Nginx Password Protect Directory Downloads Source Code

Question

I'm trying to password protect a WordPress login page on my Nginx server. When I navigate to http://www.example.com/wp-login.php, this brings up the "Authentication Required" prompt (not the WordPress login page) for a username and password. However, when I input the correct credentials, it downloads the PHP source code (wp-login.php) instead of showing the WordPress login page.

Permission for my htpasswd file is set to 644.

Here are the directives in question within the server block of my website's configuration file:

location ^~ /wp-login.php {
auth_basic            "Restricted Area";
auth_basic_user_file  htpasswd;
}

Alternately, here are the entire contents of my configuration file (including the above four lines):

server {
    listen *:80;


    server_name domain.com www.domain.com;

    root   /var/www/domain.com/web;

    index index.html index.htm index.php index.cgi index.pl index.xhtml;

    error_log /var/log/ispconfig/httpd/domain.com/error.log;
    access_log /var/log/ispconfig/httpd/domain.com/access.log combine$

    location ~ /\. {
        deny all;
       access_log off;
        log_not_found off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location /stats/ {

        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file /var/www/web/stats/.htp$
    }

    location ^~ /awstats-icon {
        alias /usr/share/awstats/icon;
    }

    location ~ \.php$ {
       try_files /b371b8bbf0b595046a2ef9ac5309a1c0.htm @php;
    }

    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/lib/php5-fpm/web11.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    location / {
    try_files $uri $uri/ /index.php?$args;
    client_max_body_size 64M;
    }

    location ^~ /wp-login.php {
    auth_basic            "Restricted Area";
    auth_basic_user_file  htpasswd;
    }


}

If it makes any difference, I'm using Ubuntu 14.04.1 LTS with Nginx 1.4.6 and ISPConfig 3.0.5.4p3.

@Mike, thanks, I've now posted the entire configuration file. — Pamela, Aug 20 '14 at 03:16

masegaloeh · Accepted Answer · 2014-08-20T04:14:42.300

3

Let me translate the current config. Whenever browser request /wp-login.php, the request only matches section location ^~ /wp-login.php, not including your php-fpm configuration. So, nginx just apply the auth_basic and then spit out the source code of wp-login.php because nginx can't parses it.

The solution is adding php-fpm section like this

    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/lib/php5-fpm/web11.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;

inside your location ^~ /wp-login.php directive.

Source: Protecting The Wordpress Login In Nginx

edited Aug 20 '14 at 04:14

answered Aug 20 '14 at 03:45

masegaloeh

17,978
9
56
104

Thank, this fixed it and has ended a big headache for me! – Pamela Aug 20 '14 at 03:55
Rather, it has fixed two big headaches for me--this one and [this one](http://serverfault.com/questions/622272/nginx-server-block-port-8081-path-to-root-folder). Thanks. – Pamela Aug 20 '14 at 04:05

Nginx Password Protect Directory Downloads Source Code

1 Answers1

Linked