Welcome! Log In Create A New Profile

Advanced

Re: Protect a specific php file

Francis Daly
January 13, 2012 01:30PM
On Fri, Jan 13, 2012 at 06:13:28AM -0500, voidandany wrote:

Hi there,

> With : http://www.domain.fr/test/myapp/index.php, password asked
> With : http://www.domain.fr/test/myapp, no password asked, php file
> downloaded

Your configuration looks like it should not result in what you report.

When I use a very similar config with 1.1.11, I do not see what you
report, and I do see what you expect.

With the following config:

==
server {
listen 8000;
include fastcgi.conf;

location / {
deny all;
}

location /test/myapp {
index index.php;
location ^~ /test/myapp/index.php {
auth_basic "Section privee";
auth_basic_user_file $document_root/test/myapp/.htpasswd;
fastcgi_pass unix:php.sock;
}
location ~ \.php$ {
fastcgi_pass unix:php.sock;
}
}
}

==

curl -i http://localhost:8000/test returns 403 (Forbidden)
curl -i http://localhost:8000/test/myapp returns 301 (Moved to /test/myapp/)
curl -i http://localhost:8000/test/myapp/ returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/ returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/index.php returns 401 (Unauthorized)
curl -i -u x:x http://localhost:8000/test/myapp/index.php returns 200 (output of index.php)
curl -i http://localhost:8000/test/myapp/other.php returns 200 (output of other.php)

The extra things I would point out are that you allow simple downloading
of all other content that begins with the location /test/myapp, which
includes /test/myapp2 (if that directory exists), and which also includes
/test/myapp/.htpasswd; and from the configuration shown, it's probably
more elegant to use "=" instead of "^~" in the nested location.

So, what's different between your test and mine?

Are there any other location{}s defined in your config? Did the browser
you were testing with have an empty cache, so that you saw the request
in access.log?

Good luck with it,

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Protect a specific php file

voidandany January 12, 2012 11:21AM

Re: Protect a specific php file

António P. P. Almeida January 12, 2012 11:54AM

Re: Protect a specific php file

voidandany January 13, 2012 03:57AM

Re: Protect a specific php file

voidandany January 13, 2012 06:13AM

Re: Protect a specific php file

Francis Daly January 13, 2012 01:30PM

Re: Protect a specific php file

voidandany January 13, 2012 04:52PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 71
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready