Monday, 29 December 2014

NGINX multiple location block matching


I have a Raspberry Pi with Raspbian, and I want a public www folder to be protected by htpasswd, PHP files to be passed correctly, and the .htpasswd and .db files to be denied to all.


But this does not work with my configuration. When I call the site from my browser in my local network (http://192.168.0.12/test/page.php), it is shown correctly, but no authentication was required and I can download the .htpasswd and .db files, even though I have denied them in my configuration.


What is wrong? Is it possible that only the first matching location block is executed? How can I bypass this?




Folder structure in "/usr/share/nginx/www":



test
- data.db
- page.php
- .htpasswd
index.html
index.php
.htpasswd


My nginx server config:



server {
    #listen 80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default_server ipv6only=on; ## listen for ipv6

    root /usr/share/nginx/www;
    index index.html index.htm index.php;

    # Make site accessible from http://localhost/
    server_name localhost;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    #pass the PHP scripts to PHP-FPM server listening on unix socket
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /testDb {
        auth_basic "Admin Login";
        auth_basic_user_file /usr/share/nginx/www/test/.htpasswd;
    }

    # deny access to .ht files
    location ~ \.ht {
        deny all;
    }

    # deny access to .db files
    location ~ \.db {
        deny all;
    }
}


Thanks in advance!


