I'm trying to secure a directory on a CentOS 6.3 64 server running NGINX 1.2.7. I think I've set this up correctly, but it keeps giving me a 404 Not Found error when I try to access a file in that folder in the browser using domainName/secure/hello2.html.

I created an .htpasswd file using printf "MYUSER:$(openssl passwd -1 MYPASSWORD)\n" >> .htpasswd and put that into the /var/www/protected/ folder. I also modified the NGINX config file and included a location/auth block for the /secure/ folder:

Code:
    # protect the "secure" folder ( /var/www/html/secure )
    location ^~ /secure/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;
    }

If I comment out this block from the config file and restart NGINX, I can see the file in the browser with no problem. I even moved the .htpasswd file into the /secure/ folder and changed the config file to reflect that change (just to see what would happen), but I still get the 404 Not Found error. Can anyone tell me what I'm missing?
still doesn't work...

falko - I tried your suggestion - same error. I also set up an .htpasswd file in the same /secure directory to make the case as simple as possible - same error. I've also looked at the numerous examples on the web and I appear to be doing it the suggested way. Not sure what else to try, but it shouldn't be this difficult.
whole nginx config file

Here is the whole nginx config file:

Code:
    server {
        listen 80;
        server_name mm201.myserver.com;

        #charset koi8-r;
        #access_log /var/log/nginx/log/host.access.log main;

        location / {
            root /var/www/html;
            index index.php index.html index.htm;
        }

        # protect the "secure" folder ( /var/www/html/secure )
        location /secure/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
            # auth_basic_user_file /var/www/html/secure/.htpasswd;
        }

        error_page 404 /404.html;
        location = /404.html {
            root /var/www/html;
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /var/www/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root /var/www/html;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }
You have no document root defined in that location. But instead of specifying a document root for each location, you can specify an overall document root in the server {} container (and comment out the root lines in each location).
Spoke too soon... not working for php files

falko - I found that this solution worked perfectly with html files, but it seemed to not pay attention when trying a php file. In other words, I would get the authentication login/pw notice when I searched for an html file in the /secure directory, just as I should. However, when I put a php file - a simple one that displays phpinfo() - in the secure directory, it would show the output directly without the authentication notice. I did try this several times, opening a new browser and clearing everything (cache, cookies, history, etc.) to make sure I started fresh.

I searched on the web related to securing php and I ran across a couple of things I added in the config file for security or performance purposes (mainly having to do with try_files), as well as protection for the munin folder, so I am showing the updated nginx config. Thanks for any suggestions...

Code:
    server {
        listen 80;
        server_name mm201.myserver.com;
        root /var/www/html #(root statement needs to be at the server block level and the rest of the individual statements commented out)

        #charset koi8-r;
        #access_log /var/log/nginx/log/host.access.log main;

        location / {
            #root /usr/share/nginx/html; #(this was the default location)
            #root /var/www/html; #(this was moved up to the server block level and the individual root statements were commented out)
            # this statement allows static content to be served first
            try_files $uri $uri/ /index.php;
            index index.php index.html index.htm;
        }

        # protect the "secure" folder ( /var/www/html/secure )
        location /secure/ {
        #location ^~ /secure/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        }

        # updated munin folder to be protected ( /var/www/html/munin )
        location ^~ /munin/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            # root /var/www/html;
            try_files $uri =404;
            # the above was inserted to block malicious code uploads, but nginx and
            # the php-fcgi workers must be on the same physical server
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny all;
        }
    }
reposting config file

My mistake there on copying it from a doc (which had other comments) vs. the script. It does have a ; after that statement in the actual script. Just to be safe in communicating, though, I have copied it from the script on the server.

I thought I read somewhere that there had to be extra security statements within the php block, or maybe that the php block had to be within a larger block which had security statements - ever heard of this? Thanks for any suggestions.

Code:
    server {
        listen 80;
        server_name mm201.myserver.com;
        root /var/www/html;

        #charset koi8-r;
        #access_log /var/log/nginx/log/host.access.log main;

        location / {
            # root /var/www/html;
            # this statement allows static content to be served first
            try_files $uri $uri/ /index.php;
            index index.php index.html index.htm;
        }

        # protect the "secure" folder ( /var/www/html/secure )
        location /secure/ {
            # root /var/www/html;
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
            # auth_basic_user_file /var/www/html/secure/.htpasswd;
        }

        # protect the "munin" folder ( /var/www/html/munin ) and subfolders
        location ^~ /munin/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        }

        error_page 404 /404.html;
        location = /404.html {
            # root /var/www/html;
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            # root /var/www/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            # root /var/www/html;
            try_files $uri =404;
            # the above was inserted to block malicious code uploads, but nginx and
            # the php-fcgi workers must be on the same physical server
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny all;
        }
    }