It really depends on the situation.
Most of the time I've seen this issue arise is because the configuration file is improperly set up and the URI is being captured by another location block. In this case, it likely would be the "php" location block. The configuration file needs to be set up so that *all* files in the protected directory are captured by the location to be protected.
Something like:
[code]
location ^~ /protected-directory/ {
...
location ~ \.php$ {
... # fastcgi_pass or proxy_pass statements
}
}
location ~ \.php$ {
... # fastcgi_pass or proxy_pass statements
}
[/code]
In this case anything that matched the "^~" is processed in that location block, before any regular expressions are evaluated. The nested location, though not well documented, should function properly in this case. It's used so that any php scripts within the protected directory or any of it's subdirectories are processed properly.
See http://wiki.nginx.org/NginxHttpCoreModule#location for information on location blocks.
--
Jim Ohlstein