securing access to a folder - 404 error

Francis Daly francis at
Tue Mar 19 09:11:26 UTC 2013

On Mon, Mar 18, 2013 at 08:10:47PM -0400, mottwsc wrote:

Hi there,

> I have found that this now
> works as it should to protect the /secure folder when trying to view html
> files, but it does not when viewing php files in the /secure folder (it just
> bypasses authentication and displays the file).  I must be missing something
> in the /php block (I guess), but I'm not sure what that would be.

Your "php" block doesn't have any mention of auth_basic, and so basic
authentication does not apply there.

> Any suggestions?

One request is handled in one location. You must have all of the
configuration that you want, available in the one location that handles
a specific request.

The "location" blocks you have are as follows.

>     location / {
>     location /secure/ {
>     location ^~ /munin/ {
>     location = /404.html {
>     location = /50x.html {
>     location ~ \.php$ {
>     location ~ /\.ht {

The documentation (, for example) should tell
you exactly which location{} is used for each request you make.

What you want is a location for "secure php" -- either "location ~
php" inside "location ^~ /secure/"; or else something like "location ~
^/secure/.*php" in which both auth_basic and fastcgi_pass apply.

Francis Daly        francis at
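
An added example, not part of the original post or of nginx itself: a small Python model of nginx's location selection (exact match, then longest prefix, with `^~` skipping the regex pass, then the first matching regex in configuration order) run over the location list quoted above. It shows why `/secure/*.php` lands in the `\.php$` block without auth_basic, and that a "secure php" regex location only takes effect if it is listed before the generic php regex. Assumptions: the auth flags on locations other than `/secure/` and `\.php$`, the sample URIs, and the placement of the fix are constructed for illustration.

```python
import re

# Locations from the post as (modifier, pattern, has_auth_basic). The thread only
# states the auth status of /secure/ and \.php$; the other flags are assumed.
ORIGINAL = [
    ("", "/", False),
    ("", "/secure/", True),
    ("^~", "/munin/", False),
    ("=", "/404.html", False),
    ("=", "/50x.html", False),
    ("~", r"\.php$", False),
    ("~", r"/\.ht", False),
]
# Constructed fix: a "secure php" regex location that carries both auth_basic
# and fastcgi_pass, listed before the generic php regex.
FIXED = ORIGINAL[:5] + [("~", r"^/secure/.*php", True)] + ORIGINAL[5:]


def select_location(locations, uri):
    """Return the entry nginx would pick for uri (nested locations not modelled)."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc  # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc  # remember the longest matching prefix
    if best is not None and best[0] == "^~":
        return best  # ^~ on the longest prefix skips the regex pass
    for loc in locations:
        if loc[0] == "~" and re.search(loc[1], uri):
            return loc  # first matching regex in config order wins
    return best


def unprotected(locations, uris):
    """URIs under /secure/ whose handling location has no auth_basic."""
    return [u for u in uris
            if u.startswith("/secure/") and not select_location(locations, u)[2]]


if __name__ == "__main__":
    sample = ["/secure/index.html", "/secure/report.php", "/index.php"]  # constructed
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for uri in sample:
            print(name, uri, "->", select_location(cfg, uri))
        print(name, "unprotected under /secure/:", unprotected(cfg, sample))
```
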
