HT Auth Problem

matt91 · June 6, 2009, 3:16pm

I am having a problem with HT Auth where it will protect the directory
and all files in it except the php files, I think this is a problem with
nginx passing all php files for processing by fcgi before the
authentication. For example mysite.com/imnottelling/ and
mysite.com/imnottelling/hello.html is protected however
mysite.com/imnottelling/anything.php is not. Here is my virtual host
config file for the domain:

server {
listen 81;

server_name tributes-direct.co.uk www.tributes-direct.co.uk
*.tributes-direct.co.uk;

access_log /var/log/nginx/localhost.access.log;

rewrite ^/adamcarter$
/tributedetails.php?name=elvis_adam_carter&page=1 break;
rewrite ^/bg_sound_([^]*).xspf$
/includes/bg_audio_player/bg_sound.php?tributeid=$1 break;
rewrite ^/adamcarter$
/tributedetails.php?name=elvis_adam_carter&page=1 break;
rewrite ^/elvis$ /tributeindex.php?artiste=elvis break;
rewrite ^/([^/])$ /tributedetails.php?name=$1 break;
rewrite ^/_(.)/page/(.)$ /tributedetails.php?name=$1&page=$2 break;
rewrite ^/_(.)/art/(.)$ /tributedetails.php?name=$1&artisteid=$2
break;
rewrite ^/_(.)/cat/(.*)$ /tributedetails.php?name=$1&cat=$2 break;

location / {
root /var/www/tributes-direct.co.uk;
index index.php index.html index.htm;
}
location /imnottelling/* {
root /var/www/tributes-direct.co.uk;
index index.php index.html index.htm;
auth_basic “Restricted”;
auth_basic_user_file
/var/www/tributes-direct.co.uk/imnottelling/.htpasswd;
}

#error_page 404 /var/www/err/404.html;

redirect server error pages to the static page /50x.html

#error_page 500 502 503 504 /50x.html;
#location = /50x.html {

root /var/www/err;

#}

location ~ .php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME
/var/www/tributes-direct.co.uk/$fastcgi_script_name;
include fastcgi_params;
}

serve static files directly
location ~ .(jpg|jpeg|gif|css|png|js|ico)$ {
access_log off;
expires 30d;
}

protect htaccess

location ~ /. {
deny all;
}
}

And yep, I know the .htpasswd is in an accessible location

Thank you for your help.

Matt

Posted at Nginx Forum:

matt91 · June 6, 2009, 5:22pm

Just to note “serve static files directly” is now commented out, this
was not the cause of the problem though.

Posted at Nginx Forum:

matt91 · June 6, 2009, 5:57pm

You have to use a nested location like
location /imnottelling {
auth_basic “Restricted”;
auth_basic_user_file /var/www/tributes-direct.co.uk/
imnottelling/.htpasswd;
location ~ .*.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/tributes-direct.co.uk/
imnottelling/$fastcgi_script_name;
include fastcgi_params;
}
}

Igor has warned that nested locations has bugs in inheritance but that
this one will work correctly.
http://marc.info/?l=nginx&m=124301482813284&w=2

Also a note its easier if you use
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
in your fastcgi_params. Then if you have your root’s set right and
redefined it will properly fill the correct SCRIPT_FILENAME without
you having to do it in each of your php blocks if you have multiple of
them. Just 1 less thing that is needed to be redefined.

Rob

matt91 · June 8, 2009, 12:23pm

The problem is clear and you have no need of nested locations (though
that is one possible solution and hints at the issue). Observe:

   location ~ \.php$ {
           fastcgi_pass   127.0.0.1:9000;
           fastcgi_index  index.php;
           fastcgi_param  SCRIPT_FILENAME

/var/www/tributes-direct.co.uk/$fastcgi_script_name;
include fastcgi_params;
}

This regular expression indeed covers all PHP files. There is no auth
here, so it does not ask for auth, only for the resources that ARE
under a location with auth. You can try a nested location, or you can
add a second more specific php handling location block that also has
auth in it, or you can make an internal location for PHP and pass back
to it for the regular expressions. The middle method is most
straightforward (and not demonstrated yet) and might be implemented
like so:

   location ~ ^/protectedstuff/.*\.php$ {
           auth_basic "Enter Credentials";
           auth_basic_user_file /path/to/auth;
           fastcgi_pass   127.0.0.1:9000;
           fastcgi_index  index.php;
           fastcgi_param  SCRIPT_FILENAME

/var/www/tributes-direct.co.uk/$fastcgi_script_name;
include fastcgi_params;
}