10th March 2013, 21:17
|
|
Junior Member
|
|
Join Date: Feb 2013
Posts: 9
Thanks: 1
Thanked 0 Times in 0 Posts
|
|
securing access to a folder - 404 error
I'm trying to secure a directory on a CentOS 6.3 64 server running NGINX 1.2.7. I think I've set this up correctly, but it keeps giving me a 404 Not Found error when I try to access a file in that folder in the browser using domainName/secure/hello2.html.
I created an .htpasswd file using printf "MYUSER:$(openssl passwd -1 MYPASSWORD)\n" >> .htpasswd
and put that into the /var/www/protected/ folder.
I also modified the NGINX config file and included a location/auth block for the /secure/ folder:
Code:
# protect the "secure" folder ( /var/www/html/secure )
location ^~ /secure/ {
auth_basic "Restricted";
auth_basic_user_file /var/www/protected/.htpasswd;
}
If I comment out this block from the config file and restart NGINX, I can see the file in the browser with no problem. I even moved the .htpasswd file into the /secure/ folder and changed the config file to reflect that change (just to see what would happen), but I still get the 404 Not Found error.
Can anyone tell me what I'm missing?
|
12th March 2013, 18:38
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,592 Times in 2,443 Posts
|
|
Have you tried
Code:
location /secure/ {
...
}
?
|
13th March 2013, 01:06
|
|
Junior Member
|
|
Join Date: Feb 2013
Posts: 9
Thanks: 1
Thanked 0 Times in 0 Posts
|
|
still doesn't work...
falko -
I tried your suggestion - same error. I also set up an .htpasswd file in the same /secure directory to make the case as simple as possible - same error.
I've also looked at the numerous examples on the web and I appear to be doing it the suggested way. Not sure what else to try, but it shouldn't be this difficult.
|
15th March 2013, 13:14
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,592 Times in 2,443 Posts
|
|
Can you post the whole vhost configuration?
|
15th March 2013, 23:21
|
|
Junior Member
|
|
Join Date: Feb 2013
Posts: 9
Thanks: 1
Thanked 0 Times in 0 Posts
|
|
whole nginx config file
Here is the whole nginx config file:
Code:
server {
listen 80;
server_name mm201.myserver.com;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /var/www/html;
index index.php index.html index.htm;
}
# protect the "secure" folder ( /var/www/html/secure )
location /secure/ {
auth_basic "Restricted";
auth_basic_user_file /var/www/protected/.htpasswd;
# auth_basic_user_file /var/www/html/secure/.htpasswd;
}
error_page 404 /404.html;
location = /404.html {
root /var/www/html;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
root /var/www/html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
|
16th March 2013, 11:02
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,592 Times in 2,443 Posts
|
|
You have no document root defined in that location. But instead of specifying a document root for each location, you can specify an overall document root in the server {} container (and comment out the root lines in each location).
|
16th March 2013, 15:20
|
|
Junior Member
|
|
Join Date: Feb 2013
Posts: 9
Thanks: 1
Thanked 0 Times in 0 Posts
|
|
Solved
falko - that was exactly what was needed to fix the problem. Thank you!
|
16th March 2013, 22:11
|
|
Junior Member
|
|
Join Date: Feb 2013
Posts: 9
Thanks: 1
Thanked 0 Times in 0 Posts
|
|
Spoke too soon... not working for php files
falko - I found that this solution worked perfectly with html files, but it seemed to not pay attention when trying a php file. In other words, I would get the authentication login/pw notice when I searched for an html file in the /secure directory, just as I should. However, when I put a php file - a simple one that displays phpinfo() - in the secure directory, it would show the output directly without the authentication notice. I did try this several times, opening a new browser and clearing everything (cache, cookies, history, etc.) to make sure I started fresh.
I searched on the web related to securing php and I ran across a couple of things I added in the config file for security or performance purposes (mainly having to do with try_files), as well as protection for the munin folder, so I am showing the updated nginx config.
Thanks for any suggestions...
Code:
server {
listen 80;
server_name mm201.myserver.com;
root /var/www/html #(root statement needs to be at the server block level and the rest of the individual statements commented out)
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
#root /usr/share/nginx/html; #(this was the default location)
#root /var/www/html; #(this was moved up to the server block level and the individual root statements were commented out)
# this statement allows static content to be served first
try_files $uri $uri/ /index.php
index index.php index.html index.htm;
}
# protect the "secure" folder ( /var/www/html/secure )
location /secure/ {
#location ^~ /secure/ {
auth_basic "Restricted";
auth_basic_user_file /var/www/protected/.htpasswd;
}
# updated munin folder to be protected ( /var/www/html/munin )
location ^~ /munin/ {
auth_basic "Restricted";
auth_basic_user_file /var/www/protected/.htpasswd;
}
error_page 404 /404.html;
location = /404.html {
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
# root /var/www/html;
try_files $uri =404;
# the above was inserted to block malicious code uploads, but nginx and
# the php-fcgi workers must be on the same physical server
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}
|
17th March 2013, 12:17
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,592 Times in 2,443 Posts
|
|
It must be
Code:
root /var/www/html;
|
17th March 2013, 14:06
|
|
Junior Member
|
|
Join Date: Feb 2013
Posts: 9
Thanks: 1
Thanked 0 Times in 0 Posts
|
|
reposting config file
My mistake there on copying it from a doc (which had other comments) vs. the script. It does have a ; after that statement in the actual script. Just to be safe in communicating, though, I have copied it from the script on the server.
I thought a read somewhere that there had to be extra security statements within the php block, or maybe that the php block had to be within a larger block which had security statements - ever heard of this?
Thanks for any suggestions.
Code:
server {
listen 80;
server_name mm201.myserver.com;
root /var/www/html;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
# root /var/www/html;
# this statement allows static content to be served first
try_files $uri $uri/ /index.php
index index.php index.html index.htm;
}
# protect the "secure" folder ( /var/www/html/secure )
location /secure/ {
# root /var/www/html;
auth_basic "Restricted";
auth_basic_user_file /var/www/protected/.htpasswd;
# auth_basic_user_file /var/www/html/secure/.htpasswd;
}
# protect the "munin" folder ( /var/www/html/munin ) and subfolders
location ^~ /munin/ {
auth_basic "Restricted";
auth_basic_user_file /var/www/protected/.htpasswd;
}
error_page 404 /404.html;
location = /404.html {
# root /var/www/html;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
# root /var/www/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
# root /var/www/html;
try_files $uri =404;
# the above was inserted to block malicious code uploads, but nginx and
# the php-fcgi workers must be on the same physical server
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}
|
| Thread Tools |
|
|
| Display Modes |
 Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT +2. The time now is 15:01.
|
|
English | 
Deutsch
Recent comments
1 day 5 hours ago
1 day 14 hours ago
1 day 17 hours ago
1 day 18 hours ago
1 day 20 hours ago
1 day 21 hours ago
1 day 23 hours ago
2 days 37 min ago
2 days 16 hours ago
2 days 17 hours ago