Dear ISPConfig staff and users,

My installation of ISPConfig 3.2.8p2 + Ubuntu 20.04 + Nginx 1.18 is successful. I can also access the GoAccess web statistics of a site. However, Nginx does not provide any authentication protection for viewing the GoAccess web statistics. The problem is quite severe because there is already related code in my host's Nginx configuration:

Code:
    location /stats/ {
        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file /var/www/clients/client1/web2/web//stats/.htpasswd_stats;
        add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";
    }

Moreover, if I enabled the ISPConfig built-in folder protection mechanism, Nginx refused to run. It complained that there were 2 different credential files under the same directory:

Code:
    auth_basic_user_file /var/www/clients/client1/web2/web//stats/.htpasswd_stats;
    auth_basic_user_file /var/www/clients/client1/web2/web//stats/.htpasswd;

Please help me to debug it. I need web directory protections.

Okay now. I have found the details of the whole story. Nginx basic auth works, as is proved by the ISPConfig built-in folder protection, which I have tested on my site's wp-admin path. So the authentication protection of ISPConfig's Nginx web site statistics is faulty, while its Apache implementation does work. So please update the authentication protection of ISPConfig's Nginx web site statistics. May I get a half-year free subscription for this bug report?

I also tested it in the MS Edge browser. The result is: when I visited .../stats/, the browser displayed the authentication alert. If I visited .../stats/index.php, the authentication alert disappeared and let me in to see the GoAccess panel. That means ISPConfig's Nginx web stats protection is faulty. Please correct it as soon as possible.

Sure, but only after you paid for my time to locate and fix and test the issue for you.

I use it here on several servers without any issues. But I'll have to set up some test systems today anyway and will check it again. Reasons that might cause it to fail on your system might be things like rewrite rules, changed web roots when the stats folder is not within the web root anymore, use of proxies, etc.
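
A check for the behaviour reported in this thread, as an added example that is not part of the original posts or of ISPConfig: it requests each path without credentials and lists every path that is not answered with a 401 Basic challenge. The local server is a constructed stand-in that mimics the responses described above, and `paths_without_challenge`, `ReportedBehaviour` and `demo` are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def paths_without_challenge(host, port, paths, timeout=5):
    """Request each path WITHOUT credentials; return (path, status) for
    every response that is not a 401 carrying a Basic challenge."""
    findings = []
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            challenge = resp.getheader("WWW-Authenticate", "")
            if resp.status != 401 or not challenge.lower().startswith("basic"):
                findings.append((path, resp.status))
        finally:
            conn.close()
    return findings


class ReportedBehaviour(BaseHTTPRequestHandler):
    """Constructed stand-in: /stats/index.php is served without a prompt,
    every other path gets the Basic challenge, as described in the thread."""

    def do_GET(self):
        if self.path == "/stats/index.php":
            self.send_response(200)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Members Only"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Run the check against the constructed server on a free local port."""
    server = HTTPServer(("127.0.0.1", 0), ReportedBehaviour)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return paths_without_challenge("127.0.0.1", server.server_port,
                                       ["/stats/", "/stats/index.php"])
    finally:
        server.shutdown()
        server.server_close()
```

Against a real vhost, call `paths_without_challenge` with the site's host and port and the index files named in the `index` directive; an empty list means every listed path demanded credentials.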