Nginx Password Protect Directory Downloads Source Code

Posted by Pamela on Server Fault See other posts from Server Fault or by Pamela
Published on 2014-08-20T03:00:46Z Indexed on 2014/08/20 4:23 UTC
Read the original article Hit count: 513

I'm trying to password protect a WordPress login page on my Nginx server. When I navigate to http://www.example.com/wp-login.php, this brings up the "Authentication Required" prompt (not the WordPress login page) for a username and password. However, when I input the correct credentials, it downloads the PHP source code (wp-login.php) instead of showing the WordPress login page.

Permission for my htpasswd file is set to 644.

Here are the directives in question within the server block of my website's configuration file:

location ^~ /wp-login.php {
auth_basic            "Restricted Area";
auth_basic_user_file  htpasswd;
}

Alternately, here are the entire contents of my configuration file (including the above four lines):

server {
    listen *:80;


    server_name domain.com www.domain.com;

    root   /var/www/domain.com/web;

    index index.html index.htm index.php index.cgi index.pl index.xhtml;

    error_log /var/log/ispconfig/httpd/domain.com/error.log;
    access_log /var/log/ispconfig/httpd/domain.com/access.log combine$

    location ~ /\. {
        deny all;
       access_log off;
        log_not_found off;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location /stats/ {

        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file /var/www/web/stats/.htp$
    }

    location ^~ /awstats-icon {
        alias /usr/share/awstats/icon;
    }

    location ~ \.php$ {
       try_files /b371b8bbf0b595046a2ef9ac5309a1c0.htm @php;
    }

    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/lib/php5-fpm/web11.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    location / {
    try_files $uri $uri/ /index.php?$args;
    client_max_body_size 64M;
    }

    location ^~ /wp-login.php {
    auth_basic            "Restricted Area";
    auth_basic_user_file  htpasswd;
    }


}

If it makes any difference, I'm using Ubuntu 14.04.1 LTS with Nginx 1.4.6 and ISPConfig 3.0.5.4p3.

© Server Fault or respective owner

Related posts about nginx

Related posts about security