Score:0

Nginx Disable Basic Auth - Laravel Forge


On a Laravel Forge Nginx server I've enabled basic auth security at a root level for my site; this is working fine.

However I'm now trying to exclude a webhooks path from basic auth to allow the site to function properly with third parties.

No matter what I try, this does not seem to work. It works fine if the folder/file exists in the filesystem, but not for pretty URLs set up as routes in Laravel.

This is an extract of my nginx configuration file:

auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/forge-conf/mywebsite/server/.htpasswd;

location = /hooks/stripe {  
    auth_basic "off";
    allow all;
}

location / {
    try_files $uri $uri/ /index.php?$query_string;
}

The above works fine if I change /hooks/stripe to a physical file such as my CSS or favicon. Additionally inverting it works without issue, where I can lock just that route with a password.

I've tried using variations of the location block, some with = and some without. Additionally, I've tried auth_basic off; and removing allow all;. Finally, I've tried changing the location using different modifiers, making it less specific, and placing it before and after the / root location try_files.

Any help would be massively appreciated as I'm now completely stuck.

Does this answer your question? [Enable basic auth sitewide and disabling it for subpages?](https://serverfault.com/questions/330580/enable-basic-auth-sitewide-and-disabling-it-for-subpages)
Dean Whitehouse
The answer itself doesn't, but the example they use does show another approach of moving the auth requirements into the location block. This doesn't match the documentation as a requirement but is working... https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/#configuring-nginx-and-nginx-plus-for-http-basic-authentication Thanks!
Score:0

Thanks to @AlexD's suggestion in the comments, the below works; however, you have to move the forge import, which may have unintended impacts.

If you try to access a URL that doesn't exist, such as /hooks/lost, you still get the basic auth request, which I'm unsure why, but for now this solves the immediate problem.

# FORGE CONFIG (DO NOT REMOVE!)
#include forge-conf/mywebsite/server/*;

location / {
    try_files $uri $uri/ /index.php?$query_string;
    include forge-conf/mywebsite/server/*;
}

location /hooks {  
    auth_basic off;
}
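
A variant that exempts only the exact webhook route, as an added example that is not from the original posts or from Forge. nginx applies auth_basic in whichever location finally serves the request, so here the exempt location hands the request to PHP itself rather than relying on an internal redirect to /index.php, which would be re-matched by the PHP location and inherit the server-level auth again. The server name, root and PHP-FPM socket path are placeholders, and the fastcgi_param overrides assume the application's front controller is index.php in the document root.

```nginx
# Added example. example.test, the root path and the PHP-FPM socket are placeholders.
server {
    listen 80;
    server_name example.test;
    root /home/forge/example.test/public;
    index index.php;

    # Site-wide default: every location inherits these unless it overrides them.
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/forge-conf/mywebsite/server/.htpasswd;

    # Exact match: only /hooks/stripe is exempt; any other /hooks/* path
    # still falls through to "location /" and stays behind basic auth.
    location = /hooks/stripe {
        auth_basic off;

        # The route is not a file on disk, so pass it to the front controller
        # from inside this location. No internal redirect happens, so the
        # request is never re-evaluated against a location that requires auth.
        include fastcgi_params;
        # These two lines come after the include so they override its defaults.
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_param SCRIPT_NAME /index.php;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;  # placeholder socket path
    }

    location / {
        # Routed URLs are internally redirected to /index.php here and are
        # then handled by the PHP location below, with auth still enforced.
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;  # placeholder socket path
    }
}
```

After reloading, an unauthenticated request to /hooks/stripe should reach the application, while /, /index.php and any other /hooks/* path should still return 401.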