auth_basic not requiring Authorization
Jim Ohlstein
jim at ohlste.in
Fri Jul 1 20:19:36 MSD 2011
On 7/1/11 11:58 AM, bindsocket wrote:
> Having a huge problem with the auth_basic. Despite putting in the exact
> same lines as what I found in many examples, the web server is still
> allowing access even without sending any authorization.
> Relevant conf bits:
>
> server {
> listen 80;
> server_name my.servers.name.com;
> log_format fullCombined '$remote_addr - $http_x_forwarded_for
> $remote_user [$time_local] '
> '"$request" $http_content_length $status
> $body_bytes_sent '
> '"$http_referer" "$http_user_agent"';
> access_log /var/log/nginx/access.log fullCombined;
> error_log /var/log/nginx/error.log;
>
> root /var/www/current/pub;
>
> client_body_buffer_size 1024k;
>
> ## Default location
> location / {
> index index.php;
>
> auth_basic "Ingester";
> auth_basic_user_file .htpasswd;
>
> rewrite ^index.php(.*)$ /index.php?/$1 last;
> if (!-f $request_filename) {
> rewrite ^/(.*)$ /index.php?/$1 last;
> break;
> }
>
> }
> ## Parse all .php file in the /var/www directory
> location ~ .php$ {
> fastcgi_pass backend;
> fastcgi_index index.php;
> fastcgi_param SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
> include /etc/nginx/fastcgi_params;
> fastcgi_param QUERY_STRING $query_string;
> fastcgi_param REQUEST_METHOD $request_method;
> fastcgi_param CONTENT_TYPE $content_type;
> fastcgi_param CONTENT_LENGTH $content_length;
> fastcgi_intercept_errors on;
> fastcgi_ignore_client_abort off;
> fastcgi_connect_timeout 60;
> fastcgi_send_timeout 180;
> fastcgi_read_timeout 180;
> fastcgi_buffer_size 128k;
> fastcgi_buffers 4 256k;
> fastcgi_busy_buffers_size 256k;
> fastcgi_temp_file_write_size 256k;
> }
The above location block is outside the location block that handles PHP
scripts.
You may try
    ## Default location
    location / {
        index index.php;
        auth_basic "Ingester";
        auth_basic_user_file .htpasswd;
        rewrite ^index.php(.*)$ /index.php?/$1 last;
        if (!-f $request_filename) {
            rewrite ^/(.*)$ /index.php?/$1 last;
            break;
        }
        location ~ \.php {
            fastcgi_pass backend;
            ...
        }
    }
Note also that this is an inefficient setup using "if". See
http://wiki.nginx.org/IfIsEvil. A "try_files" expression would be more
efficient.
Something like
    server {
        ...
        location / {
            index index.php;
            auth_basic "Ingester";
            auth_basic_user_file .htpasswd;
            rewrite ^index.php(.*)$ /index.php?/$1 last;
            try_files $uri $uri/ @fallback;
            location ~ \.php {
                fastcgi_pass backend;
                ...
            }
        }
        location @fallback {
            rewrite ^/(.*)$ /index.php?/$1 last;
        }
        ...
    }
>
> ## Disable viewing .htaccess & .htpassword
> location ~ /\.ht {
> deny all;
> }
> }
>
> Thanks in advance,
> Brian
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,211601,211601#msg-211601
--
Jim Ohlstein
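
A small checker for the point made in the reply above, added here as an example (not code from the thread or from the nginx project): it reports which location blocks have auth_basic in effect, given that the directive is inherited from enclosing blocks but not from sibling locations. The sample config is constructed from the thread's layout, and the name effective_auth is an assumption of this example.

```python
import re

# Constructed sample: the thread's layout reduced to the directives that matter.
SAMPLE = r'''
server {
    location / {
        auth_basic "Ingester";
        auth_basic_user_file .htpasswd;
        location ~ \.php$ { fastcgi_pass backend; }   # nested: inherits auth
    }
    location ~ \.php$ { fastcgi_pass backend; }       # sibling: no auth
    location ~ /\.ht { deny all; }
}
'''
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')  # strings, { } ;, words

def effective_auth(conf):
    """Map each location block to its effective auth_basic realm (None = open)."""
    conf = re.sub(r'#[^\n]*', '', conf)  # simplification: assumes no '#' in values
    blocks = [{"path": "", "parent": None, "own": None, "loc": False}]  # 0 = top
    cur, words = 0, []
    for tok in TOKEN.findall(conf):
        if tok == ';':
            if len(words) >= 2 and words[0] == 'auth_basic':
                blocks[cur]["own"] = words[1].strip('"\'')
            words = []
        elif tok == '{':
            prefix, name = blocks[cur]["path"], ' '.join(words)
            blocks.append({"path": f"{prefix} > {name}" if prefix else name,
                           "parent": cur, "own": None,
                           "loc": words[:1] == ['location']})
            cur, words = len(blocks) - 1, []
        elif tok == '}':
            if cur == 0:
                raise ValueError("unbalanced '}'")
            cur, words = blocks[cur]["parent"], []
        else:
            words.append(tok)

    def resolve(i):
        # Walk outwards: the nearest enclosing level that sets auth_basic wins.
        while i is not None:
            own = blocks[i]["own"]
            if own is not None:
                return None if own == 'off' else own
            i = blocks[i]["parent"]
        return None

    return {b["path"]: resolve(i) for i, b in enumerate(blocks) if b["loc"]}
```

Calling effective_auth(SAMPLE) returns a dict keyed by block path; any location mapped to None is served without a credential check.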