Score:1

NGINX auth_basic exclude GET request to specific php script


I can't seem to figure out how to exclude a specific location from auth_basic.

server {
        server_name example.com;

        root /var/www/html;

        index index.php;

        auth_basic "Nein nein nein";
        auth_basic_user_file .htpasswd;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

        # this script needs free access and takes query string parameters
        location /sub/script.php {
                auth_basic off;
        }

        # this works fine
        location /sub/a-javascript.js {
                auth_basic off;
        }
...

The location /sub/script.php needs free access. It would also be nice if it could only allow GET requests to it. My problem seems to be the query parameters that come after it.

The script always gets requested with many query parameters: script.php?param=something&other_param=somethingelse&etc=etc

Paul avatar
cn flag
I'm not clear why `location ~ /sub/script\.php$ { auth_basic off; include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; limit_except GET { deny all; } }`, but I haven't used those before.
sv flag
Paul is right. Please know that using limit_except to allow GET also allows HEAD requests.
cn flag
@Paul still getting 401'd
Paul avatar
cn flag
Is there anything more in the logs? Does setting `error_log debug;` give anything more?
Paul avatar
cn flag
Oh, also try moving the `location ~ /sub/script\.php$...` block to be above the `location ~ \.php$...` block, if you haven't already.
cn flag
@Paul Yeah, it seems moving it above the php block did the trick. Thanks!
Score:1

Your current configuration is matching requests for /sub/script\.php$ on the following location block:

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

Use the following configuration, which places the /sub/script\.php$ location above the \.php$ location, because nginx will stop evaluating at the first matched regex location.

server {
        server_name example.com;

        root /var/www/html;

        index index.php;

        auth_basic "Nein nein nein";
        auth_basic_user_file .htpasswd;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ /sub/script\.php$ {
                auth_basic off;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
                limit_except GET { deny all; } # Also allows HEAD
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

        # this works fine
        location /sub/a-javascript.js {
                auth_basic off;
        }
...
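
Why the question's layout returned 401 while the reordered one does not, shown as an added example: a simplified Python model of nginx location selection, not code from the answer or from nginx itself. The `select_location` helper and the `EXACT` variant (`location = /sub/script.php`) are assumptions introduced here; URI normalization and nested locations are not modelled.

```python
import re
from urllib.parse import urlsplit

def select_location(locations, request_target):
    """Pick the location nginx would use (simplified model).

    locations: (modifier, pattern) pairs in config-file order; modifier is
    "" (prefix), "=", "^~", "~" (regex) or "~*" (case-insensitive regex).
    """
    uri = urlsplit(request_target).path  # the query string is never matched
    # 1. An exact "=" match ends the search immediately.
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
    # 2. Remember the longest matching prefix location.
    prefixes = [(m, p) for m, p in locations
                if m in ("", "^~") and uri.startswith(p)]
    best = max(prefixes, key=lambda loc: len(loc[1]), default=None)
    # 3. "^~" on that prefix suppresses the regex pass.
    if best and best[0] == "^~":
        return best
    # 4. Regex locations are tried in file order; the first match wins.
    for mod, pat in locations:
        if mod in ("~", "~*"):
            if re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
                return (mod, pat)
    # 5. No regex matched: use the remembered prefix location.
    return best

# Location lists transcribed from the question and the answer above.
QUESTION = [("", "/"), ("~", r"\.php$"),
            ("", "/sub/script.php"), ("", "/sub/a-javascript.js")]
ANSWER = [("", "/"), ("~", r"/sub/script\.php$"), ("~", r"\.php$"),
          ("", "/sub/a-javascript.js")]
# Assumption (not on the page): an exact-match location, order-independent.
EXACT = [("", "/"), ("~", r"\.php$"), ("=", "/sub/script.php")]

if __name__ == "__main__":
    target = "/sub/script.php?param=something&other_param=somethingelse"
    for name, conf in (("question", QUESTION), ("answer", ANSWER), ("exact", EXACT)):
        print(name, "->", select_location(conf, target))
    print("js ->", select_location(QUESTION, "/sub/a-javascript.js"))
```

In the question's layout the request is handled by `\.php$`, which inherits the server-level `auth_basic`, while the `.js` prefix location works because no regex matches that URI.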