Thanks, i found it just above. It looks like this:
location ~* \.php {
fastcgi_pass unix:/run/php-fpm/php56-fpm.sock;
}
I would like to keep existing behavior (no user/passwd needed) except when clients try to execute php in /private... directory. Something like this:
location ~* /private*\.php {
satisfy any;
allow 192.168.1.0/24;
deny all;
auth_basic "Protected";
auth_basic_user_file conf/htpasswd;
}
BTW this is on a Synology NAS, there are about a dosen different config files so I want to ensure I don't break existing apps.