Protect a specific php file

Francis Daly francis at
Fri Jan 13 18:29:34 UTC 2012

On Fri, Jan 13, 2012 at 06:13:28AM -0500, voidandany wrote:

Hi there,

> With :, password asked
> With :, no password asked, php file
> downloaded

Your configuration looks like it should not result in what you report.

When I use a very similar config with 1.1.11, I do not see what you
report, and I do see what you expect.

With the following config:

    server {
        listen       8000;
        include fastcgi.conf;

        location / {
            deny all;
        }

        location /test/myapp {
            index index.php;
            location ^~ /test/myapp/index.php {
                auth_basic            "Section privee";
                auth_basic_user_file  $document_root/test/myapp/.htpasswd;
                fastcgi_pass  unix:php.sock;
            }
            location ~ \.php$ {
                fastcgi_pass  unix:php.sock;
            }
        }
    }


curl -i http://localhost:8000/test returns 403 (Forbidden)
curl -i http://localhost:8000/test/myapp returns 301 (Moved to /test/myapp/)
curl -i http://localhost:8000/test/myapp/ returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/ returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/index.php returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/index.php returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/other.php returns 200 (output of other.php)

The extra things I would point out are that you allow simple downloading
of all other content that begins with the location /test/myapp, which
includes /test/myapp2 (if that directory exists), and which also includes
/test/myapp/.htpasswd; and from the configuration shown, it's probably
more elegant to use "=" instead of "^~" in the nested location.

So, what's different between your test and mine?

Are there any other location{}s defined in your config? Did the browser
you were testing with have an empty cache, so that you saw the request
in access.log?

Good luck with it,

Francis Daly        francis at
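
The two side effects pointed out in the message above (the prefix also matching /test/myapp2, and /test/myapp/.htpasswd being downloadable) and the "=" suggestion, applied to the same layout. This is an added example, not part of the original post; the extra "location = /test/myapp" redirect and the "~ /\.ht" block are assumptions about how one might close those gaps.

```nginx
server {
    listen       8000;
    include      fastcgi.conf;

    location / {
        deny all;
    }

    # Assumption: keep a redirect for the slash-less URL, since the
    # prefix below no longer matches it.
    location = /test/myapp {
        return 301 /test/myapp/;
    }

    # Trailing slash: /test/myapp2 does not match this prefix and
    # falls through to "location /" (403).
    location /test/myapp/ {
        index index.php;

        # Exact match instead of "^~": only this one URI is covered.
        location = /test/myapp/index.php {
            auth_basic            "Section privee";
            auth_basic_user_file  $document_root/test/myapp/.htpasswd;
            fastcgi_pass          unix:php.sock;
        }

        # Never serve .htpasswd (or other .ht* files) as static content.
        location ~ /\.ht {
            deny all;
        }

        # Other PHP files stay unauthenticated, as in the original post.
        location ~ \.php$ {
            fastcgi_pass  unix:php.sock;
        }
    }
}
```

With this layout, curl -i against /test/myapp2 and /test/myapp/.htpasswd should both return 403, while the index.php results listed in the message stay the same.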
