1

I know this can be done with Apache, however I've started using nginx and would like to know if this is possible, and if so, how I can implement it.

On my web server I have the directory /mcscreens which contains a number of images. The directory is indexed with h5ai. I would like to password protect the directory so I can visit /mcscreens, login and be able to browse all the images using h5ai. I would also however like to link people directly to specific images, without them having to authenticate.

Basically, I want to password protect the directory, but not individual files.

How can I do this?

edit: my full config, including rmalayter's example:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /var/www;
    index index.php index.html index.htm /mcscreens/_h5ai/server/php/index.php;

    # Make site accessible from http://localhost/
    server_name redacted;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    #location for the root folder listing with or without trailing slash
    location ~ ^/(mcscreens|mcscreens/)$  {
      auth_basic            "Restricted";
      auth_basic_user_file  /var/www-assets/passwd;
    }

    #allow retrieval of any individual image via URL without auth
    location ~ ^/mcscreens/* {
      autoindex off;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

        }
}

rmalayter's example works, however PHP files are downloaded as .bin files.

Torvero
  • 414
  • 7
  • 14

1 Answers1

4

I believe this can be accomplished with two location blocks, one for the folder itself that has autoindex on, and then one for the files within. Thes likely have to be regex locationS.

Untested Example:

#location for the root folder listing with or without trailing slash
location ~ ^/(mcscreens|mcscreens/)$  {
  auth_basic            "Restricted";
  auth_basic_user_file  htpasswd;
  autoindex on;
}

#allow retrieval of any individual image via URL without auth
location ~ ^/mcscreens/* {
  autoindex off;
}
rmalayter
  • 3,744
  • 19
  • 27
  • Thanks - that works in that I'm asked for a password when I see the directory and not when I want to see and indivdual file. The only problem is that now PHP files are treated are download as .bin files. I've added my full nginx config to the question. – Torvero Feb 10 '14 at 18:10
  • 1
    Move your PHP location block up above the two new rexex blocks ones you just added. Nginx matches regex locations in the order they appear in teh configuration file. So I assume your php files are under your /mcscreeens lcoation. nginx stops searching other regex locations after it hits the first match. Your configuration of "execute anything with a PHP extension" is a really bad idea from a security perspective BTW. Code and static files should be separated, so you only run PHP from very specific directories. This is especially true if you accept any sort of file upload anywhere on your site. – rmalayter Feb 11 '14 at 04:49
  • Thanks, that worked. I have also disabled that from my config. – Torvero Feb 11 '14 at 07:59