Protect /analytics on Nginx with basic authentication, but allow access to .php and .js files??

lmm5247 nginx-forum at
Wed Feb 11 16:45:46 UTC 2015

Hey folks, Nginx noob here. I also posted here with no luck yet:,123492

I have Piwik setup and running on a Nginx webserver that I protected with
HTTP basic authentication, as seen below.

location /analytics {
alias /var/www/piwik/;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/pass;
try_files $uri $uri/ /index.php;

location ~ ^/analytics(.+\.php)$ {
alias /var/www/piwik$1;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

I have it protected, but it's prompting to login on every page, due to the
piwik.php and piwik.js files (necessary for analytics) being in my protected
directory. This is described on Piwik's website, below.

"If you use HTTP Authentication (Basic or Digest) on your Piwik files, you
should exclude piwik.php and piwik.js from this authentication, or visitors
on your website would be prompted with the authentication popup."

My question is: what kind of Nginx rule can I use to protect all files in
that directory, besides those two? Is it possible to do a negative regex
match on a location block?

Any help would be appreciated!

Posted at Nginx Forum:,256585,256585#msg-256585

More information about the nginx mailing list