Forum: NGINX Location recursive downloads php files

2974d09ac2541e892966b762aad84943?d=identicon&s=25 Peleke (Guest)
on 2013-07-20 23:02
(Received via mailing list)
I try to secure a specific folder and all files and subfolders with this
location block:

    location ^~ /folder1/admin {
        auth_basic  "Login";
        auth_basic_user_file
/var/www/domain.tld/www/folder1/admin/.htpasswd;
    }

With this code nginx offers always to download the php files.

With this code everything works as expected except that files and
subfolders
are not secured:

    location /folder1/admin {
        auth_basic  "Login";
        auth_basic_user_file
/var/www/domain.tld/www/folder1/admin/.htpasswd;
    }

Why is that and how can I fix the problem from the first block?

Thanks.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241080,241080#msg-241080
36a8284995fa0fb82e6aa2bede32adac?d=identicon&s=25 Francis Daly (Guest)
on 2013-07-21 10:05
(Received via mailing list)
On Sat, Jul 20, 2013 at 05:01:39PM -0400, Peleke wrote:

Hi there,

>
> With this code everything works as expected except that files and subfolders
> are not secured:
>
>     location /folder1/admin {
>         auth_basic  "Login";
>         auth_basic_user_file
> /var/www/domain.tld/www/folder1/admin/.htpasswd;
>     }
>
> Why is that and how can I fix the problem from the first block?

In nginx, one request is handled in one location.

http://nginx.org/r/location describes the rules, so that you can know
which one location will be used for a particular request.

In the above location{} blocks, you give no indication of what nginx
should do with the request, so it uses its default of "serve it from
the filesystem".

The difference between your two observations is that in the first case,
the location{} block is used for the request that you made; and in the
second case, the location{} block is not used.

To fix your configuration, you must put all of the configuration that
you want to apply to a request, in the one location{} that handles
that request.

  f
--
Francis Daly        francis@daoine.org
2974d09ac2541e892966b762aad84943?d=identicon&s=25 Peleke (Guest)
on 2013-07-21 19:09
(Received via mailing list)
Okay, it works if I add this:

    location ^~ /folder1/admin {
        auth_basic  "Login";
        auth_basic_user_file
/var/www/domain.tld/www/folder1/admin/.htpasswd;
            location ~ \.php$ {
                #limit_req zone=limit burst=5 nodelay;
                try_files $uri =404;
                #fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_intercept_errors off;
                fastcgi_read_timeout 120;
                fastcgi_buffers 256 4k;
                fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
                include /etc/nginx/fastcgi_params;
            }
    }

    ##
    # Pass PHP-Files To Socket
    ##

    location ~ \.php$ {
        #limit_req zone=limit burst=5 nodelay;
        try_files $uri =404;
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_intercept_errors off;
        fastcgi_read_timeout 120;
        fastcgi_buffers 256 4k;
        fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

But that is redundancy and can be complicated if you have many of those
entries and then want to change a .php setting (you have to do it
multiple
times).
Isn't it possible to make it simpler?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,241080,241094#msg-241094
36a8284995fa0fb82e6aa2bede32adac?d=identicon&s=25 Francis Daly (Guest)
on 2013-07-21 22:17
(Received via mailing list)
On Sun, Jul 21, 2013 at 01:08:18PM -0400, Peleke wrote:

Hi there,

> Okay, it works if I add this:
>
>     location ^~ /folder1/admin {
<snip>
>             location ~ \.php$ {
<snip>
>             }
>     }

>     location ~ \.php$ {
<snip>
>     }

> But that is redundancy and can be complicated if you have many of those
> entries and then want to change a .php setting (you have to do it multiple
> times).
> Isn't it possible to make it simpler?

Yes.

Either use an external-to-nginx thing to create the complicated config
file from less complicated parts; or put the repeated parts in a file
and
"include" it.

http://nginx.org/r/include

  f
--
Francis Daly        francis@daoine.org
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.