
I have an NGINX server and I use the Apache utilities for the password requirement (.htpasswd). It MOSTLY works fine. The following work fine:

example.com/admin
example.com/admin/
example.com/admin/index

but... When I type example.com/admin/index.php and don't type any password at all and press "abort", the server shows the index.php (without any CSS or JS files). I think my PHP-FPM is the problem. Please take a look:

location / {
    try_files $uri $uri.html $uri/ @extensionless-php;
    index index.html index.htm index.php;
}

location @extensionless-php {
    rewrite ^(.*)$ $1.php last;
}

location /admin {
    auth_basic "Restricted";
    auth_basic_user_file /admin/.htpasswd;
}

location ~ \.php$ {
    fastcgi_pass            127.0.0.1:9000;
    include                 fastcgi_params;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
Time to Travel

1 Answer


Just looking at the last two locations in your question:

location ^~ /admin {
    auth_basic "Restricted";
    auth_basic_user_file /admin/.htpasswd;

    location ~ \.php$ {
        fastcgi_pass  127.0.0.1:9000;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

location ~ \.php$ {
    fastcgi_pass  127.0.0.1:9000;
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

Adding the ^~ modifier makes the location ^~ /admin block take precedence over the other regex blocks (specifically the existing location ~ \.php$ block). So the authentication rules are uniformly applied to any URI beginning with /admin. See this document for details.

To avoid breaking PHP, the location ~ \.php$ block is duplicated within the location ^~ /admin block to process URIs that begin with /admin and end with .php.

Richard Smith
  • Nice. The bug is now fixed. But now it always says 403 Forbidden. I checked the dir permissions, but they're all right. – Time to Travel Jun 02 '16 at 09:09
  • 403 may be caused when the URI is a bare directory (like `/admin` or `/admin/`) and no `index` or `try_files` rule exists to resolve it. You might want to look at adding an `index` or `try_files` into the `location ^~ /admin` block to get the desired behaviour. – Richard Smith Jun 02 '16 at 09:16
  • I tried but still 403. Even when I point the URI at the file. Do you have an idea why? – Time to Travel Jun 02 '16 at 09:28
  • Did `auth_basic` work before? This is probably an unrelated problem. By the way, `auth_basic_user_file` takes a pathname and not a URI. `/admin/.htpasswd` looks suspiciously like a URI. – Richard Smith Jun 02 '16 at 09:50
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/113609/discussion-between-manuel-becker-and-richard-smith). – Time to Travel Jun 02 '16 at 09:52