Basic Authentication and PHP files

Maxim Dounin mdounin at mdounin.ru
Tue Feb 15 19:48:48 MSK 2011


Hello!

On Tue, Feb 15, 2011 at 10:26:29AM -0500, Ellimist wrote:

> I have a configuration block like this :
> 
> [code]
> 	location /members/ {
> 		index  main.php;
> 	}
> 
> 	location ~ ^/members/(?:text1|text2|text3)/(?!noinclude)[^\/]+/ {
> 		auth_basic            "Restricted Area";
> 		auth_basic_user_file  /home/password/.htpasswd;
> 		rewrite ^\/(members\/[^\/]+\/[^\/]+)\/$ /gallery.php?path=$1&page=1 last;
> 		rewrite ^\/(members\/[^\/]+\/[^\/]+)\/page([0-9]+)\.php$ /gallery.php?path=$1&page=$2 last;
> 	}
> 
>         location ~ \.php$ {
>                 fastcgi_pass   127.0.0.1:9000;
>                 fastcgi_index  index.php;
>                 fastcgi_param  SCRIPT_FILENAME 
> $document_root$fastcgi_script_n$
>                 include fastcgi_params;
>         }
> 
> [/code]
> 
> The problem is that whenever I go to
> http://mydomain.com/members/text1/anything/ or
> http://mydomain.com/members/text1/anything/pageX.php, it correctly
> displays the redirected page from gallery.php correctly, but it requires
> no authentication. The images and other elements embedded on the page
> from within the directory requires authentication, however.

Rewrites are executed before authentication, so you have to switch 
on authentication in the location where the request is actually processed 
(that is, the rewritten one).

Additionally, /gallery.php is anyway unprotected with your config, 
so it's possible to request anything without authentication by 
constructing appropriate url.

To resolve both issues it would be enough to add location for 
gallery.php with auth_basic, i.e.

    location = /gallery.php {
        auth_basic ...
        fastcgi_pass ...
        ...
    }

Though you may want to rewrite your config to avoid rewrites 
altogether to something like

    location /members/ {
        auth_basic ...

        location ~ ^/(?<path>members/[^/]+/[^/]+)/$ {
            fastcgi_pass ...
            fastcgi_param  SCRIPT_FILENAME  $document_root/gallery.php;
            fastcgi_param  QUERY_STRING     path=$path&page=1;
            ...
        }

        location ~ ^/(?<path>members/[^/]+/[^/]+)/page(?<page>[0-9]+)\.php$ {
            fastcgi_pass ...
            fastcgi_param  SCRIPT_FILENAME  $document_root/gallery.php;
            fastcgi_param  QUERY_STRING     path=$path&page=$page;
            ...
        }
    }

This approach is believed to be much more maintainable than using 
rewrites.

Maxim Dounin
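The fragments above assembled into one complete server block, as an added example that is not part of Maxim's reply or of Ellimist's configuration. It goes beyond the sketch in two places that a practitioner would want checked: the `/members/` prefix gets the `^~` modifier, because without it the server-level `location ~ \.php$` (a regex) wins over the plain prefix location for `/members/text1/anything/page1.php` and the request is served without `auth_basic` again; and `/gallery.php` is marked `internal`, since in the rewrite-free design nothing ever requests it by URI, so a direct `/gallery.php?path=...&page=...` request now gets a 404 instead of an unauthenticated gallery. The `root`, `server_name`, the nested `\.php$` location for `main.php` and friends, and the `noinclude` exclusion being dropped (as in the reply) are assumptions. The `include fastcgi_params;` line is placed before the explicit `QUERY_STRING` so that the explicit value is sent last; that PHP-FPM keeps the last value for a parameter sent twice is also an assumption here, not something the thread states.

```nginx
server {
    listen       80;
    server_name  mydomain.com;          # assumed
    root         /var/www/mydomain;     # assumed document root
    index        index.php;

    # ^~ : once this prefix matches, server-level regex locations
    # (the "~ \.php$" block at the bottom) are NOT consulted, so
    # /members/<x>/<y>/pageN.php cannot escape the auth_basic below.
    location ^~ /members/ {
        auth_basic            "Restricted Area";
        auth_basic_user_file  /home/password/.htpasswd;
        index                 main.php;

        # /members/<dir>/<album>/  ->  gallery.php?path=members/<dir>/<album>&page=1
        # $path can only ever be "members/<seg>/<seg>", so it is safe to
        # splice into QUERY_STRING without further escaping.
        location ~ ^/(?<path>members/[^/]+/[^/]+)/$ {
            include        fastcgi_params;                 # sets QUERY_STRING=$query_string first
            fastcgi_param  SCRIPT_FILENAME  $document_root/gallery.php;
            fastcgi_param  QUERY_STRING     path=$path&page=1;   # sent last (assumed: PHP keeps the last value)
            fastcgi_pass   127.0.0.1:9000;
        }

        # /members/<dir>/<album>/pageN.php  ->  gallery.php?path=...&page=N
        location ~ ^/(?<path>members/[^/]+/[^/]+)/page(?<page>[0-9]+)\.php$ {
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME  $document_root/gallery.php;
            fastcgi_param  QUERY_STRING     path=$path&page=$page;
            fastcgi_pass   127.0.0.1:9000;
        }

        # Any other PHP file under /members/ (e.g. main.php) still goes
        # through FastCGI, and still inherits auth_basic from the parent.
        # Without this nested block such requests would be served as
        # static files (source disclosure), because the server-level
        # "~ \.php$" is never reached after a ^~ match.
        location ~ \.php$ {
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_pass   127.0.0.1:9000;
        }

        # Everything else under /members/ (images, etc.) is served as
        # static content, behind the same auth_basic.
    }

    # gallery.php is only ever executed via the nested locations above,
    # which point SCRIPT_FILENAME at it directly. A client requesting
    # /gallery.php?path=members/text1/anything&page=1 by hand now gets 404.
    location = /gallery.php {
        internal;
    }

    # Remaining PHP on the site, outside /members/.
    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }
}
```

After loading this, the check worth running is the one the original report describes in reverse: an unauthenticated `curl -i http://mydomain.com/members/text1/anything/` and `.../page2.php` should both return 401, and `curl -i 'http://mydomain.com/gallery.php?path=members/text1/anything&page=1'` should return 404 rather than the gallery. If `main.php` under `/members/` comes back as plain source, the nested `~ \.php$` block is missing.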



More information about the nginx mailing list