Protect a specific php file

Server NGINX
1

Hello,

On my server I have a php app in a subfolder of my root, so basically
I’ve made the following nginx configuration :

server {
listen 80;
server_name www.domain.fr;
root /var/www/domain.fr;
access_log /var/log/nginx/access.log ;
location /myapp {
location ~ .php$ {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}
}

And it’s work now in this app I want to protect the index.php file and
only this one, so I try this :

    location /myapp {
            location ^~ /myapp/index.php {
                    auth_basic            "Private Section";
                    auth_basic_user_file  $document_root/.htpasswd;
                    location ~ \.php$ {
                            include

/etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}
location ~ .php$ {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}

I had to duplicate the php location, is there an another way ?

It work with IE8 but not with Chrome !!

With Chrome the complete URL (http://www.domain.fr/myapp/index.php) is
correctly protected but not this one http://www.domain.fr/myapp/
In this case the php file is downloaded…

Any idea why ? Any solution ?

Thanks a lot

Posted at Nginx Forum:

2

On 12 Jan 2012 16h21 WET, [email protected] wrote:

Hello,

Any idea why ? Any solution ?

Yes. Duplicate the FCGI setup in the /myapp/index.php location.

            location ^~ /myapp/index.php {
                auth_basic "Private Section";
                auth_basic_user_file  $document_root/.htpasswd;
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME

$document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}

— appa

3

It was already duplicate like this :

location ^~ /myapp/index.php {
auth_basic “Private Section”;
auth_basic_user_file $document_root/.htpasswd;
location ~ .php$ {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}

The inside location ~ .php$ is silly because so I remove it like you
said, but no change.

By the way the problem is not when I use the complete url
(http://www.domain.fr/myapp/index.php) but when I don’t add the
index.php page (http://www.domain.fr/myapp/)

Posted at Nginx Forum:

4

After some test I can give more detail.

In fact my app isn’t directly in a subdirectory of my root, but in a
subdir of a subdir of the root.

root = /var/www/domain.fr;
myapp = /var/www/domain.fr/test/myapp

If I put it directly in a subdir of root it work

Here is my real conf :

server {
listen 80;
server_name www.domain.fr;
root /var/www/domain.fr ;
access_log /var/log/nginx/access.log ;
location / {
deny all;
}

    location /test/myapp {
            index  index.php;
            location ^~ /test/myapp/index.php {
                    auth_basic            "Section privee";
                    auth_basic_user_file

$document_root/test/myapp/.htpasswd;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}

            location ~ \.php$ {
                    include         /etc/nginx/fastcgi_params;
                    fastcgi_param   SCRIPT_FILENAME

$document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}
}

With : http://www.domain.fr/test/myapp/index.php, password asked
With : http://www.domain.fr/test/myapp, no password asked, php file
downloaded

Posted at Nginx Forum:

5

On Fri, Jan 13, 2012 at 06:13:28AM -0500, voidandany wrote:

Hi there,

With : http://www.domain.fr/test/myapp/index.php, password asked
With : http://www.domain.fr/test/myapp, no password asked, php file
downloaded

Your configuration looks like it should not result in what you report.

When I use a very similar config with 1.1.11, I do not see what you
report, and I do see what you expect.

With the following config:

==
server {
listen 8000;
include fastcgi.conf;

    location / {
        deny all;
    }

    location /test/myapp {
        index index.php;
        location ^~ /test/myapp/index.php {
            auth_basic            "Section privee";
            auth_basic_user_file

$document_root/test/myapp/.htpasswd;
fastcgi_pass unix:php.sock;
}
location ~ .php$ {
fastcgi_pass unix:php.sock;
}
}
}

==

curl -i http://localhost:8000/test returns 403 (Forbidden)
curl -i http://localhost:8000/test/myapp returns 301 (Moved to
/test/myapp/)
curl -i http://localhost:8000/test/myapp/ returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/ returns 200 (output of
index.php)
curl -i http://localhost:8000/test/myapp/index.php returns 401
(Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/index.php returns 200
(output of index.php)
curl -i http://localhost:8000/test/myapp/other.php returns 200 (output
of other.php)

The extra things I would point out are that you allow simple downloading
of all other content that begins with the location /test/myapp, which
includes /test/myapp2 (if that directory exists), and which also
includes
/test/myapp/.htpasswd; and from the configuration shown, it’s probably
more elegant to use “=” instead of “^~” in the nested location.

So, what’s different between your test and mine?

Are there any other location{}s defined in your config? Did the browser
you were testing with have an empty cache, so that you saw the request
in access.log?

Good luck with it,

f

Francis D. [email protected]

6

It seems resolved, during my test I have downloaded the php file and my
browser put it in cache so every time the web server respond the browser
serve the file in cache.
It explain why it worked with IE (file not in cache) but not with
Chrome…

Sorry for losing your time and many thanks to you Francis for the time
you spent making test

Posted at Nginx Forum: