This is the expected behavior. I would guess that your configuration file contains a different location block for handling files with a ".php" extension. In this case nginx will only match one location. See http://wiki.nginx.org/NginxHttpCoreModule#location.

To avoid serving the index.php file as a text file you can try using nested location blocks. This is an undocumented feature and can have unpredictable results, but in this case I guess it will work OK.

Try something like:

[code]
location ~ /srv/www/users/me/(folder1|folder2)/.* {
auth_basic "Restricted";
auth_basic_user_file /srv/www/users/me/folder1/.htpasswd;
location ~\.php {
fastcgi_pass 127.0.0.1:9000; # substitute here with appropriate PHP backend address or proxy_pass statement and parameters.
...
}
}
[/code]

--
Jim Ohlstein