Basic HTTP Authentication & PHP-FastCGI

Igor Clark igor at
Wed Jul 23 13:46:37 MSD 2008


On 23 Jul 2008, at 10:27, Phillip B Oldham wrote:

> mike wrote:
>> like PHP_AUTH_USER that Apache gives you and stuff?
> Yep, just like that.

I could be wrong but I think that this only happens once Apache has  
already done the authorisation and granted access to the resource.

>> you can do it purely in PHP:
> I thought nginx would have to pass the user/pass through to PHP via  
> the fastcgi params?

As I understand it, if PHP sends HTTP/1.1 401 Unauthorized then the  
browser should ask the user for credentials, and then send them back  
through the Authorization header. If this is in a location block  
without auth_basic, then nginx will pass this header through to PHP,  
and PHP can base64-decode the credentials, do what it needs to do in  
order to work out whether they're good credentials, and then return a  
200 or another 401 appropriately. You may need to set  
fastcgi_pass_header Authorization, I'm not sure - I've seen this  
referred to in various nginx configs on the web but the version of  
nginx I have on hand to test (0.5.35) seems to pass the  
HTTP_AUTHORIZATION header through with or without this setting.


Igor Clark • POKE • 10 Redchurch Street • E2 7DD • +44 (0)20 7749 5355  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list