Hi I'm a nginx newbie, but I think I'm experiencing something seriously strange. I'm not sure I can reproduce the steps needed, but the thing is that I ended up nginx downloading protected php files from the site!
Step 1. make a normal site with say one php file
Step 2. make a auth_basic protected folder on it
Step 3. authenticate yourself in Google Chrome (maybe it works in others too)
Step 4. now modify the config such that a php file what wasn't protected before is protected now, reload
Step 5. now if you load the new php file in Chrome, instead of asking for the authenticate dialog, or parsing the file properly, it downloads it! I mean the pure PHP file with all it's code and plaintext content inside it!
I'm not sure that the above steps are the precise steps required to reproduce the bug, but I've repeatedly ended up downloading php files from the server. Closing Chrome and cleaning the cache fixed it.