BasicAuth with nginx except for a specific location (Admin/API) - nginx

I want to set up BasicAuth on a DEV installation of Shopware to prevent Google/visitors from coming to the site.
I would like to keep the admin area without BasicAuth, as the SPA backend keeps asking for login on many ajax requests.
In short, BasicAuth for all requests except "/admin" and "/api".
I have tried this with the following configuration. But I get the password prompt even for requests on "/admin".
Why does "auth_basic" from one location affect the other?
# NOTE(review): nginx writes named locations as "@name". The "#rewriteapp" spellings in
# this listing are presumably "@rewriteapp" mangled when the page was captured - confirm
# against the original config before reusing it.
server {
# NOTE(review): the vhost also answers on plain port 80. Basic credentials are only
# base64-encoded, so unless port 80 redirects to HTTPS (not visible in the elided parts)
# the DEV password can be sent in cleartext.
listen [--IP--]:80;
listen [--IP--]:443 ssl http2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /var/www/clients/client1/web7/ssl/[--DOMAIN--].crt;
ssl_certificate_key /var/www/clients/client1/web7/ssl/[--DOMAIN--].key;
server_name [--DOMAIN--] ;
root /var/www/[--DOMAIN--]/web;
.
.
.
# X-Robots-Tag only asks well-behaved crawlers not to index; it is not access control.
add_header X-Robots-Tag "noindex, nofollow" always;
# Fallback target of the try_files lines below: every URI is rewritten to /index.php and
# "last" restarts location matching with that new URI.
location #rewriteapp {
root /var/www/[--DOMAIN--]/web/public/;
client_max_body_size 100M;
rewrite ^/(.*)$ /index.php last;
}
# No auth_basic is configured in this location.
location /admin {
alias /var/www/[--DOMAIN--]/web/public/;
client_max_body_size 100M;
index index.php;
http2_push_preload on;
rewrite ^/(.+)\.php/(.*)$ /$1.php last;
# When $uri is not a file on disk the request is handed to the named location, which
# rewrites it to /index.php. That URI no longer starts with /admin, so it is matched by
# "location /" and its nested PHP location, where auth_basic applies. This is why the
# password prompt appears for /admin requests, and why "auth_basic off" placed here has
# no effect on them.
try_files $uri #rewriteapp;
location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
.
.
.
http2_push_preload on;
}
}
location / {
alias /var/www/[--DOMAIN--]/web/public/;
client_max_body_size 100M;
index index.php;
http2_push_preload on;
rewrite ^/(.+)\.php/(.*)$ /$1.php last;
try_files $uri #rewriteapp;
.
.
.
# auth_basic set at this level is inherited by the nested "location ~ \.php$" below.
auth_basic "DEV";
# NOTE(review): the password file sits in a directory named "public". If any vhost serves
# that directory, the hashed credentials can be downloaded; keep the file outside every
# document root. The path also says web6 while the certificates are under web7 - confirm
# this is the intended file.
auth_basic_user_file /var/www/clients/client1/web6/web/public/.htpasswd;
location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
.
.
.
http2_push_preload on;
}
}
}
I also tried with auth_basic off in the "/admin" location.
auth_basic off;
allow all;

Try this:
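server {
    # The decision is taken from $request_uri, which holds the URI exactly as the client
    # sent it (path plus query string) and is not changed by internal rewrites such as
    # the one to /index.php.
    # Only requests handled by this location are challenged; anything served from other
    # locations (for example static files) is not covered by this snippet.
    location ~ \.php$ {
        set $auth "Restricted";
        # Anchor both patterns at the start of the URI. Because $request_uri includes the
        # query string, an unanchored pattern would also switch authentication off for
        # any URL that merely contains "/api/" or "/admin" somewhere after the path.
        if ($request_uri ~ "^/api/") {
            set $auth "off";
        }
        # Match /admin itself, /admin/... and /admin?..., but not other paths that only
        # share the prefix.
        if ($request_uri ~ "^/admin(/|\?|$)") {
            set $auth "off";
        }
        # auth_basic accepts a variable; the special value "off" disables the challenge.
        auth_basic $auth;
        # Keep the password file outside every directory that nginx serves.
        auth_basic_user_file /www/htdocs/shopware/.htpasswd;
    }
}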

Related

Nginx ERR_TOO_MANY_REDIRECTS Wordpress Multisite Issue

Having an issue on wordpress multisite setup with nginx, it is redirecting over and over again with the same https/url on subfolder, but main site is working. Can someone please help me? This is my configuration. Thanks in advance.
Take note: Server is EC2 instance under Application Load Balancer and Cloudfront
server {
server_name _;
listen 80 reuseport;
root /var/www/html;
index index.php;
set $upstream_endpoint ${FPM_SERVER};
set $proxy_https '';
set $csp '';
if ($http_cloudfront_forwarded_proto = 'https') {
set $proxy_https 'on';
}
if ($http_x_forwarded_proto = 'https') {
set $proxy_https 'on';
}
if ($scheme = 'https') {
set $proxy_https 'on';
}
if ($proxy_https = 'on'){
set $csp 'upgrade-insecure-requests;';
}
add_header Content-Security-Policy $csp;
location = /favicon.ico {
allow all;
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location / {
# try to serve file directly, fallback to index.php
# try_files $uri $uri/ /index.php$args;
try_files $uri $uri/ /index.php?q=$uri&$args;
proxy_set_header Host $host;
}
### ADDED CONFIG
###
# rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
location /blogs {
try_files $uri $uri/ /blogs/index.php?q=$uri&$args;
}
location /faq {
try_files $uri $uri/ /faq/index.php?q=$uri&$args;
}
rewrite ^/files/(.+) /wp-includes/ms-files.php?file=$1 last;
location ^~ /files/ {
rewrite ^.*/files/(.+)$ /wp-includes/ms-files.php?file=$1 last;
}
# Rewrite multisite '.../wp-.*' and '.../*.php'.
if (!-e $request_filename) {
# NOTE(review): $scheme is the scheme nginx itself saw on this listener (only port 80 is
# configured above), not the scheme the visitor used. Behind a TLS-terminating load
# balancer/CDN this redirect presumably points at http://..., which is a likely source
# of the redirect loop; the $proxy_https value computed earlier is not consulted here.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
# "break" stops rewrite-module processing, so the rewrite on the next line is never evaluated.
break;
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# HTTPS is derived from request headers (see the "if" blocks earlier in this server).
# Those headers are only trustworthy if the instance cannot be reached except through
# the load balancer/CDN.
fastcgi_param HTTPS $proxy_https if_not_empty;
# NOTE(review): $proxy_add_x_forwarded_for is the client-supplied X-Forwarded-For header
# with $remote_addr appended, i.e. a comma-separated list whose leading entries the
# client controls. PHP code that uses REMOTE_ADDR for logging, rate limiting or
# allow-lists should not be fed this value. The realip module (set_real_ip_from limited
# to the proxy address ranges, plus real_ip_header) is the usual way to recover the
# client address.
fastcgi_param REMOTE_ADDR $proxy_add_x_forwarded_for;
fastcgi_pass $upstream_endpoint;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
# NOTE(review): this pattern is identical to the handler above. Regex locations are
# tried in order of appearance and the first match wins, so this block is never
# selected and does not restrict anything as written.
location ~ \.php$ {
return 404;
}
}

How to map requests from a path?

I have the following domain:
https://example.com
I want, when the following /path/ is hit:
https://example.com/path/subpath/?param1=value1&param2=value2
​
the content from this url to be served:
https://example.com/subpath/?param1=value1&param2=value2
​
without performing a redirect.
​
I have tried using an alias like this:
​
location /path/ {
alias /home/forge/example.com/current/;
}
​
where current is a symlink pointing to the latest release:
​
current -> /root/example.com/releases/timestamp/
​
But it doesn't work. it gives 404.
How can I achieve this?
The entire server block:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
server_tokens off;
root /home/forge/example.com/current;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
index index.html index.htm index.php;
charset utf-8;
location /path/ {
alias /home/forge/example.com/current/;
}
location / {
gzip_static on;
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /var/log/nginx/example.com-access.log;
error_log /var/log/nginx/example.com-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
gzip on;
}
I don't see any reason why
rewrite ^/path(/.*) $1;
didn't work as expected. But if you want to use an alias solution instead, you should take into account that regex matching locations have a greater priority than prefix ones and any request for /path/subpath/index.php would be processed by location ~ \.php { ... } rather than location /path/ { ... }. You can override this with ^~ location modifier using a second nested PHP handler:
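location ^~ /path/ {
    alias /home/forge/example.com/current/;

    # "^~" makes nginx skip all server-level regex locations for URIs under /path/.
    # That includes any dotfile deny rule defined there, so it has to be repeated here;
    # otherwise hidden files in the release directory (for example environment or VCS
    # files) become readable through the /path/ prefix.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # Nested PHP handler, needed for the same reason: the server-level
    # "location ~ \.php$" is no longer consulted for /path/...
    # NOTE(review): confirm that SCRIPT_FILENAME (set in fastcgi_params or elsewhere)
    # resolves to the aliased file for requests under /path/.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}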

User directive is not allowed

I'm creating a virtual host for the OsTicket configuration.
In the file vim /etc/nginx/sites-available/osticket.conf I'm inserting these lines:
user nginx;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
charset utf-8;
gzip on;
gzip_types text/plain application/xml text/javascript;
gzip_min_length 1000;
index index.php index.html index.htm;
# Rewrite all requests from HTTP to HTTPS
server {
listen 80;
server_name 192.168.0.24;
rewrite ^ http://192.168.0.24 permanent;
}
server {
listen 443;
server_name 192.168.0.24;
ssl on;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/cert.key;
keepalive_timeout 70;
root /var/www/osticket;
set $path_info "";
location ~ /include {
deny all;
return 403;
}
if ($request_uri ~ "^/api(/[^\?]+)") {
set $path_info $1;
}
location ~ ^/api/(?:tickets|tasks).*$ {
try_files $uri $uri/ /api/http.php?$query_string;
}
if ($request_uri ~ "^/scp/.*\.php(/[^\?]+)") {
set $path_info $1;
}
if ($request_uri ~ "^/.*\.php(/[^\?]+)") {
set $path_info $1;
}
location ~ ^/scp/ajax.php/.*$ {
try_files $uri $uri/ /scp/ajax.php?$query_string;
}
location ~ ^/ajax.php/.*$ {
try_files $uri $uri/ /ajax.php?$query_string;
}
location / {
try_files $uri $uri/ index.php;
}
location ~ \.php$ {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param PATH_INFO $path_info;
fastcgi_pass 192.168.0.24:8888;
}
}
}
And when I do service nginx restart I get the following error:
If you use the command nginx -t I get the following error:
In the nginx server logs I get the following error:
"user" directive is not allowed here in
/etc/nginx/sites-enabled/osticket.conf:1
How can I solve the problem for the nginx service to work.
All configuration files inside the sites-enabled folder are by default included within the nginx.conf configuration, which already has the http block and most of the things you are setting.
You should have only your server blocks in the osticket.conf file. Remove everything else and you should end up with something like:
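# Plain-HTTP listener: its only job is to send clients to the HTTPS server block.
server {
    listen 80;
    server_name 192.168.0.24;
    # Redirect to https:// explicitly and keep the requested URI. An http:// target
    # would point back at this same listener and never reach TLS.
    return 301 https://192.168.0.24$request_uri;
}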
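# HTTPS virtual host for osTicket.
server {
    # TLS is enabled with the "ssl" parameter of listen; the separate "ssl on;" directive
    # is deprecated and rejected by current nginx releases.
    listen 443 ssl;
    server_name 192.168.0.24;
    ssl_certificate /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    keepalive_timeout 70;
    root /var/www/osticket;

    # PATH_INFO handed to PHP; filled in by the "if" blocks below from the original URI.
    set $path_info "";

    # Blocks every URI containing "/include" (unanchored regex), which keeps the
    # application's include directory from being served directly.
    location ~ /include {
        deny all;
        return 403;
    }

    if ($request_uri ~ "^/api(/[^\?]+)") {
        set $path_info $1;
    }
    location ~ ^/api/(?:tickets|tasks).*$ {
        try_files $uri $uri/ /api/http.php?$query_string;
    }

    if ($request_uri ~ "^/scp/.*\.php(/[^\?]+)") {
        set $path_info $1;
    }
    if ($request_uri ~ "^/.*\.php(/[^\?]+)") {
        set $path_info $1;
    }

    location ~ ^/scp/ajax.php/.*$ {
        try_files $uri $uri/ /scp/ajax.php?$query_string;
    }
    location ~ ^/ajax.php/.*$ {
        try_files $uri $uri/ /ajax.php?$query_string;
    }

    location / {
        # The last try_files argument is a URI for an internal redirect and must start
        # with "/".
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param PATH_INFO $path_info;
        # NOTE(review): FastCGI is unauthenticated and unencrypted. Make sure the PHP-FPM
        # listener on this address/port is not reachable from other hosts (bind it to
        # loopback or a unix socket, or firewall it).
        fastcgi_pass 192.168.0.24:8888;
    }
}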

Wordpress permalink after migrating to Nginx

My permalinks are ~~/%category%~~/%postname%/~~.html~~.
I migrated from Apache to Nginx.
Then my config file I added in
server{
location /mydirectory/ {
try_files $uri $uri/ /mydirectory/$uri.html;
}
But my browser goes on going to the 404 page.
I tried many codes found after deleting cache but still no success.Any help will be much appreciated
Thank you
I deactivated all my plugins and was able to change my permalinks to
/%postname%/
Here is my my.site.com config (my site is in a sub directory Vie/) :
server {
listen 80;
server_name my.site.com;
location ~ /(vie|\|Vie|Vie)/(.*) {
return 301 https://my.site.com/Vie;
}
return 301 https://my.site.com/Vie$request_uri;
}
server {
listen 443 ssl;
server_name my.site.com;
root /var/www/my.site.com/html;
index index.php index.html;
ssl_certificate /etc/letsencrypt/live/krouus.company/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/krouus.company/privkey.pem;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Unless a legacy client
# really needs them, offer TLSv1.2 only, plus TLSv1.3 where the nginx/OpenSSL build
# supports it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# With server preference on, the order of the cipher list below decides what is negotiated.
ssl_prefer_server_ciphers on;
# NOTE(review): the list mixes AEAD (GCM) suites with CBC-mode suites using SHA-1/SHA-256
# MACs, and ranks a DHE suite first. Restricting it to the ECDHE/DHE GCM suites removes
# the legacy CBC options.
ssl_ciphers 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Parameters for the DHE suites above; the file should hold a group of at least 2048 bits.
ssl_dhparam /etc/nginx/dhparam.pem;
# Without the "always" flag add_header is only applied to successful and redirect
# responses, so error pages are sent without the HSTS header.
add_header Strict-Transport-Security "max-age=31536000;";
location /Vie/ {
index index.php;
try_files $uri $uri/ /Vie/index.php?$args;
}
# NOTE(review): this catch-all location has fastcgi_pass as its content handler. Any URI
# not claimed by another location that try_files resolves to an existing file is
# therefore sent to PHP-FPM, whatever its extension. Whether such a file is executed
# then depends on the PHP-FPM pool settings (security.limit_extensions), which are not
# shown. Keeping fastcgi_pass only in the "\.php$" location avoids relying on that.
location / {
try_files $uri $uri/ /Vie/index.php;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffers 4 256k;
fastcgi_buffer_size 128k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
# Generic PHP handler. It is the first regex location in this server block that matches
# URIs ending in ".php", so it takes precedence over every later regex location and over
# plain prefix locations for such URIs.
location ~ \.php$ {
# The contents of snippets/fastcgi-php.conf are not shown here.
include snippets/fastcgi-php.conf;
include fastcgi_params;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
}
location ~* commun {
deny all;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ /\.ht {
deny all;
}
location ~ (^|/)\. {
return 403;
}
location ~* \.(?:css|gif|htc|ico|js|jpe?g|png|swf)$ {
expires max;
log_not_found off;
## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;
## Set the OS file cache.
open_file_cache max=1000 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
}
location ~* \.ini$ {
deny all;
return 404;
}
error_page 404 /404.html;
location /404.html {
internal;
}
# NOTE(review): location order matters for all of the deny rules below. Regex locations
# are tried in order of appearance and the first match wins, and any matching regex
# location beats a plain prefix location. The generic "location ~ \.php$" handler is
# defined earlier in this server block, so for URIs ending in ".php" it is selected
# before the rules here are considered.

# Intended to stop script/markup files inside upload directories from being served.
# For ".php" URIs the earlier PHP handler matches first, so this rule does not block
# them. Move it above the PHP handler, or use a "^~" prefix location for the upload
# directory with its own restrictions.
location ~* /(?:uploads|files)/.*\.(html|htm|shtml|php|js|swf|py|jsp|asp|sh|cgi)$ {
deny all;
}
# Any method other than GET/POST/HEAD: 444 closes the connection without a response.
if ($request_method !~ ^(GET|POST|HEAD)$ ) {
return 444;
}
# Also placed after the PHP handler; not reached for ".php" URIs (see note at the top).
location ~* wp-includes/theme-compat/ {
deny all;
}
# Also placed after the PHP handler. The dot before "php" is unescaped and matches any
# character.
location ~* wp-includes/js/tinymce/langs/.*.php {
deny all;
}
# Prefix location: files under /wp-includes/ whose URI matches a regex location (".php",
# static asset extensions) are handled by that regex location instead of this one.
location /wp-includes/ {
internal;
}
# NOTE(review): the leading dot is unescaped, so this matches any URI that ends in one
# arbitrary character followed by pl/cgi/py/sh/lua/asp, not only those file extensions.
# "\." is presumably what was meant.
location ~* .(pl|cgi|py|sh|lua|asp)$ {
return 444;
}
# wp-config.php ends in ".php" and is therefore taken by the earlier PHP handler; the
# other names listed are covered by this rule.
location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
deny all;
}
if (!-e $request_filename) {
rewrite ^.*$ /index.php last;
}
# NOTE(review): as a plain prefix location this loses to "location ~ \.php$", so
# xmlrpc.php is still executed. "location = /xmlrpc.php" (exact match) takes priority
# over regex locations. The site is described as living under /Vie/, so the path that
# needs blocking is presumably /Vie/xmlrpc.php - confirm.
location /xmlrpc.php {
deny all;
}
}
Try this instead. I was facing the same problem, so I hope it works for you too.
location /mydirectory{
try_files $uri $uri/ /mydirectory/index.php;
}
Well, in fact I solved my problem. I read my configuration carefully and removed
if (!-e $request_filename) {
rewrite ^.*$ /index.php last;
}
And now my Wordpress works.
Cheerio!

Nginx configuration for a wordpress blog in a subfolder of magento root

I have installed a Magento extension to have a wordpress blog integrated with Magento.
Basically, the WP is in a subdirectory of the Magento root. I want to create multiple sites with subdirectories but I can't make it work due to the nginx configuration.
Wordpress is in his /wp subdirectory (http://example.com/wp/wp-admin/) and the others sites are accessible from http://example.com/wp/ca/wp-admin/ and http://example.com/wp/en/wp-admin/
Here is whats I got so far :
server
{
server_name dev.example.com;
access_log /var/log/nginx/example.access.log;-
error_log /var/log/nginx/example.error.log;
root /var/www/example;
location ^~ /wp {
index index.php index.html index.htm;
try_files $uri $uri/ /wp/index.php?q=$uri&$args;
# Multisite
if (!-e $request_filename) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^/wp(/[^/]+)?(/wp-.*) /wp$2 last;
rewrite ^/wp(/[^/]+)?(/.*\.php)$ /wp$2 last;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
set $mage_developer true;
set $mage_code es;
set $mage_type store;
include snippets.d/magento-site;-
}
and in snippets.d/magento-site :
# Serve static pages directly,
# otherwise pass the URI to Magento's front handler
location / {
index index.php;
try_files $uri $uri/ #handler;
expires 30d;-
}
# Disable .htaccess and other hidden files
# NOTE(review): "/." is a plain prefix, so it only matches URIs that begin with "/.",
# i.e. hidden files directly under the document root. Hidden files in subdirectories
# are not covered unless another location denies that path; a regex location such as
# "location ~ /\." covers every level.
location /. {
return 404;
}
# Allow admins only to view export folder
# autoindex lists the directory contents to anyone who passes the Basic auth challenge.
# NOTE(review): the including server block shows no TLS listener, so the Basic
# credentials for this location presumably travel unencrypted - confirm. The relative
# path "htpasswd" is resolved against the nginx configuration directory.
location /var/export/ {
auth_basic "Restricted";
auth_basic_user_file htpasswd;
autoindex on;
}
# These locations would be hidden by .htaccess normally
location /app/ { deny all; }
location /includes/ { deny all; }
location /lib/ { deny all; }
location /media/downloadable/ { deny all; }
location /pkginfo/ { deny all; }
location /report/config.xml { deny all; }
location /var/ { deny all; }
# Magento uses a common front handler
location #handler {
rewrite / /index.php;
}
# Forward paths like /js/index.php/x.js to relevant handler
location ~ .php/ {
rewrite ^(.*.php)/ $1 last;
}
# Execute PHP scripts
location ~ .php$ {
# Catch 404s that try_files miss
if (!-e $request_filename) { rewrite / /index.php last; }
expires off;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param MAGE_RUN_CODE $mage_code;
fastcgi_param MAGE_RUN_TYPE $mage_type;
fastcgi_ignore_client_abort on;
fastcgi_read_timeout 900s; # 15 minutes
}
Thanks for your help.
Wanted to pass along a full conf file for anyone who needs to configure this. Please keep in mind that many file paths are unique to your server configuration.
Please note, you'll need to adjust the following parameters based on file paths on your server:
server_name domain.com www.domain.com;
ssl_certificate /sslpath/domain.com.crt;
ssl_certificate_key /sslpath/domain.com.key;
root /webrootpath/domain.com;
rewrite ^/blogpath(.*) /blogpath/index.php?q=$1;
location ^~ /blogpath {
error_log /data/log/nginx/domain.com_error.log;
access_log /data/log/nginx/domain.com_access.log;
Here is the full nginx conf file:
server {
listen 80;
server_name domain.com www.domain.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443;
server_name domain.com www.domain.com;
ssl on;
ssl_certificate /sslpath/domain.com.crt;
ssl_certificate_key /sslpath/domain.com.key;
ssl_session_timeout 30m;
root /webrootpath/domain.com;
index index.php;
location / {
index index.html index.php;
try_files $uri $uri/ #handler;
expires 30d;
}
location #wp {
rewrite ^/blogpath(.*) /blogpath/index.php?q=$1;
}
location ^~ /blogpath {
root /webrootpath/domain.com;
index index.php index.html index.htm;
try_files $uri $uri/ #wp;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location ~ ^/(app|includes|lib|media/downloadable|pkginfo|report/config.xml|var)/ { internal; }
location /var/export/ { internal; }
location /. { return 404; }
location #handler { rewrite / /index.php; }
location ~* .php/ { rewrite ^(.*.php)/ $1 last; }
location ~* .php$ {
if (!-e $request_filename) { rewrite / /index.php last; }
expires off;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param MAGE_RUN_CODE default;
fastcgi_param MAGE_RUN_TYPE store;
include fastcgi_params;
}
error_log /data/log/nginx/domain.com_error.log;
access_log /data/log/nginx/domain.com_access.log;
}
Well, in the end, it works passing all request to the blog to Apache and creating the site in the virtual hosts corresponding.
location ~ ^/blog {
proxy_pass http://apache:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 6000s;
}
If someone succeed to make it work with Nginx only, I'm looking forward to his answer :)
Why run Apache? Doesn't make sense to run 2 webservers.
Try adding this to your nginx conf.
location #wp {
rewrite ^/wp(.*) /wp/index.php?q=$1;
}
location ^~ /wp {
root /var/www/example;
index index.php index.html index.htm;
try_files $uri $uri/ #wp;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
