3

I have a Magento module that asks for $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables.

In its documentation, the following setup for apache is proposed:

SetEnvIfNoCase Authorization "Basic ([a-z0-9=]+)" REMOTE_AUTHORIZATION=$

But I'm using nginx. What can I add in my .conf file to support these variables?

dawud
Ricardo Martins
  • Thanks! I came here trying to get this to work in apache, and your SetEnvIfNoCase helped me immensely, even if it didn't answer your own question. – braindigitalis Jul 20 '18 at 11:03

1 Answer

5

That should do the trick:

fastcgi_param PHP_AUTH_USER $remote_user;
fastcgi_param PHP_AUTH_PW $http_authorization;

Edit: Please read the comments on my answer. This will only allow you to access the variables if the user has authenticated against nginx and not against PHP. It's not possible to access PHP variables within nginx, simply because nginx is before PHP and only communicates via the FastCGI protocol with PHP. This is different if you're using Apache httpd with mod_php.

Fleshgrinder
  • The variable $remote_user seems to be filled only if the user has been logged in using the http://wiki.nginx.org/HttpAuthBasicModule module. The two variables in PHP are filled by default if I provide username and password as part of the HTTP header, but not if I pass them as part of the URL. – SimonSimCity Jan 15 '14 at 09:52
  • Login details as part of the URL (query string) are absolutely insecure; don't do it, don't try to implement it! – Fleshgrinder Jan 15 '14 at 22:01
  • Why not? All negative reasons I heard were about logging and tracking. But (actually) the browser is responsible for changing it to an HTTP header and sending it out. More on that here: http://stackoverflow.com/questions/21135104/why-do-browsers-not-send-the-authentication-header-when-the-credentials-are-prov/21149644#21149644 – SimonSimCity Jan 16 '14 at 08:20
  • The problem with credentials in a query string is that the browser cannot identify them and no other software can either. One can easily create URLs with automatic login and execute some action simply by giving you the URL. If you use the correct syntax (`http://username:password@example.com`) the browser is able to intercept it; the same goes for the HTTP headers (which aren't easily sharable as a simple string). – Fleshgrinder Jan 16 '14 at 12:23
  • What I mean is that the two variables you wrote about in your answer here are not filled if you don't authenticate the user with the module provided by nginx. Sorry, my first comment was quite misleading here ... – SimonSimCity Jan 16 '14 at 16:34
  • That's right, but that should apply to Apache httpd as well. If some other software is taking care of the authentication process, only that software will have access to the variables. Please note that this isn't true if PHP is running via Apache httpd mod_php, because Apache httpd and PHP are then running as a single process and can exchange data. This isn't possible with nginx at all. And now I see that my answer might not be an answer to the question. :P – Fleshgrinder Jan 16 '14 at 18:18
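
Added example, not part of the original answer or its comments: for Basic authentication the `Authorization` header that nginx exposes as `$http_authorization` has the form `Basic <base64(user:password)>`, so PHP code that receives only the raw header has to decode it before it has a username and password. The helper name `basic_credentials()` and the sample values are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Recover Basic credentials from the raw Authorization header when
 * PHP_AUTH_USER / PHP_AUTH_PW are not populated.
 * Hypothetical helper for illustration; not a Magento or PHP API.
 * Returns [user, password] or null if no usable Basic credentials exist.
 */
function basic_credentials(array $server): ?array
{
    // Prefer the values PHP has already parsed, if any.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }

    // nginx forwards request headers to FastCGI as HTTP_* parameters.
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('#^Basic\s+([A-Za-z0-9+/]+={0,2})\s*$#i', $header, $m)) {
        return null; // header absent, or another scheme (Bearer, Digest, ...)
    }

    // Strict mode rejects input containing non-base64 characters.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Split on the first colon only: the password may itself contain ':'.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// Constructed sample inputs (not taken from the page).
$samples = [
    'valid'          => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cr:et')],
    'other scheme'   => ['HTTP_AUTHORIZATION' => 'Bearer abc.def.ghi'],
    'no colon'       => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice')],
    'header missing' => [],
];
foreach ($samples as $label => $server) {
    $creds = basic_credentials($server);
    // Report only whether a password was parsed; never print the secret.
    printf("%-15s => %s\n", $label, $creds === null ? 'rejected' : "user={$creds[0]}, password parsed");
}
```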