Basic Authentication and PHP files

I have a configuration block like this :

  location /members/ {
    index  main.php;
  }

  location ~ ^/members/(?:text1|text2|text3)/(?!noinclude)[^\/]+/ {
    auth_basic            "Restricted Area";
    auth_basic_user_file  /home/password/.htpasswd;
    rewrite ^\/(members\/[^\/]+\/[^\/]+)\/$ /gallery.php?path=$1&page=1
last;
    rewrite ^\/(members\/[^\/]+\/[^\/]+)\/page([0-9]+)\.php$
/gallery.php?path=$1&page=$2 last;
  }

        location ~ \.php$ {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME
$document_root$fastcgi_script_n$
                include fastcgi_params;
        }

The problem is that whenever I go to
http://mydomain.com/members/text1/anything/ or
http://mydomain.com/members/text1/anything/pageX.php, it correctly
displays the redirected page from gallery.php correctly, but it requires
no authentication. The images and other elements embedded on the page
from within the directory requires authentication, however.

I’m using v0.8.54.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,175467,175467#msg-175467

Hello!

On Tue, Feb 15, 2011 at 10:26:29AM -0500, Ellimist wrote:

rewrite ^\/(members\/[^\/]+\/[^\/]+)\/$ /gallery.php?path=$1&page=1
            include fastcgi_params;
    }

[/code]

The problem is that whenever I go to
http://mydomain.com/members/text1/anything/ or
http://mydomain.com/members/text1/anything/pageX.php, it correctly
displays the redirected page from gallery.php correctly, but it requires
no authentication. The images and other elements embedded on the page
from within the directory requires authentication, however.

Rewrite are executed before authentication, so you have to switch
on authentication in location where request is actually processed
(that is, rewritten one).

Additionally, /gallery.php is anyway unprotected with your config,
so it’s possible to request anything without authentication by
constructing appropriate url.

To resolve both issues it would be enough to add location for
gallery.php with auth_basic, i.e.

location = /gallery.php {
    auth_basic ...
    fastcgi_pass ...
    ...
}

Though you may want to rewrite your config to avoid rewrites
altogether to something like

location /members/ {
    auth_basic ...

    location ~ ^/(?<path>members/[^/]+/[^/]+)/$ {
        fastcgi_pass ...
        fastcgi_param  SCRIPT_FILENAME  $document_root/gallery.php;
        fastcgi_param  QUERY_STRING     path=$path&page=1;
        ...
    }

    location ~ 

^/(?members/[^/]+/[^/]+)/page(?[0-9]+).php$ {
fastcgi_pass …
fastcgi_param SCRIPT_FILENAME $document_root/gallery.php;
fastcgi_param QUERY_STRING path=$path&page=$page;

}
}

This aproach is believed to be much more maintainable than using
rewrites.

Maxim D.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs