auth_basic and file uploads.

Maxim Dounin mdounin at mdounin.ru
Thu Apr 11 11:00:27 UTC 2013


Hello!

On Thu, Apr 11, 2013 at 06:18:19PM +1200, Steve Holdoway wrote:

> Hi Folks,
> 
> I've got a magento site under development, and just want it to be
> password protected until it goes live. No problem I thought...
> 
> add in the auth_basic/auth_basic_user_file entries to the location /
> block.
> 
> However, when I do that, I get a password request for the upload...
> 
> 2013/04/11 05:12:40 [error] 9866#0: *31 no user/password was provided
> for basic authentication, client: <my IP>, server: example.com, request:
> "POST /index.php/admin/catalog_product_gallery/upload/key/<very long
> key> HTTP/1.1", host: "example.com"
> 
> 
> If I enclose the auth_basic/auth_basic_user_file entries in a
> limit_except POST block, then I can't log in, even though it then works
> perfectly if I'm already logged in!
> 
> 
> Any pointers??

If your browser sees password request only on file uploads, it may 
not be able to get 401 (Unauthorized) response correctly and retry 
the request with authentication.  I would expect this to be very 
similar to 413 (Request Entity Too Large) handling by browsers, as 
explicitly mentioned here in docs:

http://nginx.org/r/client_max_body_size

Obvious solution is to require authentication before the upload.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
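
The 401 challenge-and-retry exchange discussed in the reply above, as an added example that is not part of the original message or of nginx. It assumes a toy local server standing in for an auth_basic-protected location, a constructed credential pair, and a hypothetical `/upload` path.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for this demo; not taken from the thread.
EXPECTED = "Basic " + base64.b64encode(b"dev:s3cret").decode()

class Handler(BaseHTTPRequestHandler):
    """Toy stand-in for a location protected by Basic authentication."""
    def do_POST(self):
        # Simplification: read the whole body first (not a claim about nginx).
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("Authorization") == EXPECTED
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="staging"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def post(port, body, auth=None):
    """POST the body and return (status, WWW-Authenticate header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/upload", body=body,
                 headers={"Authorization": auth} if auth else {})
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("WWW-Authenticate"))
    conn.close()
    return result

def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port, body = server.server_address[1], b"x" * 4096
    try:
        first = post(port, body)  # upload sent with no credentials
        # A client that understands the challenge resends the entire body.
        retried = post(port, body, EXPECTED) if first[0] == 401 else None
        # A client already authenticated sends credentials up front.
        preemptive = post(port, body, EXPECTED)
    finally:
        server.shutdown()
        server.server_close()
    return first, retried, preemptive

if __name__ == "__main__":
    print(demo())
```

A client that stops after the first response is left with the 401, which corresponds to the "no user/password was provided" entry in the quoted error log.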


