Disabling basic_auth with rewrites
Maxim Dounin
mdounin at mdounin.ru
Fri May 20 12:00:06 MSD 2011
Hello!
On Thu, May 19, 2011 at 11:16:56PM +0400, Igor Sysoev wrote:
> On Thu, May 19, 2011 at 10:10:59PM +0400, Maxim Dounin wrote:
> > Hello!
> >
> > On Thu, May 19, 2011 at 12:43:03PM -0400, klausi wrote:
> >
> > > Maxim Dounin Wrote:
> > > -------------------------------------------------------
> > > >
> > > > location / {
> > > >     auth_basic "protected";
> > > >     auth_basic_user_file /etc/nginx/htpasswd/protected;
> > > >     ...
> > > >
> > > >     location ~ \.php$ {
> > > >         fastcgi_pass ...
> > > >         ...
> > > >     }
> > > > }
> > > >
> > > > location /feeds/importer/ {
> > > >     ...
> > > >
> > > >     location ~ \.php$ {
> > > >         fastcgi_pass ...
> > > >         ...
> > > >     }
> > > > }
> > >
> > > Thanks for the quick reply, nested locations are nice, but they do not
> > > help in this special case. A request to /feeds/importer/* has to be
> > > rewritten to /index.php?q=feeds/importer/* and that should not be
> > > protected. Is unprotecting a path with a special query possible at all?
> >
> > Ah, sorry, I missed that you actually want /feeds/importer/... to be
> > fully handled by index.php. This makes the configuration even
> > simpler:
> >
> > location / {
> >     auth_basic ...
> >     ...
> >
> >     location ~ \.php$ {
> >         fastcgi_pass ...
> >         ...
> >     }
> > }
> >
> > location /feeds/importer/ {
> >     rewrite ^/(.*) /index.php?q=$1? break;
> >
> >     fastcgi_pass ...
> >     ...
> > }
> >
> > Note that the only goal of the rewrite is to properly change the url
> > while correctly escaping new arguments and stripping old ones (note
> > the trailing '?'), as you probably don't want to allow unauthenticated
> > users to supply arbitrary arguments to your index.php. Due to
> > 'break', the request doesn't leave the location in question after
> > the rewrite and is processed there.
>
> My suggestion is to not use rewrite at all:
>
> location /feeds/importer/ {
>     location ~ ^/(.*) {
>         fastcgi_pass ...
>         fastcgi_param SCRIPT_FILENAME /path/to/index.php;
>         fastcgi_param QUERY_STRING q=$1;
>         ...
>     }
> }

There is a problem: you need a urlescape() function then. Otherwise
a request like

/feeds/importer/&doevil=1

will naturally do evil, i.e. "doevil=1" will be seen by index.php
as a separate argument.

Maxim Dounin
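
The difference between the two approaches in the thread, as an added example in Python that is not part of the original message or of nginx: it builds QUERY_STRING from the `^/(.*)` capture with and without escaping and reports which argument names a backend would parse besides `q`. The function names are hypothetical, and `quote()` only stands in for the urlescape() step; it is not nginx's own escaping.

```python
from urllib.parse import parse_qs, quote, unquote


def capture(request_path):
    """Model of $1 for the regex ^/(.*).

    nginx matches locations against the URI after %XX decoding, so the
    capture holds decoded text: %26 in the request arrives here as '&'.
    """
    return unquote(request_path)[1:]


def query_unescaped(request_path):
    """QUERY_STRING as built by 'fastcgi_param QUERY_STRING q=$1;'."""
    return "q=" + capture(request_path)


def query_escaped(request_path):
    """Same, with the capture percent-encoded first.

    quote() stands in for the urlescape() step (assumption: it is not
    nginx's own escaping table, only the same idea).
    """
    return "q=" + quote(capture(request_path), safe="/")


def extra_args(query_string):
    """Argument names the backend would parse besides the intended 'q'."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return sorted(name for name in parsed if name != "q")


# Constructed sample requests; the second is the one from the message.
SAMPLES = [
    "/feeds/importer/rss",
    "/feeds/importer/&doevil=1",
    "/feeds/importer/%26doevil=1",
]

if __name__ == "__main__":
    for path in SAMPLES:
        for build in (query_unescaped, query_escaped):
            qs = build(path)
            print(f"{path:32} {build.__name__:16} {qs:40} extra={extra_args(qs)}")
```

A non-empty `extra_args()` result for a path under the unauthenticated location is the condition the message warns about.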