Basic HTTP Authentication & PHP-FastCGI

Phillip B Oldham phill at
Wed Jul 23 13:58:08 MSD 2008

Igor Clark wrote:
> On 23 Jul 2008, at 10:27, Phillip B Oldham wrote:
>> Yep, just like that.
> I could be wrong but I think that this only happens once Apache has 
> already done the authorisation and granted access to the resource.
Not necessarily. If you connect to the resource using those variables are accessible. 
Authorisation happens within PHP.
>> I thought nginx would have to pass the user/pass through to PHP via 
>> the fastcgi params?
> As I understand it, if PHP sends HTTP/1.1 401 Unauthorized then the 
> browser should ask the user for credentials, and then send them back 
> through the Authorization header. If this is in a location block 
> without auth_basic, then nginx will pass this header through to PHP, 
> and PHP can base64-decode the credentials, do what it needs to do in 
> order to work out whether they're good credentials, and then return a 
> 200 or another 401 appropriately. You may need to set 
> fastcgi_pass_header Authorization, I'm not sure - I've seen this 
> referred to in various nginx configs on the web but the version of 
> nginx I have on hand to test (0.5.35) seems to pass the 
> HTTP_AUTHORIZATION header through with or without this setting.
Thanks. I'll test with the "fastcgi_pass_header Authorisation" and see 
where I get.
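
The flow described in the quoted reply (401 challenge, credentials returned in the Authorization header, decoded and checked in PHP), as an added example that is not part of the original thread. It assumes nginx delivers the header to PHP as `$_SERVER['HTTP_AUTHORIZATION']`; the user store, realm and function names are constructed for illustration.

```php
<?php
// Constructed demo store: username => password hash.
// A real deployment loads stored hashes; it never keeps plaintext passwords.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
// Hash verified for unknown usernames so both paths do comparable work.
$dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Parse "Basic <base64(user:pass)>"; return [user, pass] or null if malformed.
function parse_basic_auth(?string $header): ?array
{
    if ($header === null
        || !preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects invalid input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain ':'.
    return explode(':', $decoded, 2);
}

function authenticate(?string $header, array $users, string $dummy): bool
{
    $creds = parse_basic_auth($header);
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    $known = isset($users[$user]);
    // Always run password_verify so response time does not reveal valid usernames.
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

// Missing header (first request) or bad credentials: challenge the browser.
if (!authenticate($_SERVER['HTTP_AUTHORIZATION'] ?? null, $users, $dummy)) {
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Restricted"');
    exit('Authentication required');
}

echo 'Authenticated';
```

Basic credentials are only base64-encoded, not encrypted, so this belongs behind TLS.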