Disabling basic_auth with rewrites

Maxim Dounin mdounin at mdounin.ru
Fri May 20 12:00:06 MSD 2011


Hello!

On Thu, May 19, 2011 at 11:16:56PM +0400, Igor Sysoev wrote:

> On Thu, May 19, 2011 at 10:10:59PM +0400, Maxim Dounin wrote:
> > Hello!
> > 
> > On Thu, May 19, 2011 at 12:43:03PM -0400, klausi wrote:
> > 
> > > Maxim Dounin Wrote:
> > > -------------------------------------------------------
> > > > 
> > > >     location / {
> > > >         auth_basic "protected";
> > > >         auth_basic_user_file /etc/nginx/htpasswd/protected;
> > > >         ...
> > > > 
> > > >         location ~ \.php$ {
> > > >             fastcgi_pass ...
> > > >             ...
> > > >         }
> > > >     }
> > > > 
> > > >     location /feeds/importer/ {
> > > >         ...
> > > > 
> > > >         location ~ \.php$ {
> > > >             fastcgi_pass ...
> > > >             ...
> > > >         }
> > > >     }
> > > 
> > > Thanks for the quick reply, nested locations are nice, but they do not
> > > help in this special case. A request to /feeds/importer/* has to be
> > > rewritten to /index.php?q=feeds/importer/* and that should not be
> > > protected. Is unprotecting a path with a special query possible at all?
> > 
> > Ah, sorry, I missed you actually want /feeds/importer/... to be 
> > fully handled by index.php.  This makes configuration even 
> > simpler:
> > 
> >     location / {
> >         auth_basic ...
> >         ...
> > 
> >         location ~ \.php$ {
> >             fastcgi_pass ...
> >             ...
> >         }
> >     }
> > 
> >     location /feeds/importer/ {
> >         rewrite ^/(.*) /index.php?q=$1? break;
> > 
> >         fastcgi_pass ...
> >         ...
> >     }
> >  
> > Note that the only goal of rewrite is to properly change the URL while 
> > correctly escaping new arguments and stripping old ones (note the 
> > trailing '?'), as you probably don't want to allow unauthenticated 
> > users to supply arbitrary arguments to your index.php.  Due to 
> > 'break', the request doesn't leave the location in question after 
> > the rewrite and is processed there.
> 
> My suggestion is to not use rewrite at all:
> 
>      location /feeds/importer/ {
>          location ~ ^/(.*) {
>              fastcgi_pass    ...
>              fastcgi_param   SCRIPT_FILENAME  /path/to/index.php;
>              fastcgi_param   QUERY_STRING     q=$1;
>              ...
>          }

There is a problem: you need a urlescape() function then.  Otherwise a 
request like

/feeds/importer/&doevil=1

will naturally do evil, i.e. "doevil=1" will be seen by index.php 
as a separate argument.

Maxim Dounin
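
The difference between the two approaches in this thread, as an added example that is not part of the original message: a small Python model of what index.php receives when the captured path is placed into QUERY_STRING unescaped versus percent-encoded. The function names are hypothetical, and `urllib` stands in for nginx's capture and escaping and for PHP's argument parsing.

```python
from urllib.parse import parse_qs, quote, unquote


def capture(request_path):
    """Simplified model of the regex capture ^/(.*).

    Assumption of this model: the regex is matched against the decoded
    URI, so an encoded %26 in the request also arrives as a raw '&'.
    """
    return unquote(request_path)[1:]


def query_unescaped(request_path):
    # Models: fastcgi_param QUERY_STRING q=$1;  (capture inserted as-is)
    return "q=" + capture(request_path)


def query_escaped(request_path):
    # Models the capture being escaped as an argument value before it is
    # placed in the query string, as the rewrite variant in the thread does.
    return "q=" + quote(capture(request_path), safe="/")


def backend_args(query_string):
    # Stand-in for how the backend splits QUERY_STRING into arguments.
    return parse_qs(query_string, keep_blank_values=True)


def unexpected_args(query_string, allowed=("q",)):
    # Argument names the backend would see beyond the intended 'q'.
    return sorted(set(backend_args(query_string)) - set(allowed))


if __name__ == "__main__":
    # Constructed sample requests; the first is the one from the message.
    for path in ("/feeds/importer/&doevil=1",
                 "/feeds/importer/%26doevil=1",
                 "/feeds/importer/node/12"):
        for label, build in (("unescaped", query_unescaped),
                             ("escaped", query_escaped)):
            qs = build(path)
            print(f"{path:32} {label:10} {qs:40} extra={unexpected_args(qs)}")
```
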


