Disabling basic_auth with rewrites
Igor Sysoev
igor at sysoev.ru
Thu May 19 23:16:56 MSD 2011
On Thu, May 19, 2011 at 10:10:59PM +0400, Maxim Dounin wrote:
> Hello!
>
> On Thu, May 19, 2011 at 12:43:03PM -0400, klausi wrote:
>
> > Maxim Dounin Wrote:
> > -------------------------------------------------------
> > >
> > > location / {
> > > auth_basic "protected";
> > > auth_basic_user_file
> > > /etc/nginx/htpasswd/protected;
> > > ...
> > >
> > > location ~ \.php$ {
> > > fastcgi_pass ...
> > > ...
> > > }
> > > }
> > >
> > > location /feeds/importer/ {
> > > ...
> > >
> > > location ~ \.php$ {
> > > fastcgi_pass ...
> > > ...
> > > }
> > > }
> >
> > Thanks for the quick reply, nested locations are nice, but they do not
> > help in this special case. A request to /feeds/importer/* has to be
> > rewritten to /index.php?q=feeds/importer/* and that should not be
> > protected. Is unprotecting a path with a special query possible at all?
>
> Ah, sorry, I missed you actually want /feeds/importer/... to be
> fully handled by index.php. This makes configuration even
> simplier:
>
> location / {
> auth_basic ...
> ...
>
> location ~ \.php$ {
> fastcgi_pass ...
> ...
> }
> }
>
> location /feeds/importer/ {
> rewrite ^/(.*) /index.php?q=$1? break;
>
> fastcgi_pass ...
> ...
> }
>
> Note that the only goal of rewrite is to properly change url while
> correctly escaping new arguments and stripping old ones (note
> trailing '?'), as you probably don't want to allow unauthenticated
> users to supply arbitrary arguments to your index.php. Due to
> 'break' request doesn't leave the location in question after
> rewrite and processed there.
My suggestion is to not use rewrite at all:
location /feeds/importer/ {
location ~ ^/(.*) {
fastcgi_pass ...
fastcgi_param SCRIPT_FILENAME /path/to/index.php;
fastcgi_param QUERY_STRING q=$1;
...
}
--
Igor Sysoev
More information about the nginx
mailing list