1

I can't seem to figure out how to exclude a specific location from auth_basic.

server {
        server_name example.com;

        root /var/www/html;

        index index.php;

        auth_basic "Nein nein nein";
        auth_basic_user_file .htpasswd;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

        # this script needs free access and takes query string parameters
        location /sub/script.php {
                auth_basic off;
        }

        # this works fine
        location /sub/a-javascript.js {
                auth_basic off;
        }
...

The location /sub/script.php needs free access. It would also be nice if it could only allow GET requests to it. My problem seems to be the query parameters that come after it.

The script always gets requested with many query parameters: `script.php?param=something&other_param=somethingelse&etc=etc`

droplet
  • I'm not clear why `location ~ /sub/script\.php$ { auth_basic off; include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; limit_except GET { deny all; } }`, but I haven't used those before. – Paul Jul 08 '21 at 20:28
  • Paul is right. Please know that using limit_except to allow GET also allows HEAD requests. – Pothi Kalimuthu Jul 09 '21 at 05:22
  • @Paul still getting 401'd – droplet Jul 09 '21 at 12:32
  • Is there anything more in the logs? Does setting `error_log debug;` give anything more? – Paul Jul 09 '21 at 13:56
  • Oh, also try moving the `location ~ /sub/script\.php$...` block to be above the `location ~ \.php$...` block, if you haven't already. – Paul Jul 09 '21 at 14:06
  • @Paul Yeah, it seems moving it above the php block did the trick. Thanks! – droplet Jul 09 '21 at 15:43

1 Answer

1

Your current configuration is matching requests for /sub/script\.php$ on the following location block:

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

Use the following configuration, which places the /sub/script\.php$ location above the \.php$ location, because nginx will stop evaluating at the first matched regex location.

server {
        server_name example.com;

        root /var/www/html;

        index index.php;

        auth_basic "Nein nein nein";
        auth_basic_user_file .htpasswd;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ /sub/script\.php$ {
                auth_basic off;
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
                limit_except GET { deny all; } # Also allows HEAD
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

        # this works fine
        location /sub/a-javascript.js {
                auth_basic off;
        }
...
Paul
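The location selection behind the answer above, as an added example that is not part of the original thread and not nginx's own code: a simplified Python model of nginx's documented matching order (exact match, longest prefix, then regex locations in file order), run over the location lists from the question and the answer. The names `select_location`, `requires_auth` and the `BELOW` variant are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def select_location(locations, request_target):
    """Pick a location the way nginx's documented rules do (simplified model:
    no nested or named locations). Entries are (modifier, pattern, auth_off),
    listed in config order; modifier is "", "=", "^~", "~" or "~*"."""
    path = urlsplit(request_target).path  # the query string is never matched
    best = None
    for loc in locations:
        mod, pat = loc[0], loc[1]
        if mod == "=" and path == pat:
            return loc                      # exact match ends the search
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc                  # remember the longest prefix
    if best and best[0] == "^~":
        return best                         # ^~ suppresses the regex pass
    for loc in locations:
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], path, flags):
                return loc                  # first regex in file order wins
    return best

def requires_auth(locations, request_target):
    """Server-level auth_basic applies unless the chosen location turns it off."""
    loc = select_location(locations, request_target)
    return loc is None or not loc[2]

# Location lists transcribed from the page's configs (auth_off = "auth_basic off;").
QUESTION = [("", "/", False), ("~", r"\.php$", False),
            ("", "/sub/script.php", True), ("", "/sub/a-javascript.js", True)]
ANSWER = [("", "/", False), ("~", r"/sub/script\.php$", True),
          ("~", r"\.php$", False), ("", "/sub/a-javascript.js", True)]
# Constructed variant: the same regex block placed below the generic PHP block.
BELOW = [("", "/", False), ("~", r"\.php$", False),
         ("~", r"/sub/script\.php$", True), ("", "/sub/a-javascript.js", True)]

TARGET = "/sub/script.php?param=something&other_param=somethingelse&etc=etc"

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("below", BELOW), ("answer", ANSWER)):
        loc = select_location(cfg, TARGET)
        print(f"{name}: location {loc[0]} {loc[1]} -> auth required: {requires_auth(cfg, TARGET)}")
```

The model shows that the query string plays no part: in the question's config the prefix location `/sub/script.php` is the longest prefix match, but the regex pass still runs and `\.php$` takes the request, so the server-level `auth_basic` applies.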