Basic HTTP Authentication & PHP-FastCGI

Igor Clark igor at
Wed Jul 23 14:14:34 MSD 2008

On 23 Jul 2008, at 10:58, Phillip B Oldham wrote:

> Igor Clark wrote:
>> On 23 Jul 2008, at 10:27, Phillip B Oldham wrote:
>>> Yep, just like that.
>> I could be wrong but I think that this only happens once Apache has  
>> already done the authorisation and granted access to the resource.
> Not necessarily. If you connect to the resource using 
>  those variables are accessible. Authorisation happens within PHP.

Ah, OK. Prepending credentials to the URL simply makes the browser  
send  the Authorization: header on the first request, but I see from 
  that, as you say, Apache's mod_php adds PHP_AUTH_USER and  
PHP_AUTH_PW to PHP's $_SERVER array whenever the Authorization header  
is presented, whether originating from Apache or PHP. Gotcha.

>>> I thought nginx would have to pass the user/pass through to PHP  
>>> via the fastcgi params?
>> As I understand it, if PHP sends HTTP/1.1 401 Unauthorized then the  
>> browser should ask the user for credentials, and then send them  
>> back through the Authorization header. If this is in a location  
>> block without auth_basic, then nginx will pass this header through  
>> to PHP, and PHP can base64-decode the credentials, do what it needs  
>> to do in order to work out whether they're good credentials, and  
>> then return a 200 or another 401 appropriately. You may need to set  
>> fastcgi_pass_header Authorization, I'm not sure - I've seen this  
>> referred to in various nginx configs on the web but the version of  
>> nginx I have on hand to test (0.5.35) seems to pass the  
>> HTTP_AUTHORIZATION header through with or without this setting.
> Thanks. I'll test with the "fastcgi_pass_header Authorisation" and  
> see where I get.

Igor Clark • POKE • 10 Redchurch Street • E2 7DD • +44 (0)20 7749 5355  

More information about the nginx mailing list