HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


mottwsc 10th March 2013 21:17

securing access to a folder - 404 error
 
I'm trying to secure a directory on a CentOS 6.3 64 server running NGINX 1.2.7. I think I've set this up correctly, but it keeps giving me a 404 Not Found error when I try to access a file in that folder in the browser using domainName/secure/hello2.html.

I created an .htpasswd file using printf "MYUSER:$(openssl passwd -1 MYPASSWORD)\n" >> .htpasswd
and put that into the /var/www/protected/ folder.

I also modified the NGINX config file and included a location/auth block for the /secure/ folder:
Code:

# protect the "secure" folder ( /var/www/html/secure )
location ^~ /secure/ {
    auth_basic "Restricted";
    auth_basic_user_file /var/www/protected/.htpasswd;
}

If I comment out this block from the config file and restart NGINX, I can see the file in the browser with no problem. I even moved the .htpasswd file into the /secure/ folder and changed the config file to reflect that change (just to see what would happen), but I still get the 404 Not Found error.

Can anyone tell me what I'm missing?

falko 12th March 2013 18:38

Have you tried

Code:

location /secure/ {
...
}

?

mottwsc 13th March 2013 01:06

still doesn't work...
 
falko -

I tried your suggestion - same error. I also set up an .htpasswd file in the same /secure directory to make the case as simple as possible - same error.

I've also looked at the numerous examples on the web and I appear to be doing it the suggested way. Not sure what else to try, but it shouldn't be this difficult.

falko 15th March 2013 13:14

Can you post the whole vhost configuration?

mottwsc 15th March 2013 23:21

whole nginx config file
 
Here is the whole nginx config file:

Code:

server {
    listen      80;
    server_name  mm201.myserver.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root  /var/www/html;
        index  index.php  index.html index.htm;
    }

    # protect the "secure" folder  ( /var/www/html/secure )
    location /secure/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;
    #  auth_basic_user_file /var/www/html/secure/.htpasswd;
    }

    error_page  404              /404.html;
    location = /404.html {
        root  /var/www/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
        root  /var/www/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass  http://127.0.0.1;
    #}


    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root    /var/www/html;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}


falko 16th March 2013 11:02

You have no document root defined in that location. But instead of specifying a document root for each location, you can specify an overall document root in the server {} container (and comment out the root lines in each location).

mottwsc 16th March 2013 15:20

Solved
 
falko - that was exactly what was needed to fix the problem. Thank you!

mottwsc 16th March 2013 22:11

Spoke too soon... not working for php files
 
falko - I found that this solution worked perfectly with html files, but it seemed to not pay attention when trying a php file. In other words, I would get the authentication login/pw notice when I searched for an html file in the /secure directory, just as I should. However, when I put a php file - a simple one that displays phpinfo() - in the secure directory, it would show the output directly without the authentication notice. I did try this several times, opening a new browser and clearing everything (cache, cookies, history, etc.) to make sure I started fresh.

I searched on the web related to securing php and I ran across a couple of things I added in the config file for security or performance purposes (mainly having to do with try_files), as well as protection for the munin folder, so I am showing the updated nginx config.

Thanks for any suggestions...

Code:

server {
    listen      80;
    server_name  mm201.myserver.com;
   
    root  /var/www/html  #(root statement needs to be at the server block level and the rest of the individual statements commented out)

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        #root  /usr/share/nginx/html;  #(this was the default location)
        #root          /var/www/html;  #(this was moved up to the server block level and the individual root statements were commented out)
        # this statement allows static content to be served first
            try_files $uri $uri/ /index.php

        index index.php index.html index.htm;
    }

    # protect the "secure" folder ( /var/www/html/secure )
    location  /secure/ {
    #location ^~ /secure/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;
    }

    # updated munin folder to be protected ( /var/www/html/munin )
    location ^~ /munin/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;
    }

    error_page  404              /404.html;
    location = /404.html {
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass  http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
    #  root  /var/www/html;
        try_files $uri =404;
    # the above was inserted to block malicious code uploads, but nginx and
    # the php-fcgi workers must be on the same physical server

        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}


falko 17th March 2013 12:17

It must be
Code:

root  /var/www/html;

mottwsc 17th March 2013 14:06

reposting config file
 
My mistake there on copying it from a doc (which had other comments) vs. the script. It does have a ; after that statement in the actual script. Just to be safe in communicating, though, I have copied it from the script on the server.

I thought I read somewhere that there had to be extra security statements within the php block, or maybe that the php block had to be within a larger block which had security statements - ever heard of this?

Thanks for any suggestions.

Code:

server {
    listen      80;
    server_name  mm201.myserver.com;

    root  /var/www/html;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
    #  root  /var/www/html;
    # this statement allows static content to be served first
        try_files $uri $uri/ /index.php

        index  index.php  index.html index.htm;
    }

    # protect the "secure" folder  ( /var/www/html/secure )
    location /secure/ {
    #  root  /var/www/html;
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;
    #  auth_basic_user_file /var/www/html/secure/.htpasswd;
    }

    # protect the "munin" folder  ( /var/www/html/munin ) and subfolders
    location ^~ /munin/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;
    }

    error_page  404              /404.html;
    location = /404.html {
    #  root  /var/www/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
    #  root  /var/www/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass  http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
    #  root    /var/www/html;
        try_files $uri =404;
    # the above was inserted to block malicious code uploads, but nginx and
    # the php-fcgi workers must be on the same physical server

        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}
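Added example, not part of the thread and not posted by either participant: the behaviour described above (an auth prompt for .html but not for .php under /secure/) follows from nginx's location selection, where a matching regex location overrides a plain prefix location. The sketch below is based on the configuration posted above and shows the posted /secure/ block beside one corrected form; the backend address and paths are taken from the thread.

```nginx
server {
    listen      80;
    server_name mm201.myserver.com;
    root        /var/www/html;

    location / {
        try_files $uri $uri/ /index.php;
        index     index.php index.html index.htm;
    }

    # As posted (weak): a plain prefix location. For /secure/info.php nginx
    # remembers this prefix match, then tests the regex locations. The
    # server-level "~ \.php$" block matches and is used instead, and it
    # carries no auth_basic, so the script runs without a password prompt.
    #
    # location /secure/ {
    #     auth_basic           "Restricted";
    #     auth_basic_user_file /var/www/protected/.htpasswd;
    # }

    # Corrected: "^~" stops nginx from testing the server-level regex
    # locations for any URI under /secure/, so this block always wins.
    location ^~ /secure/ {
        auth_basic           "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;

        # Nested locations are still evaluated and inherit auth_basic, so
        # PHP here is executed only after authentication succeeds. Without
        # this nested block, .php files under /secure/ would be served as
        # static files (source) rather than executed.
        location ~ \.php$ {
            try_files     $uri =404;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include       fastcgi_params;
        }
    }

    # Unchanged: PHP outside /secure/.
    location ~ \.php$ {
        try_files     $uri =404;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }
}
```

After checking the syntax with `nginx -t` and reloading, an unauthenticated request for a .php file under /secure/ should receive the same 401 response as one for an .html file.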



All times are GMT +2.