Disabling basic_auth with rewrites

Igor Sysoev igor at sysoev.ru
Thu May 19 23:16:56 MSD 2011


On Thu, May 19, 2011 at 10:10:59PM +0400, Maxim Dounin wrote:
> Hello!
> 
> On Thu, May 19, 2011 at 12:43:03PM -0400, klausi wrote:
> 
> > Maxim Dounin Wrote:
> > -------------------------------------------------------
> > > 
> > >     location / {
> > >         auth_basic "protected";
> > >         auth_basic_user_file /etc/nginx/htpasswd/protected;
> > >         ...
> > > 
> > >         location ~ \.php$ {
> > >             fastcgi_pass ...
> > >             ...
> > >         }
> > >     }
> > > 
> > >     location /feeds/importer/ {
> > >         ...
> > > 
> > >         location ~ \.php$ {
> > >             fastcgi_pass ...
> > >             ...
> > >         }
> > >     }
> > 
> > Thanks for the quick reply, nested locations are nice, but they do not
> > help in this special case. A request to /feeds/importer/* has to be
> > rewritten to /index.php?q=feeds/importer/* and that should not be
> > protected. Is unprotecting a path with a special query possible at all?
> 
> Ah, sorry, I missed you actually want /feeds/importer/... to be 
> fully handled by index.php.  This makes configuration even 
> simpler:
> 
>     location / {
>         auth_basic ...
>         ...
> 
>         location ~ \.php$ {
>             fastcgi_pass ...
>             ...
>         }
>     }
> 
>     location /feeds/importer/ {
>         rewrite ^/(.*) /index.php?q=$1? break;
> 
>         fastcgi_pass ...
>         ...
>     }
>  
> Note that the only goal of the rewrite is to properly change the URL while 
> correctly escaping new arguments and stripping old ones (note the 
> trailing '?'), as you probably don't want to allow unauthenticated 
> users to supply arbitrary arguments to your index.php.  Due to 
> 'break', the request doesn't leave the location in question after 
> the rewrite and is processed there.

My suggestion is to not use rewrite at all:

     location /feeds/importer/ {
         location ~ ^/(.*) {
             fastcgi_pass    ...
             fastcgi_param   SCRIPT_FILENAME  /path/to/index.php;
             fastcgi_param   QUERY_STRING     q=$1;
             ...
         }
     }


-- 
Igor Sysoev
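
Added example, not part of the message above or of the thread: the no-rewrite layout written out as one server block, with the protected default beside the unprotected importer path. The server name, document root and PHP-FPM address are assumptions, and the character-class restriction on the capture and the `return 404` are additions that go beyond what the thread shows.

```nginx
# Added example; server_name, root and the PHP-FPM address are assumptions.
server {
    listen      80;
    server_name example.test;
    root        /var/www/site;

    # Default: everything requires credentials, including a direct
    # request for /index.php?q=feeds/importer/... from outside.
    location / {
        auth_basic           "protected";
        auth_basic_user_file /etc/nginx/htpasswd/protected;

        # Nested, so it inherits auth_basic from the enclosing location.
        location ~ \.php$ {
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  127.0.0.1:9000;
        }
    }

    # Sibling of "location /", so no auth_basic is inherited here.
    location /feeds/importer/ {
        # Added restriction (not in the thread): only plain path characters
        # are captured, so nothing like '&' or '=' can reach QUERY_STRING.
        location ~ "^/(feeds/importer/[A-Za-z0-9_/-]*)$" {
            fastcgi_pass  127.0.0.1:9000;
            # Fixed script and fixed query string: the client's own
            # arguments ($args) are never forwarded to index.php.
            fastcgi_param SCRIPT_FILENAME /var/www/site/index.php;
            fastcgi_param QUERY_STRING    q=$1;
            fastcgi_param REQUEST_METHOD  $request_method;
            fastcgi_param CONTENT_TYPE    $content_type;
            fastcgi_param CONTENT_LENGTH  $content_length;
        }

        # Anything under the prefix that fails the pattern above.
        return 404;
    }
}
```

After `nginx -t` and a reload, a request to `/` or to `/index.php?q=feeds/importer/x` without credentials should return 401, while `/feeds/importer/x` should reach index.php without a password prompt.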


