The server is set up with Nginx -> Varnish -> Apache.
The following nginx vhost conf rule block is essentially causing .htaccess files to be ignored:
…
location / {
location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
root /home/<userAccount>/<site.tld>;
expires max;
try_files $uri @backend;
}
error_page 405 = @backend;
error_page 500 = @custom;
add_header X-Cache "HIT from Backend";
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
proxy_pass http://192.168.1.5:8181;
include proxy.inc;
}
…
To be specific, if a .htaccess file, containing a "Require all denied" rule is placed in any directory, users can still view or download any file type that is listed in that nginx rule.
Since that nginx rule applies to the root of the website, can I simply add a block of code to the nginx conf file that will 'exempt' specified directories from that rule so .htaccess files can be used to forbid access to those specific directories? If so, can you please provide a code sample and where it should be placed in the conf file. In other words, I want to keep that rule as the default for the website but exempt specific directories from it.
