I want to secure the whole /setup location using basic auth. However, I'm running into the following two problems:
- When using location /setup only localhost/setup prompts for credentials. Using localhost/setup/mypage.php bypasses the prompt fully or you can just click cancel when prompted and still see the page.
- location ^~ /setup secures all files in the /setup directory but A) this causes all php files to be served as a downloaded file and B) it causes 403 errors on all files loaded by my html. I "fixed" A) by adding the php snippets but I don't know how to solve B).
Goal: Secure the /setup location (and all files in it) with basic auth. Once a user has logged in, all content loaded by the php/html (js, images etc.) should be allowed to load as well.
Config
server {
    listen 80;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name localhost;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_read_timeout 60;
    }
    location ^~ /setup {
        deny all;
    }
}
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name localhost;
    location ^~ /setup {
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_read_timeout 60;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_read_timeout 60;
    }
    # location ^~ / {
    #     return 301 http://$http_host;
    #     #deny all;
    # }
}
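
The following is an added example, not part of the original post: the HTTPS server block from the question with the `/setup` location restructured so that one basic-auth boundary covers both PHP and static files. It assumes `snippets/fastcgi-php.conf` is the stock Debian/Ubuntu snippet and that the 403s come from PHP-FPM refusing non-`.php` files handed to it by `fastcgi_pass`.

```nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name localhost;

    # "^~" stops nginx from evaluating the server-level regex locations for
    # anything under this prefix, so the outer "~ \.php$" block can no longer
    # take /setup/*.php away from the protected location (the bypass seen
    # with a plain "location /setup").
    # Note: the prefix "/setup" also matches paths such as /setup-old;
    # use "/setup/" if only the directory should be covered.
    location ^~ /setup {
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Static files (js, css, images) are served from disk by nginx.
        # No fastcgi_pass at this level: sending every file to PHP-FPM is
        # what produced the 403s (assumption stated in the lead-in).
        try_files $uri $uri/ =404;

        # Nested regex locations are still searched inside the matched
        # prefix location, and auth_basic is inherited from the parent,
        # so PHP under /setup is both executed and authenticated.
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_read_timeout 60;
        }
    }

    # PHP outside /setup, unchanged from the question.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_read_timeout 60;
    }
}
```

To check the boundary after `nginx -t` and a reload, request `https://localhost/setup/mypage.php` and one static asset under `/setup` without credentials (for example with `curl -k -I`); both should return 401 rather than content.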