Re: Disabling basic_auth with rewrites

Maxim Dounin
May 20, 2011 04:02AM
Hello!

On Thu, May 19, 2011 at 11:16:56PM +0400, Igor Sysoev wrote:

> On Thu, May 19, 2011 at 10:10:59PM +0400, Maxim Dounin wrote:
> > Hello!
> >
> > On Thu, May 19, 2011 at 12:43:03PM -0400, klausi wrote:
> >
> > > Maxim Dounin Wrote:
> > > -------------------------------------------------------
> > > >
> > > > location / {
> > > >     auth_basic "protected";
> > > >     auth_basic_user_file
> > > >         /etc/nginx/htpasswd/protected;
> > > >     ...
> > > >
> > > >     location ~ \.php$ {
> > > >         fastcgi_pass ...
> > > >         ...
> > > >     }
> > > > }
> > > >
> > > > location /feeds/importer/ {
> > > >     ...
> > > >
> > > >     location ~ \.php$ {
> > > >         fastcgi_pass ...
> > > >         ...
> > > >     }
> > > > }
> > >
> > > Thanks for the quick reply, nested locations are nice, but they do not
> > > help in this special case. A request to /feeds/importer/* has to be
> > > rewritten to /index.php?q=feeds/importer/* and that should not be
> > > protected. Is unprotecting a path with a special query possible at all?
> >
> > Ah, sorry, I missed that you actually want /feeds/importer/... to be
> > fully handled by index.php. This makes the configuration even
> > simpler:
> >
> > location / {
> >     auth_basic ...
> >     ...
> >
> >     location ~ \.php$ {
> >         fastcgi_pass ...
> >         ...
> >     }
> > }
> >
> > location /feeds/importer/ {
> >     rewrite ^/(.*) /index.php?q=$1? break;
> >
> >     fastcgi_pass ...
> >     ...
> > }
> >
> > Note that the only goal of the rewrite is to properly change the URL while
> > correctly escaping new arguments and stripping old ones (note the
> > trailing '?'), as you probably don't want to allow unauthenticated
> > users to supply arbitrary arguments to your index.php. Due to
> > 'break', the request doesn't leave the location in question after
> > the rewrite and is processed there.
>
> My suggestion is to not use rewrite at all:
>
> location /feeds/importer/ {
>     location ~ ^/(.*) {
>         fastcgi_pass ...
>         fastcgi_param SCRIPT_FILENAME /path/to/index.php;
>         fastcgi_param QUERY_STRING q=$1;
>         ...
>     }
> }

There is a problem: you need a urlescape() function then. Otherwise, a
request like

/feeds/importer/&doevil=1

will naturally do evil, i.e. "doevil=1" will be seen by index.php
as a separate argument.

Maxim Dounin
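
The argument-injection problem described in the message above, as an added example that is not part of the original thread and is not nginx code. Python stands in for both the `q=$1` substitution and the backend's query parsing; `quote()` is an assumed stand-in for the missing urlescape(), all function names are made up here, and the sample paths other than the one from the message are constructed.

```python
import re
from urllib.parse import parse_qsl, quote

# Same pattern as the nested location in the quoted config: ^/(.*)
CAPTURE = re.compile(r"^/(.*)")

def capture(path):
    """Return what $1 would hold for an already-decoded request path."""
    return CAPTURE.match(path).group(1)

def raw_query(path):
    """Model of `QUERY_STRING q=$1` with the capture pasted in verbatim."""
    return "q=" + capture(path)

def escaped_query(path):
    """Same, but with the capture percent-encoded first (assumed urlescape())."""
    return "q=" + quote(capture(path), safe="/")

def app_params(query):
    """Parse the query string the way a backend would: split on & and =."""
    return parse_qsl(query, keep_blank_values=True)

def extra_params(query):
    """Names of every argument other than the single intended `q`."""
    return sorted({k for k, _ in app_params(query)} - {"q"})

def q_intact(query, path):
    """True when the backend's q equals exactly what was captured."""
    return dict(app_params(query)).get("q") == capture(path)

def audit(paths):
    """Per path: (path, raw extras, raw q intact, escaped extras, escaped q intact)."""
    return [(p, extra_params(raw_query(p)), q_intact(raw_query(p), p),
             extra_params(escaped_query(p)), q_intact(escaped_query(p), p))
            for p in paths]

# Constructed sample paths; the second is the request from the message above.
SAMPLES = [
    "/feeds/importer/news",
    "/feeds/importer/&doevil=1",
    "/feeds/importer/a+b",
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

The third sample shows that the raw form is also lossy for benign input: an unescaped `+` reaches the backend as a space.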
