Protect a specific php file
Francis Daly
francis at daoine.org
Fri Jan 13 18:29:34 UTC 2012
On Fri, Jan 13, 2012 at 06:13:28AM -0500, voidandany wrote:
Hi there,
> With : http://www.domain.fr/test/myapp/index.php, password asked
> With : http://www.domain.fr/test/myapp, no password asked, php file
> downloaded
Your configuration looks like it should not result in what you report.
When I use a very similar config with 1.1.11, I do not see what you
report, and I do see what you expect.
With the following config:
==
server {
listen 8000;
include fastcgi.conf;
# everything not matched by a more specific location is refused
location / {
deny all;
}
# prefix match: also matches /test/myapp2 and /test/myapp/.htpasswd
location /test/myapp {
index index.php;
# only this one file asks for a password
location ^~ /test/myapp/index.php {
auth_basic "Section privee";
auth_basic_user_file $document_root/test/myapp/.htpasswd;
fastcgi_pass unix:php.sock;
}
# any other .php under the prefix runs without a password
location ~ \.php$ {
fastcgi_pass unix:php.sock;
}
}
}
==
curl -i http://localhost:8000/test returns 403 (Forbidden)
curl -i http://localhost:8000/test/myapp returns 301 (Moved to /test/myapp/)
curl -i http://localhost:8000/test/myapp/ returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/ returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/index.php returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/index.php returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/other.php returns 200 (output of other.php)
The extra things I would point out are that you allow simple downloading
of all other content that begins with the location /test/myapp, which
includes /test/myapp2 (if that directory exists), and which also includes
/test/myapp/.htpasswd; and from the configuration shown, it's probably
more elegant to use "=" instead of "^~" in the nested location.
So, what's different between your test and mine?
Are there any other location{}s defined in your config? Did the browser
you were testing with have an empty cache, so that you saw the request
in access.log?
Good luck with it,
f
--
Francis Daly francis at daoine.org
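The points raised in the reply above (the prefix also matching /test/myapp2, the .htpasswd file being downloadable, and "=" being the better match for the single protected file) can be folded into the config like this. This is an added example, not the configuration from the post or from the nginx project; it assumes the same fastcgi.conf and php.sock as the reply, and it assumes the password file is moved to /etc/nginx/htpasswd/myapp, a path chosen for this example so that the file lives outside the document root.

```nginx
server {
    listen 8000;
    include fastcgi.conf;

    # Everything not matched by a more specific location is refused.
    location / {
        deny all;
    }

    # Trailing slash: a bare "/test/myapp" prefix would also match /test/myapp2.
    location /test/myapp/ {
        index index.php;

        # Never serve dotfiles (.htpasswd, .git, .svn, ...) under this prefix.
        location ~ /\. {
            deny all;
        }

        # Exact match ("=") for the one file that needs a password.
        location = /test/myapp/index.php {
            auth_basic "Section privee";
            # Assumed path: the password file is kept outside the document root,
            # so it can never be served as static content.
            auth_basic_user_file /etc/nginx/htpasswd/myapp;
            fastcgi_pass unix:php.sock;
        }

        # Every other .php under the prefix still runs without a password
        # (that is what the reply's other.php test shows). Move the two
        # auth_basic lines up into "location /test/myapp/" if the whole
        # directory is meant to be private.
        location ~ \.php$ {
            fastcgi_pass unix:php.sock;
        }
    }
}
```

With this in place the curl sequence from the reply should behave the same for /test/myapp/ and /test/myapp/index.php (401 without credentials, 200 with), while /test/myapp/.htpasswd and /test/myapp2 now return 403 instead of the file contents.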