Protect a specific php file

Francis Daly francis at daoine.org
Fri Jan 13 18:29:34 UTC 2012


On Fri, Jan 13, 2012 at 06:13:28AM -0500, voidandany wrote:

Hi there,

> With : http://www.domain.fr/test/myapp/index.php, password asked
> With : http://www.domain.fr/test/myapp, no password asked, php file
> downloaded

Your configuration looks like it should not result in what you report.

When I use a very similar config with 1.1.11, I do not see what you
report, and I do see what you expect.

With the following config:

==
    server {
        listen       8000;
        include fastcgi.conf;

        location / {
            deny all;
        }

        location /test/myapp {
            index index.php;
            location ^~ /test/myapp/index.php {
                auth_basic            "Section privee";
                auth_basic_user_file  $document_root/test/myapp/.htpasswd;
                fastcgi_pass  unix:php.sock;
            }
            location ~ \.php$ {
                fastcgi_pass  unix:php.sock;
            }
        }
    }

==

curl -i http://localhost:8000/test returns 403 (Forbidden)
curl -i http://localhost:8000/test/myapp returns 301 (Moved to /test/myapp/)
curl -i http://localhost:8000/test/myapp/ returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/ returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/index.php returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/index.php returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/other.php returns 200 (output of other.php)

The extra things I would point out are that you allow simple downloading
of all other content that begins with the location /test/myapp, which
includes /test/myapp2 (if that directory exists), and which also includes
/test/myapp/.htpasswd; and from the configuration shown, it's probably
more elegant to use "=" instead of "^~" in the nested location.

So, what's different between your test and mine?

Are there any other location{}s defined in your config? Did the browser
you were testing with have an empty cache, so that you saw the request
in access.log?

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
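As an added illustration of the two points raised above (not a config from the post or from the nginx project), here is the same layout with the prefix narrowed so /test/myapp2 no longer matches, dotfiles such as .htpasswd denied, the password file moved out of the document root (the path /etc/nginx/htpasswd/myapp is an assumption), and "=" in place of "^~":

```nginx
server {
    listen       8000;
    include fastcgi.conf;

    location / {
        deny all;
    }

    # Original had "location /test/myapp", which also covers /test/myapp2.
    # With the trailing slash, a bare /test/myapp falls into "location /"
    # and is denied; keep a redirect if the old 301 behaviour is wanted.
    location = /test/myapp {
        return 301 /test/myapp/;
    }

    location /test/myapp/ {
        index index.php;

        # Deny any path component starting with a dot (.htpasswd, .git, ...).
        # Regex locations are tried in order, so this sits before \.php$.
        location ~ /\. {
            deny all;
        }

        # A single file needs only an exact match, so "=" replaces "^~".
        location = /test/myapp/index.php {
            auth_basic            "Section privee";
            # Assumed path outside $document_root, so it can never be served.
            auth_basic_user_file  /etc/nginx/htpasswd/myapp;
            fastcgi_pass  unix:php.sock;
        }

        location ~ \.php$ {
            fastcgi_pass  unix:php.sock;
        }
    }
}
```

With this config, /test/myapp/.htpasswd and /test/myapp2/anything return 403 instead of the file contents, while the curl results listed above for /test/myapp/, index.php and other.php are unchanged.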
