Error pages/Web Authentication

Hello,

I would like to ask for some help.

  1. Does Nginx support SHA encryption for the basic web authentication?
    When I use -s switch with htpasswd command I can’t log in. It works with
    MD5 however it looks like MD5 has some character length limitation as
    only the first eight characters are significant.

  2. I have a Joomla install running on Nginx. I enabled SEO URLs with a
    rewrite rule:

Is it possible to set this up so Nginx will show the Joomla error page if
someone tries to access a non-existing directory/file on the web server?
Please note that I don’t want to set custom error pages in the Nginx config
file for now, as this feature works fine with Apache - I can access any
non-existing file/directory on the Apache web server and it always shows the
Joomla error page.

Regards

Posted at Nginx Forum:

Hello!

On Thu, Jun 09, 2011 at 10:53:58AM -0400, HTF wrote:

Hello,

I would like to ask for some help.

  1. Does Nginx support SHA encryption for the basic web authentication?
    When I use -s switch with htpasswd command I can’t log in. It works with

No. In 1.0.3+ there is support for {SSHA} (salted/seeded SHA, see
[1]). Probably {SHA} should be added too, for compatibility
reasons. Though please note that it’s notably less secure than
{SSHA} as it’s not salted and hence vulnerable to rainbow table
attacks.

[1] OpenLDAP Faq-O-Matic: What are {SHA} and {SSHA} passwords and how do I generate them?

MD5 however it looks like MD5 has some character length limitation as
only the first eight characters are significant.

By MD5 you mean the $apr1$ password scheme, as generated by htpasswd
-m? It’s supported since 1.0.3 and doesn’t have any length
limitations.

extension at the end there is a blank page.

It looks like you have “location ~ \.html$” and “location ~
\.php$” which match (a) and (b) and you don’t have any Joomla
fallback there. If you want to pass anything non-existent to
Joomla - make sure to actually pass anything.

Maxim D.

Hello,

Thanks for reply. I really appreciate your help.

Maxim D. Wrote:

By MD5 you mean the $apr1$ password scheme, as generated by htpasswd
-m? It’s supported since 1.0.3 and doesn’t have any length
limitations.

Yes, that’s correct. I’ve created my password without any additional
switch so I assumed it’s MD5 (htpasswd -m), the password is:

  • “abcdefhi12” - however I can log in when I type only first eight
    characters “abcdeghi”

It looks like you have “location ~ \.html$” and “location ~
\.php$” which match (a) and (b) and you don’t have any Joomla
fallback there. If you want to pass anything non-existent to
Joomla - make sure to actually pass anything.

Could you please help me with this? I added ‘default_server’ to the
“location ~ \.html$”. Do I have to set anything else?

Regards


Maxim D. Wrote:

nal_DES-based_scheme
OK, I tried both switches -m (MD5) and -s (SHA) and I wasn’t able to log
in. The log file shows “password mismatch”. The only method that works
is DES (htpasswd without any switch). Do I have to install some
additional module or so?

(and no other locations)

Alternatively you may add try_files to .html /
.php locations.

I had the default location for php “location ~ \.php$” and when I
changed it to “location = /index.php” all non-existing pages are
redirected to the Joomla error page - which is great, however “index.html”
still shows the Nginx error page (index.htm shows the Joomla error page) - I’m
very close. I also noticed that now when I access some directories the
web browser is trying to download files.


On 9 Jun 2011 22h43 WEST, [email protected] wrote:

I had the default location for php “location ~ \.php$” and when I
changed it to “location = /index.php” all non-existing pages are
redirected to the Joomla error page - which is great, however
“index.html” still shows the Nginx error page (index.htm shows the Joomla
error page) - I’m very close. I also noticed that now when I access
some directories the web browser is trying to download files.

It’s because you haven’t specified an index directive with index.php
as a value somewhere in your config. Cf. http://wiki.nginx.org/HttpIndexModule

— appa

António P. P. Almeida Wrote:

It’s because you haven’t specified an index directive with index.php
as a value somewhere in your config. Cf. http://wiki.nginx.org/HttpIndexModule

I have specified an index directive - it’s just not working with
“location = /index.php”. It works with “location ~ \.php$” but then I
have the other issue mentioned previously in this thread.


Hello!

On Thu, Jun 09, 2011 at 01:01:05PM -0400, HTF wrote:

limitations.

Yes, that’s correct. I’ve created my password without any additional
switch so I assumed it’s MD5 (htpasswd -m), the password is:

  • “abcdefhi12” - however I can log in when I type only first eight
    characters “abcdeghi”

Without any switches htpasswd used to produce traditional DES crypt
passwords on unix; they are indeed limited to 8 chars (see [1]). In
recent versions the default was changed to produce $apr1$ instead, but
this wasn’t long ago.

[1]

It looks like you have “location ~ \.html$” and “location ~
\.php$” which match (a) and (b) and you don’t have any Joomla
fallback there. If you want to pass anything non-existent to
Joomla - make sure to actually pass anything.

Could you please help me with this? I added ‘default_server’ to the
“location ~ \.html$”. Do I have to set anything else?

default_server isn’t related to location at all, it’s listen
directive option.

A simple config which should work will look like:

server {
    listen …
    server_name …
    root …

    location / {
        try_files $uri $uri/ /index.php?q=$request_uri;
    }

    location = /index.php {
        fastcgi_pass ...
    }
}

(and no other locations)

Alternatively you may add try_files to .html / .php locations.

Maxim D.

On 10 Jun 2011 18h48 WEST, [email protected] wrote:

There’s probably something wrong with your config to make that
happen, but this should make it work.

location / {
    (…)
    error_page 404 = /index.php;
}

— appa

I’ve set try_files in the .html & .php locations as advised by Maxim and
everything works fine except “index.html” - it’s still pointing to the Nginx
error page instead of the Joomla 404 error page. Is there a way to fix
this?

Can someone explain to me what’s the difference between “location =
/index.php” and “location ~ \.php$” and why the first one is trying to
open/download files in the web browser?

I still can’t get the web authentication to work with MD5 or SHA
encryption. I think that I’m missing some module to support this.

Thanks for the help so far.


Hello,

I still have some issue with this configuration. I restricted access to
the admin back end:

location /administrator {
    auth_basic "Authorized Access Only!";
    auth_basic_user_file .userdb;
}

  • however when I add the index.php file to the URL
    (mydomain.com/administrator/index.php) nginx just allows me to access
    this part of the website without authentication.
    I modified the above configuration to:

location ^~ /administrator {
    auth_basic "Authorized Access Only!";
    auth_basic_user_file .userdb;
}

  • then even if I append index.php it still asks me for login
    credentials, but when I log in the web browser is trying to download a
    file instead of opening the website.

Can someone point me in the right direction please, as this problem
persists even with the nginx default config files/configuration examples.


Could you please have a look at my config files:

NGINX.CONF

user nginx;
worker_processes 4;

error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    ## Size Limits
    client_body_buffer_size 8k;
    client_header_buffer_size 1k;
    client_max_body_size 100k;
    large_client_header_buffers 1 1k;

    ## Timeouts
    client_body_timeout 60;
    client_header_timeout 60;
    keepalive_timeout 60 60;
    send_timeout 60;

    ## General Options
    ignore_invalid_headers on;
    limit_zone gulag $binary_remote_addr 1m;
    recursive_error_pages on;
    sendfile on;
    server_name_in_redirect off;
    server_tokens off;

    ## TCP options
    tcp_nodelay on;
    tcp_nopush on;

    ## Compression
    gzip on;
    gzip_static on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.0;
    gzip_min_length 0;
    gzip_types text/plain text/css image/x-icon image/bmp;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # The default server
    # Load config files from the /etc/nginx/conf.d directory
    include /etc/nginx/conf.d/*.conf;
}

VIRTUAL.CONF

server {
    listen mydomain.com default_server;

    server_name mydomain.com www.mydomain.com;

    root /home/web/mydomain.com;
    index index.php index.html index.htm /index.php;

    add_header Cache-Control public;
    expires 31d;

    ## Only allow these request methods
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    ## Deny illegal Host headers
    if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
        return 444;
    }

    ## Deny certain User-Agents (case insensitive)
    ## The ~* makes it case insensitive as opposed to just a ~
    if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        return 444;
    }

    ## Deny certain Referers (case insensitive)
    ## The ~* makes it case insensitive as opposed to just a ~
    if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
        return 444;
    }

    ## Redirect from www to non-www
    if ($host = 'www.mydomain.com' ) {
        rewrite  ^/(.*)$  http://domain.com/$1  permanent;
    }

    ## Serve an empty 1x1 gif OR an error 204 (No Content) for favicon.ico
    location = /favicon.ico {
        #empty_gif;
        return 204;
    }

    location / {
        try_files $uri $uri/ /index.php?q=$request_uri;
    }

    location /administrator {
        auth_basic "Authorized Access Only!";
        auth_basic_user_file .userdb;
    }

    #Rewrite rules
    large_client_header_buffers 4 8k;

    ## serve static files directly
    location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
    #location ~* \.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|flv|mp3)$ {
        access_log off;
        expires max;
    }

    location ~ \.php$ {
    #location = /index.php {
        #root html;
        root /home/web/mydomain.com;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/web/mydomain.com$fastcgi_script_name;
        include fastcgi_params;
        try_files $uri $uri/ /index.php?q=$request_uri;
    }

    location ~ /\. {
        deny all;
    }

    location ~ /(.+)\.xml$ {
        deny all;
    }
}


Maxim D. Wrote:

for protected static files and one for protected
fastcgi_pass …

}
}

Hello,

Thank you.

Is this the recommended/only configuration for this in my case? According
to the wiki from the link above
(http://wiki.nginx.org/HttpCoreModule#location):
"While nested locations are allowed by the configuration file parser,
their use is discouraged and may produce unexpected results."

Also could you please advise why the SHA and MD5 encryption for the
basic authentication is not working for me? I receive password mismatch
errors in the log files.


Hello!

On Sat, Jun 11, 2011 at 04:55:28AM -0400, HTF wrote:

  • however when I add index.php file to the URl
    credentials but when I logged in the web browser is trying to download a
    file instead of opening the website.

Can someone point me in the right direction please, as this problem
persists even with the nginx default config files/configuration examples.

nginx uses only one configuration to process a request, please see
here:

http://wiki.nginx.org/HttpCoreModule#location

If you want /administrator to be protected, but still want php
processed there, you have to define two locations for this: one
for protected static files and one for protected php files.

Using nested locations, a simple config will look like:

location ^~ /administrator {
    auth_basic ...
    ...

    location ~ \.php$ {
        fastcgi_pass ...
        ...
    }
}

Maxim D.
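The location-selection rule Maxim points to, as an added Python model (not nginx code and not part of the original thread): it reproduces the documented order (an exact `=` match wins; otherwise the longest matching prefix is remembered, and `^~` on it stops the search; otherwise the first matching regex in config order; otherwise the longest prefix) and runs it over constructed location sets shaped like the configurations discussed in this thread. The `name` labels describing what each block would do are assumptions made for the demo.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Location:
    """One nginx `location` block, reduced to what matters for selection."""
    modifier: str              # "", "=", "^~", "~" or "~*"
    pattern: str               # prefix, exact URI, or PCRE regex
    name: str                  # what the block does (demo label, assumed)
    children: list = field(default_factory=list)  # nested locations


def select_location(uri: str, locations: list) -> "Location | None":
    """Pick the location nginx would use for `uri`, following the documented order:
    an exact '=' match wins outright; otherwise the longest matching prefix is
    remembered, and if it carries '^~' the regex pass is skipped; otherwise the
    first matching regex in config order wins; otherwise the longest prefix.
    Nested locations are then searched inside the winning block."""
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc

    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc

    chosen = None
    if best is not None and best.modifier == "^~":
        chosen = best
    else:
        for loc in locations:
            if loc.modifier in ("~", "~*"):
                flags = re.IGNORECASE if loc.modifier == "~*" else 0
                if re.search(loc.pattern, uri, flags):
                    chosen = loc
                    break
        if chosen is None:
            chosen = best

    if chosen is not None and chosen.children:
        nested = select_location(uri, chosen.children)
        if nested is not None:
            return nested
    return chosen


def handler_for(uri: str, locations: list) -> str:
    """Return the demo label of the block that would handle `uri`."""
    loc = select_location(uri, locations)
    return loc.name if loc is not None else "no match"


PHP_REGEX = r"\.php$"

# Constructed: the poster's first attempt, a plain prefix block beside the regex PHP handler.
FIRST_ATTEMPT = [
    Location("", "/", "try_files"),
    Location("", "/administrator", "auth_basic, static only"),
    Location("~", PHP_REGEX, "fastcgi_pass, no auth"),
]

# Constructed: the second attempt, with ^~ so the prefix stops the regex search.
SECOND_ATTEMPT = [
    Location("", "/", "try_files"),
    Location("^~", "/administrator", "auth_basic, static only"),
    Location("~", PHP_REGEX, "fastcgi_pass, no auth"),
]

# Constructed: the nested form from the reply, a PHP handler inside the protected prefix.
NESTED = [
    Location("", "/", "try_files"),
    Location("^~", "/administrator", "auth_basic, static only",
             children=[Location("~", PHP_REGEX, "auth_basic + fastcgi_pass")]),
    Location("~", PHP_REGEX, "fastcgi_pass, no auth"),
]

# Constructed: only an exact match for /index.php, as in the poster's experiment.
EXACT_ONLY = [
    Location("", "/", "try_files"),
    Location("=", "/index.php", "fastcgi_pass"),
]


if __name__ == "__main__":
    for label, cfg in [("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT),
                       ("nested", NESTED), ("exact", EXACT_ONLY)]:
        for uri in ["/administrator/", "/administrator/index.php", "/index.php", "/x.php"]:
            print(f"{label:7} {uri:28} -> {handler_for(uri, cfg)}")
```

In the first set /administrator/index.php goes to the regex PHP block, so the auth_basic in the prefix block never runs; with `^~` the prefix wins but nothing in it passes the request to FastCGI, so the .php file is served as a plain file; the nested form applies both. Under EXACT_ONLY every .php URI other than /index.php falls through to `location /`, which is consistent with the download behaviour described in the thread.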

What does nginx -v show?

It’s a CentOS 5.6 64 bit install with Nginx from EPEL repository:

  • nginx version: nginx/0.8.54

Regards


Hello!

On Tue, Jun 14, 2011 at 11:21:52PM -0400, HTF wrote:

processed there, you have to define two locations

Is this the recommended/only configuration for this in my case? According
to the wiki from the link above
(http://wiki.nginx.org/HttpCoreModule#location):
"While nested locations are allowed by the configuration file parser,
their use is discouraged and may produce unexpected results."

There were problems with nested locations somewhere near 0.7.*.
They were resolved; the wiki is just stale.

Also could you please advise why the SHA and MD5 encryption for the
basic authentication is not working for me? I receive password mismatch
errors in the log files.

What does nginx -v show?

Maxim D.

Hello!

On Wed, Jun 15, 2011 at 08:34:10AM -0400, HTF wrote:

What does nginx -v show?

It’s a CentOS 5.6 64 bit install with Nginx from EPEL repository:

  • nginx version: nginx/0.8.54

As I already said, $apr1$ support was added in 1.0.3. There is no
surprise it doesn’t work for you in 0.8.54.

Maxim D.

Hello!

On Thu, Jul 07, 2011 at 11:14:27AM -0400, tsaavik wrote:

I wonder if it is feasible to add the following to ngx_crypt.c to be
more compatible with the output of htpasswd? Please note, I’m no
cryptologist and barely a programmer, but I do sleep in Holiday Inns.

Your patch will work as {SHA} is identical to {SSHA} with an
empty salt. But I’m not really sure we want to support {SHA} at
all as it’s vulnerable to rainbow table attacks and really isn’t
secure. You shouldn’t use it unless you really need compatibility
with some old software.

Please also note that $apr1$ (as generated by htpasswd -m, aka
apache md5) is more secure than both {SHA} and {SSHA}. If you
just want something compatible with Apache and secure - use $apr1$
instead.

Maxim D.
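What “{SHA} is identical to {SSHA} with an empty salt” means in practice, as an added Python example (this is not nginx’s ngx_crypt.c and not part of the thread): it builds {SSHA} and {SHA} entries the OpenLDAP/htpasswd way, verifies passwords with one routine that treats whatever follows the 20-byte SHA-1 digest as the salt, and shows the relabelling workaround mentioned above. It also shows why the unsalted form is the weaker one: two users with the same password get identical {SHA} entries, so one precomputed table covers all of them. The function names are assumptions for the demo, and the $apr1$ scheme is not implemented here.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 digest size; everything after it in an {SSHA} blob is salt


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Build an OpenLDAP-style {SSHA} entry: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per entry (size chosen for the demo)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password: str) -> str:
    """Build the unsalted {SHA} entry that `htpasswd -s` writes: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def relabel_sha_as_ssha(entry: str) -> str:
    """The workaround from the thread: change the label, keep the blob unchanged."""
    if not entry.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    return "{SSHA}" + entry[len("{SHA}"):]


def verify_salted_sha(password: str, entry: str) -> bool:
    """Check a password against an {SSHA} or {SHA} entry with one routine.

    The decoded blob is split into a 20-byte digest and a trailing salt. A {SHA}
    blob is just the digest, so its salt is empty and sha1(password + b"") is the
    plain SHA-1: that is the sense in which {SHA} equals {SSHA} with an empty salt.
    """
    scheme, sep, encoded = entry.partition("}")
    if not sep or scheme not in ("{SSHA", "{SHA"):
        return False
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) < DIGEST_LEN:
        return False
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def same_password_collides(make, password: str) -> bool:
    """True if two independently generated entries for the same password are
    identical, which is what lets one precomputed table crack every such user."""
    return make(password) == make(password)


if __name__ == "__main__":
    pw = "password"  # constructed demo password
    sha_entry = make_sha(pw)
    print("htpasswd -s style:", sha_entry)
    print("relabelled:       ", relabel_sha_as_ssha(sha_entry))
    print("salted:           ", make_ssha(pw))
    print("verify {SHA} via SSHA routine:", verify_salted_sha(pw, sha_entry))
    print("{SHA} entries collide:", same_password_collides(make_sha, pw))
    print("{SSHA} entries collide:", same_password_collides(make_ssha, pw))
```

Running it prints the well-known `{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=` for the demo password, and the same blob under the `{SSHA}` label verifies unchanged, which is exactly why the relabelling in the thread worked.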

Maxim D. Wrote:

  1. Does Nginx support SHA encryption for the basic web
    authentication?
    When I use -s switch with htpasswd command I can’t log in…

I ran into this issue just the other day with htpasswd -s. I noticed
that if I modified the output of htpasswd from {SHA} to {SSHA} I was
able to use the generated password with nginx 1.0.4.

I wonder if it is feasible to add the following to ngx_crypt.c to be
more compatible with the output of htpasswd? Please note, I’m no
cryptologist and barely a programmer, but I do sleep in Holiday Inns.

— ngx_crypt.c.orig 2011-07-07 08:10:36.814068671 -0700
+++ ngx_crypt.c 2011-07-07 08:11:26.670068063 -0700
@@ -42,6 +42,8 @@
#if (NGX_HAVE_SHA1)
} else if (ngx_strncmp(salt, “{SSHA}”, sizeof(“{SSHA}”) - 1) == 0)
{
return ngx_crypt_ssha(pool, key, salt, encrypted);

  • } else if (ngx_strncmp(salt, “{SHA}”, sizeof(“{SHA}”) - 1) == 0) {
  •    return ngx_crypt_ssha(pool, key, salt, encrypted);
    

#endif
}

45,46d44
< } else if (ngx_strncmp(salt, “{SHA}”, sizeof(“{SHA}”) - 1) == 0)
{
< return ngx_crypt_ssha(pool, key, salt, encrypted);
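Review bot: the two excerpts disagree on direction: the unified hunk at `@@ -42,6 +42,8 @@` adds the `{SHA}` branch, while the `45,46d44` output lists the same two lines with `<`, i.e. as present only in its first file, so one of the two was produced with the arguments reversed; resubmit a single unified diff against the original ngx_crypt.c. Within the added branch, routing `{SHA}` through `ngx_crypt_ssha()` works only because, as the reply notes, {SHA} is {SSHA} with an empty salt; add a comment on the new lines saying so and stating that the scheme is unsalted and accepted for htpasswd compatibility only, so the next reader does not mistake it for a separate implementation.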
