securing access to a folder - 404 error

Discussion in 'Installation/Configuration' started by mottwsc, Mar 10, 2013.

  1. mottwsc

    mottwsc New Member

    I'm trying to secure a directory on a CentOS 6.3 64 server running NGINX 1.2.7. I think I've set this up correctly, but it keeps giving me a 404 Not Found error when I try to access a file in that folder in the browser using domainName/secure/hello2.html.

    I created an .htpasswd file using printf "MYUSER:$(openssl passwd -1 MYPASSWORD)\n" >> .htpasswd
    and put that into the /var/www/protected/ folder.

    I also modified the NGINX config file and included a location/auth block for the /secure/ folder:
    Code:
    # protect the "secure" folder ( /var/www/html/secure )
    location ^~ /secure/ {
    auth_basic "Restricted";
    auth_basic_user_file /var/www/protected/.htpasswd;
    }
    
    If I comment out this block from the config file and restart NGINX, I can see the file in the browser with no problem. I even moved the .htpasswd file into the /secure/ folder and changed the config file to reflect that change (just to see what would happen), but I still get the 404 Not Found error.

    Can anyone tell me what I'm missing?
     
  2. falko

    falko Super Moderator

    Have you tried

    Code:
    location /secure/ {
    ...
    }
    ?
     
  3. mottwsc

    mottwsc New Member

    still doesn't work...

    falko -

    I tried your suggestion - same error. I also set up an .htpasswd file in the same /secure directory to make the case as simple as possible - same error.

    I've also looked at the numerous examples on the web and I appear to be doing it the suggested way. Not sure what else to try, but it shouldn't be this difficult.
     
  4. falko

    falko Super Moderator

    Can you post the whole vhost configuration?
     
  5. mottwsc

    mottwsc New Member

    whole nginx config file

    Here is the whole nginx config file:

    Code:
    server {
        listen       80;
        server_name  mm201.myserver.com;
    
        #charset koi8-r;
        #access_log  /var/log/nginx/log/host.access.log  main;
    
        location / {
            root   /var/www/html;
            index  index.php  index.html index.htm;
        }
    
        # protect the "secure" folder  ( /var/www/html/secure )
        location /secure/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        #   auth_basic_user_file /var/www/html/secure/.htpasswd;
        }
    
        error_page  404              /404.html;
        location = /404.html {
            root   /var/www/html;
        }
    
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /var/www/html;
        }
    
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
    
    
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root    /var/www/html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
    
     
  6. falko

    falko Super Moderator

    You have no document root defined in that location. But instead of specifying a document root for each location, you can specify an overall document root in the server {} container (and comment out the root lines in each location).
     
  7. mottwsc

    mottwsc New Member

    Solved

    falko - that was exactly what was needed to fix the problem. Thank you!
     
  8. mottwsc

    mottwsc New Member

    Spoke too soon... not working for php files

    falko - I found that this solution worked perfectly with html files, but it seemed to not pay attention when trying a php file. In other words, I would get the authentication login/pw notice when I searched for an html file in the /secure directory, just as I should. However, when I put a php file - a simple one that displays phpinfo() - in the secure directory, it would show the output directly without the authentication notice. I did try this several times, opening a new browser and clearing everything (cache, cookies, history, etc.) to make sure I started fresh.

    I searched on the web related to securing php and I ran across a couple of things I added in the config file for security or performance purposes (mainly having to do with try_files), as well as protection for the munin folder, so I am showing the updated nginx config.

    Thanks for any suggestions...

    Code:
    server {
        listen       80;
        server_name  mm201.myserver.com;
        
        root  /var/www/html  #(root statement needs to be at the server block level and the rest of the individual statements commented out)
    
        #charset koi8-r;
        #access_log  /var/log/nginx/log/host.access.log  main;
    
        location / {
            #root   /usr/share/nginx/html;  #(this was the default location)
            #root	  /var/www/html;  #(this was moved up to the server block level and the individual root statements were commented out)
            # this statement allows static content to be served first
                try_files $uri $uri/ /index.php
    
    	 index index.php index.html index.htm;
        }
    
        # protect the "secure" folder ( /var/www/html/secure )
        location  /secure/ {
        #location ^~ /secure/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        }
    
        # updated munin folder to be protected ( /var/www/html/munin )
        location ^~ /munin/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        }
    
        error_page  404              /404.html;
        location = /404.html {
        } 
    
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }
    
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
    
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
        #   root   /var/www/html;
            try_files $uri =404;
        # the above was inserted to block malicious code uploads, but nginx and
        # the php-fcgi workers must be on the same physical server
    
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny  all;
        }
    }
    
     
  9. falko

    falko Super Moderator

    It must be
    Code:
    root  /var/www/html[B][COLOR="Red"];[/COLOR][/B]
     
  10. mottwsc

    mottwsc New Member

    reposting config file

    My mistake there on copying it from a doc (which had other comments) vs. the script. It does have a ; after that statement in the actual script. Just to be safe in communicating, though, I have copied it from the script on the server.

    I thought a read somewhere that there had to be extra security statements within the php block, or maybe that the php block had to be within a larger block which had security statements - ever heard of this?

    Thanks for any suggestions.

    Code:
    server {
        listen       80;
        server_name  mm201.myserver.com;
    
        root  /var/www/html;
    
        #charset koi8-r;
        #access_log  /var/log/nginx/log/host.access.log  main;
    
        location / {
        #   root   /var/www/html;
        # this statement allows static content to be served first
            try_files $uri $uri/ /index.php
    
            index  index.php  index.html index.htm;
        }
    
        # protect the "secure" folder  ( /var/www/html/secure )
        location /secure/ {
        #   root  /var/www/html;
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        #   auth_basic_user_file /var/www/html/secure/.htpasswd;
        }
    
        # protect the "munin" folder  ( /var/www/html/munin ) and subfolders
        location ^~ /munin/ {
            auth_basic "Restricted";
            auth_basic_user_file /var/www/protected/.htpasswd;
        }
    
        error_page  404              /404.html;
        location = /404.html {
        #   root   /var/www/html;
        }
    
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        #   root   /var/www/html;
        }
    
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
    
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
        #   root    /var/www/html;
            try_files $uri =404;
        # the above was inserted to block malicious code uploads, but nginx and
        # the php-fcgi workers must be on the same physical server
    
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny  all;
        }
    }
    
     
  11. falko

    falko Super Moderator

    You are fine with the

    Code:
    try_files $uri =404;
    line in the PHP location.
     

Share This Page