View Single Post
Old 16th March 2013, 22:11
mottwsc mottwsc is offline
Junior Member
Join Date: Feb 2013
Posts: 9
Thanks: 1
Thanked 0 Times in 0 Posts
Default Spoke too soon... not working for php files

falko - I found that this solution worked perfectly with html files, but it seemed to not pay attention when trying a php file. In other words, I would get the authentication login/pw notice when I searched for an html file in the /secure directory, just as I should. However, when I put a php file - a simple one that displays phpinfo() - in the secure directory, it would show the output directly without the authentication notice. I did try this several times, opening a new browser and clearing everything (cache, cookies, history, etc.) to make sure I started fresh.

I searched on the web related to securing php and I ran across a couple of things I added in the config file for security or performance purposes (mainly having to do with try_files), as well as protection for the munin folder, so I am showing the updated nginx config.

Thanks for any suggestions...

server {
    listen       80;
    root  /var/www/html  #(root statement needs to be at the server block level and the rest of the individual statements commented out)

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        #root   /usr/share/nginx/html;  #(this was the default location)
        #root	  /var/www/html;  #(this was moved up to the server block level and the individual root statements were commented out)
        # this statement allows static content to be served first
            try_files $uri $uri/ /index.php

	 index index.php index.html index.htm;

    # protect the "secure" folder ( /var/www/html/secure )
    location  /secure/ {
    #location ^~ /secure/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;

    # updated munin folder to be protected ( /var/www/html/munin )
    location ^~ /munin/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/protected/.htpasswd;

    error_page  404              /404.html;
    location = /404.html {

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {

    # proxy the PHP scripts to Apache listening on
    #location ~ \.php$ {
    #    proxy_pass;

    # pass the PHP scripts to FastCGI server listening on
    location ~ \.php$ {
    #   root   /var/www/html;
        try_files $uri =404;
    # the above was inserted to block malicious code uploads, but nginx and
    # the php-fcgi workers must be on the same physical server

        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    location ~ /\.ht {
        deny  all;
Reply With Quote