!-f $request_filename) {
            rewrite ^/(.*)$ /index.php?/$1 last;
            break;
    }

}

Parse all .php file in the /var/www directory

location ~ .php$ {
    fastcgi_pass   backend;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME

$document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}

Disable viewing .htaccess & .htpassword

location ~ /\.ht {
    deny  all;
}

}

Thanks in advance,
Brian

Posted at Nginx Forum:

bindsocket · July 1, 2011, 6:18pm

Hello!

On Fri, Jul 01, 2011 at 11:58:08AM -0400, bindsocket wrote:

Having a huge problem with the auth_basic. Despite putting in the exact
same lines as what I found in many examples, the web server is still
allowing access even without sending any authorization.
Relevent conf bits:

server {
listen 80;

[…]

Default location

location / {
    index  index.php;

    auth_basic "Ingester";
    auth_basic_user_file .htpasswd;

You have auth_basic in your “location /”, so everything that ends
up here will be protected.

[…]

Parse all .php file in the /var/www directory
location ~ .php$ {
    fastcgi_pass   backend;

But you don’t have auth_basic in “location ~ .php$” (btw, you
missed “” before “.”), and anything here won’t be protected.

You have to move auth_basic to server{} level to protect
everything (or add it to all relevant locations if you have some
which doesn’t need protection).

Maxim D.

bindsocket · July 1, 2011, 6:20pm

On 7/1/11 11:58 AM, bindsocket wrote:

                        '"$request" $http_content_length $status
location / {

    fastcgi_param  CONTENT_TYPE     $content_type;
}

The above location block is outside the location block that handles PHP
scripts.

You may try

Default location

location / {
    index  index.php;

    auth_basic "Ingester";
    auth_basic_user_file .htpasswd;

    rewrite ^index.php(.*)$ /index.php?/$1 last;
    if (!-f $request_filename) {
            rewrite ^/(.*)$ /index.php?/$1 last;
            break;
    }

location ~ .php {
fastcgi pass backend;
…
}

Not also that this is an inefficient setup using “if”. See
If is Evil… when used in location context | NGINX. A “try_files” expression would be more
efficient.

Something like

server {

…

location / {
index index.php;

    auth_basic "Ingester";
    auth_basic_user_file .htpasswd;

    rewrite ^index.php(.*)$ /index.php?/$1 last;
    try_files $uri $uri/ @rfallback;

location ~ .php {
fastcgi pass backend;
…
}

}

location @fallback {

rewrite ^/(.*)$ /index.php?/$1 last;
}

...

}

Posted at Nginx Forum:
auth_basic not requiring Authorization

nginx mailing list
[email protected]
nginx Info Page

–
Jim O.

bindsocket · July 5, 2011, 7:49pm

Thanks everyone for the help and also for actually showing me how the
whole location thing is processed. Also, I had read the IfIsEvil post
and had it on my list of things to fix but never got far enough up the
priority scale to actually do. Now, thanks to you guys I do not have to
worry about that anymore.

Incidentally, I haven’t looked very hard but I do not see a way to do
same thing I know how to do in Apache where only certain users are
allowed access to certain directories. Being able to do this would
simply the next step in tweaking the config file.

Thanks,
Brian

Posted at Nginx Forum:

bindsocket · July 1, 2011, 8:28pm

On Jul 1, 2011, at 19:58 , bindsocket wrote:

                       '"$request" $http_content_length $status
location / {
   fastcgi_param  CONTENT_TYPE     $content_type;
}

Disable viewing .htaccess & .htpassword

location ~ /.ht {
deny all;
}
}

location / {
index index.php;

   auth_basic "Ingester";
   auth_basic_user_file .htpasswd;

   try_files  $uri  /index.php?$uri;

   location ~ ^/index.php(/.*)$ {
       fastcgi_index  index.php;
       fastcgi_param  SCRIPT_FILENAME   $document_root$index.php;
       include /etc/nginx/fastcgi_params;
       fastcgi_param  QUERY_STRING     $1;
       ...
   }

   location ~ \.php$ {
       fastcgi_pass   backend;
       fastcgi_index  index.php;
       fastcgi_param  SCRIPT_FILENAME

$document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
…
}

}

Disable viewing .htaccess & .htpassword

location ~ /.ht {
deny all;
}
}

–
Igor S.
http://sysoev.ru/en/