GoAccess on Nginx authentication protection does not work

Discussion in 'ISPConfig 3 Priority Support' started by concept21, Nov 6, 2022.

  1. concept21

    concept21 Active Member

    Dear ISPConfig staff and users,
    My installation of ISPConfig 3.2.8p2 + Ubuntu 20.04 + Nginx 1.18 is successful.
    I can also access the web statistics GoAccess of a site. However, Nginx does not provide any authentication protection for viewing GoAccess web statistics.

    The problem is quite severe because there is already related code in my host's Nginx configuration:
    Code:
            location /stats/ {
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client1/web2/web//stats/.htpasswd_stats;
                add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";
            }
    
    Moreover, if I enabled ISPConfig built-in folder protection mechanism, Nginx refused to run. It complained that there were 2 different credential files under the same directory:
    Code:
    auth_basic_user_file /var/www/clients/client1/web2/web//stats/.htpasswd_stats;
    auth_basic_user_file /var/www/clients/client1/web2/web//stats/.htpasswd;
    
    Please help me to debug it. I need web directory protections. :(
     
  2. concept21

    concept21 Active Member

    Okay now. I have found details of the whole story.

    Nginx basic auth works as it is proved by ISPConfig built-in folder protection which I have tested on my site's wp-admin path.

    So, ISPConfig Nginx web site statistics's authentication protection is faulty while its Apache implementation does work.

    So please update the ISPConfig Nginx web site statistics's authentication protection. :D

    May I get half-year free subscription for this bug report? :p
     
  3. concept21

    concept21 Active Member

    I also tested it on MS Edge browser. The result is:
    when I visited .../stats/, the browser displayed the authentication alert. If I visited .../stats/index.php, the authentication alert disappeared and let me in and see the GoAccess panel.

    That means ISPConfig's Nginx web stats protection is faulty. Please correct it as soon as possible. :rolleyes:
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, but only after you paid for my time to locate and fix and test the issue for you ;)

    I use it here on several servers without any issues. But I'll have to set up some test systems today anyway and will check it again. Reasons that might cause it to fail on your system might be things like rewrite rules, changed web roots when stats folder is not within the web root anymore, use of proxies etc.
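
The manual test from post 3 (request /stats/ and /stats/index.php without credentials and see which one prompts), written as a repeatable check. This is an added example, not part of any post in this thread and not ISPConfig code; the function names, the default base URL and the index.html path (taken from the `index` directive in post 1) are assumptions.

```python
"""Added example: list URLs under /stats/ that answer without an
HTTP Basic challenge. Names and defaults here are assumptions."""
import urllib.error
import urllib.request

# /stats/ and /stats/index.php are the URLs tested in post 3;
# index.html is assumed from the `index` directive in post 1.
STATS_PATHS = ["/stats/", "/stats/index.php", "/stats/index.html"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx answers instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, path, timeout=5.0):
    """Request base_url + path with no credentials.
    Returns (status, challenged); challenged is True only for a 401
    that carries a Basic WWW-Authenticate header."""
    # Empty ProxyHandler: talk to the server directly, not via a proxy
    # taken from the environment.
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    challenge = headers.get("WWW-Authenticate", "")
    return status, status == 401 and challenge.lower().startswith("basic")


def unprotected(base_url, paths=STATS_PATHS):
    """Return [(path, status)] for paths served (2xx) or redirected (3xx)
    without a Basic challenge. Other statuses (404, 403) are not listed."""
    findings = []
    for path in paths:
        status, challenged = probe(base_url, path)
        if not challenged and 200 <= status < 400:
            findings.append((path, status))
    return findings


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for path, status in unprotected(base):
        print(f"NOT PROTECTED: {path} answered {status} without credentials")
```

Run it against the site's own base URL after each vhost change; an empty result means every listed path that exists demanded credentials.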
     
