Authenticated session downloads auth_basic protected php files

Hi I’m a nginx newbie, but I think I’m experiencing something seriously
strange. I’m not sure I can reproduce the steps needed, but the thing is
that I ended up nginx downloading protected php files from the site!

Step 1. make a normal site with say one php file
Step 2. make a auth_basic protected folder on it
Step 3. authenticate yourself in Google Chrome (maybe it works in others
Step 4. now modify the config such that a php file what wasn’t protected
before is protected now, reload
Step 5. now if you load the new php file in Chrome, instead of asking
the authenticate dialog, or parsing the file properly, it downloads it!
mean the pure PHP file with all it’s code and plaintext content inside

I’m not sure that the above steps are the precise steps required to
reproduce the bug, but I’ve repeatedly ended up downloading php files
the server. Closing Chrome and cleaning the cache fixed it.

Posted at Nginx Forum:,231253,231253#msg-231253

OK, I think my case is much simpler. Having

location = /something.php {
auth_basic “Restricted”;
auth_basic_user_file …;


location ~ .php$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/home/kek/http/private/php.socket;
include fastcgi_params;
try_files $uri =404;

Stops at the first step. Is there any way to password protect a single
file AND keep parsing it as php? Or should I copy and paste those lines
the first one?

Posted at Nginx Forum:,231253,231254#msg-231254