Basic HTTP Authentication & PHP-FastCGI
igor at pokelondon.com
Wed Jul 23 14:14:34 MSD 2008
On 23 Jul 2008, at 10:58, Phillip B Oldham wrote:
> Igor Clark wrote:
>> On 23 Jul 2008, at 10:27, Phillip B Oldham wrote:
>>> Yep, just like that.
>> I could be wrong but I think that this only happens once Apache has
>> already done the authorisation and granted access to the resource.
> Not necessarily. If you connect to the resource using http://user:firstname.lastname@example.org
> those variables are accessible. Authorisation happens within PHP.
Ah, OK. Prepending credentials to the URL simply makes the browser
send the Authorization: header on the first request, but I see from http://php.net/features.http-auth
that, as you say, Apache's mod_php adds PHP_AUTH_USER and
PHP_AUTH_PW to PHP's $_SERVER array whenever the Authorization header
is presented, whether originating from Apache or PHP. Gotcha.
>>> I thought nginx would have to pass the user/pass through to PHP
>>> via the fastcgi params?
>> As I understand it, if PHP sends HTTP/1.1 401 Unauthorized then the
>> browser should ask the user for credentials, and then send them
>> back through the Authorization header. If this is in a location
>> block without auth_basic, then nginx will pass this header through
>> to PHP, and PHP can base64-decode the credentials, do what it needs
>> to do in order to work out whether they're good credentials, and
>> then return a 200 or another 401 appropriately. You may need to set
>> fastcgi_pass_header Authorization, I'm not sure - I've seen this
>> referred to in various nginx configs on the web but the version of
>> nginx I have on hand to test (0.5.35) seems to pass the
>> HTTP_AUTHORIZATION header through with or without this setting.
> Thanks. I'll test with the "fastcgi_pass_header Authorisation" and
> see where I get.
Igor Clark • POKE • 10 Redchurch Street • E2 7DD • +44 (0)20 7749 5355
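
The flow described in the message above (PHP answers 401, the browser resends with an Authorization header, nginx hands it to PHP-FastCGI as HTTP_AUTHORIZATION, PHP base64-decodes and decides), as an added example that is not part of the original thread. The user table, the realm name and the use of PHP 7.1+ syntax are assumptions made for illustration.

```php
<?php
// Added example: parse "Authorization: Basic ..." as received by PHP-FastCGI
// in $_SERVER['HTTP_AUTHORIZATION'] and answer 401 or 200.

// Returns [user, password], or null if the header is absent or malformed.
function parse_basic_auth(?string $header): ?array
{
    if ($header === null || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;                       // no header, or not the Basic scheme
    }
    $decoded = base64_decode($m[1], true); // strict: reject non-base64 input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may itself contain colons.
    return explode(':', $decoded, 2);
}

// Constructed sample account (assumption). Only the hash is kept; a real
// deployment would load stored password_hash() values, not compute them here.
$users = ['demo' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT)];

function check_credentials(array $users, ?array $creds): bool
{
    if ($creds === null) {
        return false;
    }
    [$user, $pass] = $creds;
    // Unknown users are checked against a dummy bcrypt hash so that response
    // time does not reveal which usernames exist.
    $hash = $users[$user] ?? '$2y$10$' . str_repeat('.', 53);
    return password_verify($pass, $hash) && isset($users[$user]);
}

if (PHP_SAPI !== 'cli') {                  // only act when serving a request
    $creds = parse_basic_auth($_SERVER['HTTP_AUTHORIZATION'] ?? null);
    if (!check_credentials($users, $creds)) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="Example"');
        exit('Authentication required');
    }
    echo 'Hello, ', htmlspecialchars($creds[0], ENT_QUOTES, 'UTF-8');
}
```

Basic credentials are only base64-encoded, not encrypted, so a location handled this way should be served over TLS.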