Troubles with http basic authentication.

Maxim Dounin mdounin at mdounin.ru
Sat Sep 29 21:15:01 MSD 2007


Hello!

On Fri, 28 Sep 2007, Matteo Niccoli wrote:

> I'm trying to enable basic authentication for a location like this:
>
> location /admin {
>                        auth_basic      "Restricted";
>                        auth_basic_user_file /tmp/.trypass;
>                        index index.php5;
>                        allow 192.168.1.1;
>                        deny all;
>                }
>
> When I try to connect to this location, if I use:
>
> http://$servername/admin/ and I press Esc two times, nginx gives me:
> 401 Authorization Required
>
> If I try to connect to:
>
> http://$servername/admin/index.php5 and I press Esc two times,
> nginx allows me access even if I haven't entered a username and
> password.
>
> Is it my mistake or is it a bug?

It's your mistake. You should understand that a request in nginx is processed 
according to the configuration in the most specific location. So your location 
"location /admin/" with authorization turned on won't influence request 
processing at all if you have a more specific location to handle your php 
scripts.

Authorization works for the first type of request (without index.php5 
explicitly specified) because it's actually processed twice - once to find 
out the new request url (according to the index directive in your /admin/ 
location) and again to handle the /admin/index.php5 request.

You should use something like this:

location /admin/ {
     auth_basic ...
}
location ~ ^/admin/.*\.php5$ {
     auth_basic ...
     fastcgi_pass ...
}

NB: regex locations are processed in order, so you should specify 
"location ~ ^/admin/.*\.php5$" before your generic .php5 location.

Maxim Dounin
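
Added example (not part of the original message and not nginx's own code): a simplified Python model of the location selection described in the reply, used to list which URIs under /admin would be served without auth_basic. The generic "\.php5$" location, the "placeholder" values and the helper names select_location and unauthenticated are assumptions; only the first location lookup is modelled, not the internal redirect caused by the index directive.

```python
import re

def select_location(locations, uri):
    """Simplified nginx location choice; locations = (modifier, pattern, settings) in file order."""
    best_prefix = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc                      # exact match wins immediately
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = loc           # remember the longest prefix match
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix                  # '^~' suppresses the regex pass
    for loc in locations:                   # regex locations: first match in file order
        mod, pat, _ = loc
        if mod in ("~", "~*") and re.search(pat, uri, re.I if mod == "~*" else 0):
            return loc
    return best_prefix                      # no regex matched: fall back to the prefix

def unauthenticated(locations, uris):
    """Return the URIs whose handling location has no auth_basic configured."""
    out = []
    for uri in uris:
        loc = select_location(locations, uri)
        if loc is None or not loc[2].get("auth_basic"):
            out.append(uri)
    return out

# Constructed configs. The generic "~ \.php5$" location is an assumption:
# the original post does not show it, the reply infers that one exists.
ORIGINAL = [
    ("", "/admin", {"auth_basic": "Restricted"}),
    ("~", r"\.php5$", {"fastcgi_pass": "placeholder"}),
]
FIXED = [
    ("", "/admin/", {"auth_basic": "Restricted"}),
    ("~", r"^/admin/.*\.php5$", {"auth_basic": "Restricted", "fastcgi_pass": "placeholder"}),
    ("~", r"\.php5$", {"fastcgi_pass": "placeholder"}),
]
# Same as FIXED but with the regex locations in the wrong order (see the NB).
MISORDERED = [FIXED[0], FIXED[2], FIXED[1]]

PROTECTED_URIS = ["/admin/", "/admin/index.php5", "/admin/sub/tool.php5"]

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(name, "-> served without auth:", unauthenticated(conf, PROTECTED_URIS))
```

An empty result for a config means every listed URI lands in a location that carries auth_basic.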




