After further testing, it's not the basic auth that's causing the problem... it's simply trying to access subdirectories from outside. Makes me thing I've messed something up in my nginx.conf:
worker_processes 1;
events {
worker_connections 64;
}
http {
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_session_timeout 5m;
## Timeouts
keepalive_timeout 300 300;
## General Options
charset utf-8;
default_type application/octet-stream;
ignore_invalid_headers on;
types {
text/html html;
image/gif gif;
image/jpeg jpg;
}
keepalive_requests 20;
max_ranges 0;
recursive_error_pages on;
sendfile on;
server_tokens off;
source_charset utf-8;
## Request limits
limit_req_zone $binary_remote_addr zone=fred:1m rate=60r/m;
## Compression
gzip on;
gzip_static on;
gzip_vary on;
## Log Format
log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
## http .:. redirect to https
server {
access_log /var/log/nginx/access.log main buffer=32k;
error_log /var/log/nginx/error.log error;
expires 0;
limit_req zone=fred burst=200 nodelay;
listen 80;
root /var/empty;
rewrite ^ https://192.168.1.100$request_uri permanent;
}
## https .:. (www.)example.com
server {
add_header Cache-Control "public";
add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
access_log /var/log/nginx/access.log main buffer=32k;
error_log /var/log/nginx/error.log error;
expires max;
index index.html;
limit_req zone=fred burst=200 nodelay;
listen 443;
root /var/www/htdocs;
server_name 192.168.1.100;
## Basic auth on test
location / {
}
location ^~ /test/ {
index index.html;
auth_basic "Admin Login";
auth_basic_user_file .htpasswd;
}
#!!! IMPORTANT !!! We need to hide the password file from prying eyes
# This will deny access to any hidden file (beginning with a .period)
location ~ /\. { deny all; }
## SSL Certs
ssl on;
ssl_session_cache shared:SSL:10m;
ssl_certificate /home/root/ssl/test.crt;
ssl_certificate_key /home/root/ssl/test.key;
ssl_ecdh_curve secp521r1;
## Stop Image and Document Hijacking
location ~* (\.jpg|\.gif|\.png|example\.css)$ {
if ($http_referer !~ ^(https://192.168.1.100) ) {
return 404;
}
}
## All other errors get the generic error page
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
location /example_error_page.html {
internal;
}
}
}
...again, it just hangs accessing subdirectories like "test", while everything works well from within the local network. The www root directory index.html serves up fine, even redirected to 443.
TIA,
Mike