Nginx – Apply basic auth only if an htaccess file exists

conditionalhttp-basic-authenticationnginx

How can I apply basic auth only if an htaccess file exists?

If first tried to put the auth_basic directives in an if block, but
that is not allowed.

Then, I tried redirecting to a named location, but while the location with
basic auth works fine, the redirection (which happens when there is no
htaccess file) is erroring out.

Here's what that config looks like:

server {
    listen 80;
    server_name ~^(?<instance>.+?)\.foo.example.com$;

    set $htaccess_user_file /var/htaccess/$instance.foo.example.com.htaccess;

    if (!-f $htaccess_user_file) {
        rewrite ^ @foo;
    }

    location / {
        auth_basic "Restricted";
        auth_basic_user_file $htaccess_user_file;

        root /var/www/$instance.foo.example.com;
        try_files $uri /index.html =404;
    }

    location @foo {
        root /var/www/$instance.foo.example.com;
        try_files $uri /index.html =404;
    }
}

And here's the error message I'm getting when there's no htaccess file:

2013/07/12 08:37:08 [error] 32082#0:
*192 open() "/usr/html@foo" failed (2: No such file or directory),
client: 1.2.3.4, server: ~^(?<instance>.+?)\.foo.example.com$,
request: "GET / HTTP/1.1", host: "bar.foo.example.com"

I have a feeling it has to do with some variables getting overwritten by the named
location, but I'm not sure.

Finally, I tried using alias in the named location, that way the @foo wouldn't be part
of the search dir, but alias are not allowed in named locations…. fuuuu

Best Answer

This is what MTecknology and kolbyjack advised me to do on #nginx.

server {
    listen 80;
    server_name ~^(?<instance>.+?)\.foo.example.com$;
    root /var/www/$instance.foo.example.com;

    set $htaccess_user_file /var/htaccess/$instance.foo.example.com/.htaccess;

    if (!-f $htaccess_user_file) {
        return 599;
    }

    location / {
        auth_basic "Restricted";
        auth_basic_user_file $htaccess_user_file;

        try_files $uri /index.html =404;
    }

    error_page 599 = @foo;

    location @foo {
        root /var/www/$instance.foo.example.com;
        try_files $uri /index.html =404;
    }
}

Worked flawlessly!

Related Solutions

NginX + WordPress + SSL + non-www + W3TC vhost config file questions

Please don't post multiple questions in one.

The first step, when you don't know how something works, is to search for the documentation. In the case of nginx, directives are exhaustively explained through the official documentation directive index.

It depends on the location block nature. Prefixed location blocks order is not important, but regex location blocks order is, since the first one matching the request URI will be picked.
Configuration directives order does not matter except for few cases like if blocks. Gzip directives are not part of these.
In fact ssl on is the old way to do it and the listen directive parameter ssl is the new one. The usage of ssl on forces the server block to accept HTTPS only while the usage of the listen directive parameter allows to handle both HTTP and HTTPs in the same server block.
Actually you explicitely asked nginx to do this. Another way to have the same result is using return 301 https://domain.com$request_uri. The rewrite patten ^(.*) matches all URIs and capture them. Then it rewrites them permanently (301 redirect) to https://domain.com<uri>. Refer to the documentation to understand how the rewrite directive works if you are confused.
Opinion-based questions do not fit SF standards.

Nginx PHP files downloading instead of executing

Had the same issue!

Found the answer here, http://www.ceus-now.com/nginx-password-protect-directory-downloads-source-code/

Because we are adding ^~ we are leaving behind some other settings (not sure why we need to add this but it was the only way to get it to actually pull up the authentication :( )

include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/lib/php5-fpm/web11.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;

I tried various combinations to see what was/not needed and each line is needed. I wish I understood these things better.

UPDATE: July 27th 2016:

So I did some reading and finally understand why we have this issue.

In short when we install FastCGI and php-fpm it creates a directive in the nginx server files (which file depends on your server install).

So in mine I have the following...

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
    #
    #       # With php7.0-cgi alone:
    #       fastcgi_pass 127.0.0.1:9000;
    #       # With php7.0-fpm:
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;

As you will notice these directives are in location / and not in the global settings. Since we want to secure a particular folder these directives are not inherited. Therefore, we need to declare it again.

If we wanted to follow the DRY ("Don't Repeat Yourself") principle, then we would declare the PHP-fpm and FastCGI in the global settings. We can do this by moving it to below (example, but it just needs to be outside of location directive). Here is an example.

root /var/www/html;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;

Hope this helps. I realized the above by reading https://www.digitalocean.com/community/tutorials/understanding-and-implementing-fastcgi-proxying-in-nginx

Disclaimer: I am no pro so if you see mistakes be nice and just let me know and I will hopefully update.

Best Answer

Related Solutions

NginX + WordPress + SSL + non-www + W3TC vhost config file questions

Nginx PHP files downloading instead of executing

Related Topic