I have a project written using Symfony2 framework and running on Nginx server.
The goal is to protect it with auth_basic.
What I did in nginx config file:
location ~ \.php(/|$) {
auth_basic 'RESTRICTED ACCESS';
auth_basic_user_file /var/www/my.passwd;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
But there, when I try to access the page and i fill in the username and password, It asks me the same again and again.
I have some redirects on the page:
server {
listen 80;
server_name example.com;
rewrite ^ http://www.example.com$uri permanent;
}
server {
listen 80;
listen 443 default_server ssl;
ssl_certificate ssl2013/myssl.crt;
ssl_certificate_key ssl2013/myssl.key;
keepalive_timeout 70;
set $asset_dir /var/www/example.com/web/bundles/mdpimain;
server_name www.example.com;
root /var/www/example.com/web;
# strip app.php/ prefix if it is present
rewrite ^/app\.php/?(.*)$ /$1 permanent;
# rewrite home
rewrite ^/home/? / permanent;
# remove trailing slash
rewrite ^/(.*)/$ /$1 permanent;
# remove index.php
rewrite ^[/](.*)/index\.php$ /$1 permanent;
# sitemap redirection
rewrite ^/sitemap_(.*)$ /sitemap/$1 last;
location / {
index app.php;
if (-f $request_filename) {
break;
}
rewrite ^(.*)$ /app.php/$1 last;
}
EDIT1.
Another detail: the password and user I am using are ok because no logs in the nginx error.log, so there is a redirect problem.
Try checking the $remote_user, if empty, return 403.
EDIT This works for me.
server {
listen 80;
server_name www.example.com;
auth_basic 'RESTRICTED ACCESS';
auth_basic_user_file /var/web/my.passwd;
set $ok "no";
if ($remote_user ~ ^$) { break; }
if ($remote_user != '') { set $ok "yes"; }
if ($ok != "yes") {
return 403;
}
# Path for static files
root /var/web/public_html;
location / {
# try to serve file directly, fallback to app.php
try_files $uri /app_dev.php$is_args$args;
}
location ~ ^/(app|app_dev|config)\.php(/|$) {
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
}
Related
I'm having a main domain example.com and an example.com/admin/. This admin domain has a different document root and will render the admin interface. The problem currently is that the file is server plain-text by nginx. So I can basically see the index.php file. I'm trying to figure it out, but no success yet.
This is my nginx config:
server {
listen 127.0.0.1:8080;
server_name www.example.me;
rewrite ^(.*) http://example.me$1 permanent;
}
server {
listen 127.0.0.1:8080;
server_name example.me;
root /var/www/example.me/laravel/example/public/;
index index.html index.htm index.php;
error_log /var/log/nginx/example.me.error.log error;
access_log /var/log/nginx/example.me.access.log;
port_in_redirect off;
merge_slashes on;
client_max_body_size 20M;
error_page 404 =301 http://example.me;
location / {
#Don't use slash at end
rewrite ^/(.*)/$ /$1 permanent;
# add rewrite rule here:
# block access to /index.(php|htm|html)
if ($request_uri ~ "/index.(php|html?)") {
rewrite ^ /$1 permanent;
}
if (!-e $request_filename) {
rewrite ^.*$ /index.php last;
}
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location ^~ /admin {
root /var/www/example.me/zend/public/;
index index.php;
try_files /index.php$is_args$args $uri;
auth_basic "example Admin";
auth_basic_user_file /var/www/example.me/zend/public/.htpasswd;
rewrite_log on;
access_log /var/log/nginx/adminexample.access.log;
error_log /var/log/nginx/adminexample.error.log notice;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
#fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param SCRIPT_FILENAME /var/www/example.me/zend/public$fastcgi_script_name;
}
}
}
So, I want to secure only the login and admin part of my website. The problem is that the admin uses some common static files that are used on the general site as well. This means that when I am in the admin those files should be served over https while when I am on the general site they should be served as http.
How can I configure nginx to behave this way?
The configuration I use so far is bellow:
server {
listen 80;
server_name site.com www.site.com;
root /home/site_folder/web;
index index.php;
location ~ /(get-involved|contribute|api) {
return 301 https://$server_name$request_uri;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME /home/site_folder/web/index.php;
}
location / {
root /home/site_folder/web;
if (-f $request_filename) {
expires max;
break;
}
try_files $uri $uri/index.php;
rewrite ^(.*) /index.php last;
}
}
server {
listen 443 ssl;
ssl_certificate path_to_ssl.crt;
ssl_certificate_key path_to_key.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name site.com www.site.com;
root /home/site_folder/web;
index index.php;
location ~ /(get-involved|contribute|api) {
root /home/site_folder/web;
if (-f $request_filename) {
expires max;
break;
}
try_files $uri $uri/index.php;
rewrite ^(.*) /index.php last;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME /home/site_folder/web/index.php;
}
location / {
return 301 http://$server_name$request_uri;
}
}
I have installed a Magento extension to have a wordpress blog integrated with Magento.
Basically, the WP is in a subdirectory of the Magento root. I want to create multiple sites with subdirectories but I can't make it work due to the nginx configuration.
Wordpress is in his /wp subdirectory (http://example.com/wp/wp-admin/) and the others sites are accessible from http://example.com/wp/ca/wp-admin/ and http://example.com/wp/en/wp-admin/
Here is whats I got so far :
server
{
server_name dev.example.com;
access_log /var/log/nginx/example.access.log;-
error_log /var/log/nginx/example.error.log;
root /var/www/example;
location ^~ /wp {
index index.php index.html index.htm;
try_files $uri $uri/ /wp/index.php?q=$uri&$args;
# Multisite
if (!-e $request_filename) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^/wp(/[^/]+)?(/wp-.*) /wp$2 last;
rewrite ^/wp(/[^/]+)?(/.*\.php)$ /wp$2 last;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
set $mage_developer true;
set $mage_code es;
set $mage_type store;
include snippets.d/magento-site;-
}
and in snippets.d/magento-site :
# Serve static pages directly,
# otherwise pass the URI to Magento's front handler
location / {
index index.php;
try_files $uri $uri/ #handler;
expires 30d;-
}
# Disable .htaccess and other hidden files
location /. {
return 404;
}
# Allow admins only to view export folder
location /var/export/ {
auth_basic "Restricted";
auth_basic_user_file htpasswd;
autoindex on;
}
# These locations would be hidden by .htaccess normally
location /app/ { deny all; }
location /includes/ { deny all; }
location /lib/ { deny all; }
location /media/downloadable/ { deny all; }
location /pkginfo/ { deny all; }
location /report/config.xml { deny all; }
location /var/ { deny all; }
# Magento uses a common front handler
location #handler {
rewrite / /index.php;
}
# Forward paths like /js/index.php/x.js to relevant handler
location ~ .php/ {
rewrite ^(.*.php)/ $1 last;
}
# Execute PHP scripts
location ~ .php$ {
# Catch 404s that try_files miss
if (!-e $request_filename) { rewrite / /index.php last; }
expires off;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param MAGE_RUN_CODE $mage_code;
fastcgi_param MAGE_RUN_TYPE $mage_type;
fastcgi_ignore_client_abort on;
fastcgi_read_timeout 900s; # 15 minutes
}
Thanks for your help.
Wanted to pass along a full conf file for anyone who needs to configure this. Please keep in mind, many file paths are unique your your server configuration.
Please note, you'll need to adjust the following parameters based on file paths on your server:
server_name domain.com www.domain.com;
ssl_certificate /sslpath/domain.com.crt;
ssl_certificate_key /sslpath/domain.com.key;
root /webrootpath/domain.com;
rewrite ^/blogpath(.*) /blogpath/index.php?q=$1;
location ^~ /blogpath {
error_log /data/log/nginx/domain.com_error.log;
access_log /data/log/nginx/domain.com_access.log;
Here is the full nginx conf file:
server {
listen 80;
server_name domain.com www.domain.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443;
server_name domain.com www.domain.com;
ssl on;
ssl_certificate /sslpath/domain.com.crt;
ssl_certificate_key /sslpath/domain.com.key;
ssl_session_timeout 30m;
root /webrootpath/domain.com;
index index.php;
location / {
index index.html index.php;
try_files $uri $uri/ #handler;
expires 30d;
}
location #wp {
rewrite ^/blogpath(.*) /blogpath/index.php?q=$1;
}
location ^~ /blogpath {
root /webrootpath/domain.com;
index index.php index.html index.htm;
try_files $uri $uri/ #wp;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location ~ ^/(app|includes|lib|media/downloadable|pkginfo|report/config.xml|var)/ { internal; }
location /var/export/ { internal; }
location /. { return 404; }
location #handler { rewrite / /index.php; }
location ~* .php/ { rewrite ^(.*.php)/ $1 last; }
location ~* .php$ {
if (!-e $request_filename) { rewrite / /index.php last; }
expires off;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param MAGE_RUN_CODE default;
fastcgi_param MAGE_RUN_TYPE store;
include fastcgi_params;
}
error_log /data/log/nginx/domain.com_error.log;
access_log /data/log/nginx/domain.com_access.log;
}
Well, in the end, it works passing all request to the blog to Apache and creating the site in the virtual hosts corresponding.
location ~ ^/blog {
proxy_pass http://apache:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 6000s;
}
If someone succeed to make it work with Nginx only, I'm looking forward to his answer :)
Why run Apache? Doesn't make sense to run 2 webservers.
Try adding this to your nginx conf.
location #wp {
rewrite ^/wp(.*) /wp/index.php?q=$1;
}
location ^~ /wp {
root /var/www/example;
index index.php index.html index.htm;
try_files $uri $uri/ #wp;
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
I'm having an hard time trying to add some security to a site,
Basically I wish that what's under a directory must:
1) be redirected to https if http
2) be under HttpAuthBasicModule
for some reasons I can get the auth to work, but it's not redirecting to https for certain urls, such as /index.php, but it does for some other files:
/revive/www/admin/assets/images/login-welcome.gif works
/revive/www/admin/index.php remains under port 80
this is the relevant part of my nginx config file
location ^~ /revive/www/admin {
if ($server_port = 80) {
rewrite ^ https://$host$request_uri permanent;
}
auth_basic "Restricted";
auth_basic_user_file htpasswd_revive;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9001;
fastcgi_param PHP_VALUE "newrelic.appname=revive.host.com";
fastcgi_index index.php;
include fastcgi_params;
}
}
How could I make sure that everything under /revive/www/admin is redirected to port 443 if it's called on port 80? any help would be greatly appreciated!
put your server rules only with "listen 443" and add the following rule bellow:
server {
listen 80;
server_name mysite.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
turns out it seems to be working if I do this:
location ^~ /revive/www/admin {
if ($server_port = 80) {
rewrite ^ https://$host$request_uri permanent;
}
auth_basic "Restricted";
auth_basic_user_file htpasswd_revive;
location ~ \.php$ {
if ($server_port = 80) {
rewrite ^ https://$host$request_uri permanent;
}
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9001;
fastcgi_param PHP_VALUE "newrelic.appname=revive.host.com";
fastcgi_index index.php;
include fastcgi_params;
}
}
I am trying to redirect all http traffic to https. Below is my config. The traffic redirects but it adds 443 to the route which causes my app to fail.
http://mysite.com/login
Becomes
https://mysite.com:443/login
Here is my nginx config file:
server {
listen 80;
server_name mysite.com www.mysite.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/mysite.com.crt;
ssl_certificate_key /etc/ssl/server.key;
server_name mysite.com www.mysite.com;
root /var/www/html/mysite/public/;
client_max_body_size 150M;
location /
{
index index.php index.html index.htm;
}
# Enforce No WWW - I put this in an include:
# include /etc/nginx/includes/enforce_non_www;
if ($host ~* ^www\.(.*))
{
set $host_without_www $1;
rewrite ^/(.*)$ $scheme://$host_without_www/$1 permanent;
}
# Check if file exists
if (!-e $request_filename)
{
rewrite ^/(.*)$ /index.php?/$1 last;
break;
}
# catch all
error_page 404 /index.php;
# The PHP Inclusion Block
# include /etc/nginx/includes/php;
location ~ \..*/.*\.php$
{
# I'm pretty sure this stops people trying to traverse your site to get to other PHP files
return 403;
}
location ~ \.php(.*)$
{
# Pass the PHP files to PHP FastCGI for processing
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# Deny Any Access to .htaccess Files That May Be Present (not usually in issue in Laravel)
# include /etc/nginx/includes/deny_htaccess;
location ~ /\.ht
{
deny all;
}
}