securing access to a folder - 404 error

mottwsc nginx-forum at
Tue Mar 19 00:10:47 UTC 2013

I was able to get partway through the problem with some help.  The basic
problem was that I had been missing a root directive in one of the location
blocks.  I was advised to (and did) move the root statement up to the server
block and comment it out from any sub-blocks. I have found that this now
works as it should to protect the /secure folder when trying to view html
files, but it does not when viewing php files in the /secure folder (it just
bypasses authentication and displays the file.  I must be missing something
in the /php block (I guess), but I'm not sure what that would be.

Any suggestions?

Here's the entire nginx config file....

server {
    listen       80;

    root  /var/www/html;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
    #   root   /var/www/html;
    # this statement allows static content to be served first
        try_files $uri $uri/ /index.php

        index  index.php  index.html index.htm;

    # protect the "secure" folder  ( /var/www/html/secure )
    location /secure/ {
    #   root  /var/www/html;
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;
    #   auth_basic_user_file /var/www/html/secure/.htpasswd;

    # protect the "munin" folder  ( /var/www/html/munin ) and subfolders
    location ^~ /munin/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;

    error_page  404              /404.html;
    location = /404.html {
    #   root   /var/www/html;

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    #   root   /var/www/html;

    # proxy the PHP scripts to Apache listening on
    #location ~ \.php$ {
    #    proxy_pass;

    # pass the PHP scripts to FastCGI server listening on
    location ~ \.php$ {
    #   root    /var/www/html;
        try_files $uri =404;
    # the above was inserted to block malicious code uploads, but nginx and
    # the php-fcgi workers must be on the same physical server

        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny  all;

Posted at Nginx Forum:,237196,237518#msg-237518

More information about the nginx mailing list