Having a huge problem with the auth_basic. Despite putting in the exact
same lines as what I found in many examples, the web server is still
allowing access even without sending any authorization.
Relevant conf bits:
server {
    listen 80;
    server_name my.servers.name.com;

    log_format fullCombined '$remote_addr - $http_x_forwarded_for $remote_user [$time_local] '
                            '"$request" $http_content_length $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent"';
    access_log /var/log/nginx/access.log fullCombined;
    error_log  /var/log/nginx/error.log;

    root /var/www/current/pub;
    client_body_buffer_size 1024k;

    # Default location
    location / {
        index index.php;
        auth_basic "Ingester";
        auth_basic_user_file .htpasswd;
        rewrite ^index.php(.*)$ /index.php?/$1 last;
        if (!-f $request_filename) {
            rewrite ^/(.*)$ /index.php?/$1 last;
            break;
        }
    }

    # Parse all .php file in the /var/www directory
    location ~ .php$ {
        fastcgi_pass backend;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    # Disable viewing .htaccess & .htpassword
    location ~ /\.ht {
        deny all;
    }
}
Thanks in advance,
Brian
Posted at Nginx Forum:
Hello!
On Fri, Jul 01, 2011 at 11:58:08AM -0400, bindsocket wrote:
> Having a huge problem with the auth_basic. Despite putting in the exact
> same lines as what I found in many examples, the web server is still
> allowing access even without sending any authorization.
>
> Relevant conf bits:
>
> server {
>     listen 80;

[…]

>     # Default location
>     location / {
>         index index.php;
>         auth_basic "Ingester";
>         auth_basic_user_file .htpasswd;

You have auth_basic in your "location /", so everything that ends
up here will be protected.

[…]

>     # Parse all .php file in the /var/www directory
>     location ~ .php$ {
>         fastcgi_pass backend;

But you don't have auth_basic in "location ~ .php$" (btw, you
missed "\" before "."), and anything here won't be protected.

You have to move auth_basic to server{} level to protect
everything (or add it to all relevant locations if you have some
which doesn't need protection).
Maxim D.
On 7/1/11 11:58 AM, bindsocket wrote:
[…]
The above location block is outside the location block that handles PHP
scripts.
You may try
    # Default location
    location / {
        index index.php;
        auth_basic "Ingester";
        auth_basic_user_file .htpasswd;
        rewrite ^index.php(.*)$ /index.php?/$1 last;
        if (!-f $request_filename) {
            rewrite ^/(.*)$ /index.php?/$1 last;
            break;
        }

        # nested inside "location /", so it inherits the auth_basic above
        location ~ \.php$ {
            fastcgi_pass backend;
            …
        }
    }
Note also that this is an inefficient setup using "if". See
"If is Evil… when used in location context" on the nginx wiki. A "try_files" expression would be more
efficient.
Something like

server {
    …
    location / {
        index index.php;
        auth_basic "Ingester";
        auth_basic_user_file .htpasswd;
        rewrite ^index.php(.*)$ /index.php?/$1 last;
        try_files $uri $uri/ @fallback;

        location ~ \.php$ {
            fastcgi_pass backend;
            …
        }
    }

    location @fallback {
        rewrite ^/(.*)$ /index.php?/$1 last;
    }
    ...
}
Posted at Nginx Forum: auth_basic not requiring Authorization
nginx mailing list, nginx@nginx.org
–
Jim O.
Thanks everyone for the help and also for actually showing me how the
whole location thing is processed. Also, I had read the IfIsEvil post
and had it on my list of things to fix but never got far enough up the
priority scale to actually do it. Now, thanks to you guys I do not have to
worry about that anymore.
Incidentally, I haven't looked very hard but I do not see a way to do the
same thing I know how to do in Apache where only certain users are
allowed access to certain directories. Being able to do this would
simplify the next step in tweaking the config file.
Thanks,
Brian
On Jul 1, 2011, at 19:58 , bindsocket wrote:
[…]

>     # Disable viewing .htaccess & .htpassword
>     location ~ /\.ht {
>         deny all;
>     }
> }
    location / {
        index index.php;
        auth_basic "Ingester";
        auth_basic_user_file .htpasswd;
        try_files $uri /index.php?$uri;

        location ~ ^/index\.php(/.*)$ {
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root/index.php;
            include /etc/nginx/fastcgi_params;
            fastcgi_param QUERY_STRING $1;
            ...
        }

        location ~ \.php$ {
            fastcgi_pass backend;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
            fastcgi_param QUERY_STRING $query_string;
            …
        }
    }

    # Disable viewing .htaccess & .htpassword
    location ~ /\.ht {
        deny all;
    }
}
–
Igor S.
http://sysoev.ru/en/
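The location-matching behaviour Maxim describes, and the nested layout Jim and Igor use instead, as an added example that is not nginx's code and not from the thread. It parses three constructed server blocks that mirror the thread (the fastcgi details are dropped because they do not affect matching; the `/public/` block with `auth_basic off` is my addition) and reports, for a request URI, which location nginx would choose and which `auth_basic` setting it inherits. The model implements the documented rules for prefix, `^~` and `~` locations and for nested blocks; `=` and `~*` are left out.

```python
"""Model of nginx location selection and auth_basic inheritance.

Added example, not nginx code and not from the thread. Rules applied: the
longest matching prefix is chosen ("^~" skips regexes), nested locations are
searched inside it, otherwise regex locations at that level are tried in
order and the first match wins as a sibling of the prefix block. auth_basic
is inherited from the enclosing block only. "=" and "~*" are not modelled.
"""
import re

# Layout from the original post, backslash restored in \.php$ (constructed).
AS_POSTED = """
server {
    location / { auth_basic "Ingester"; auth_basic_user_file .htpasswd; }
    location ~ \\.php$ { fastcgi_pass backend; }
}
"""
# Maxim's fix: server-level auth_basic is inherited by every location.
SERVER_LEVEL = """
server {
    auth_basic "Ingester"; auth_basic_user_file .htpasswd;
    location / { }
    location ~ \\.php$ { fastcgi_pass backend; }
}
"""
# Jim's and Igor's layout: PHP handler nested in the protected block. The
# /public/ subtree is my addition, to show an explicit "auth_basic off".
NESTED = """
server {
    location / {
        auth_basic "Ingester"; auth_basic_user_file .htpasswd;
        location ~ \\.php$ { fastcgi_pass backend; }
        location /public/ { auth_basic off; }
    }
}
"""
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};"\']+')


def parse(text):
    """nginx syntax -> [(name, args, children)]; children is None for a directive."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            args = []
            while tokens[pos] not in (";", "{"):
                args.append(tokens[pos].strip("\"'"))
                pos += 1
            pos += 1                                      # consume ";" or "{"
            children = None if tokens[pos - 1] == ";" else block()
            pos += 0 if children is None else 1           # consume closing "}"
            items.append((args[0], args[1:], children))
        return items

    return block()


def modifier(loc): return loc[1][0] if len(loc[1]) == 2 else ""
def pattern(loc): return loc[1][-1]
def own_auth(items): return next((a[0] for n, a, _ in items if n == "auth_basic"), None)


def matches(loc, uri):
    if modifier(loc) == "~":
        return re.search(pattern(loc), uri) is not None
    return uri.startswith(pattern(loc))                   # "" and "^~" are prefixes


def find(items, uri, chain=()):
    """(chain of chosen location tuples, final); final=False means only a plain
    prefix matched, which a regex at the enclosing level may still override."""
    locs = [i for i in items if i[0] == "location"]
    prefixes = [l for l in locs if modifier(l) != "~" and matches(l, uri)]
    result = list(chain)
    best = max(prefixes, key=lambda l: len(pattern(l)), default=None)
    if best is not None:                                  # nested blocks are searched first
        result, final = find(best[2], uri, list(chain) + [best])
        if final or modifier(best) == "^~":
            return result, True
    for loc in locs:                                      # regexes are siblings of the prefix
        if modifier(loc) == "~" and matches(loc, uri):
            return find(loc[2], uri, list(chain) + [loc])[0], True
    return result, False


def resolve(config, uri):
    """(chosen location path, effective auth_basic realm or "off") for one URI."""
    server = next(c for n, _, c in parse(config) if n == "server")
    chain, _ = find(server, uri)
    auth = own_auth(server) or "off"
    for loc in chain:
        auth = own_auth(loc[2]) or auth
    return " > ".join(" ".join(l[1]) for l in chain) or "(server)", auth


if __name__ == "__main__":
    for name, cfg in ("as posted", AS_POSTED), ("server level", SERVER_LEVEL), ("nested", NESTED):
        for uri in ("/", "/index.php", "/public/readme.txt", "/public/x.php"):
            print(f"{name:13}{uri:21}-> {resolve(cfg, uri)}")
```

With the layout as posted, `/index.php` lands in `location ~ \.php$`, a sibling of `location /`, so it inherits from the server block and `auth_basic` is `off`; with Maxim's server-level `auth_basic` or the nested layout it is protected, and `/public/x.php` in the nested layout stays protected because the nested regex beats the `/public/` prefix. On a real box, check the effective config with `nginx -T` and then curl `/`, `/index.php` and any `.php` path, expecting 401 without credentials. Two more things worth verifying: a relative `auth_basic_user_file .htpasswd` is resolved against the nginx prefix directory, not against `root`, so make sure the file is where you think it is and outside the document root; and Basic credentials are only base64-encoded, so on `listen 80` they cross the wire in the clear.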