Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#730 closed defect (invalid)

.htpasswd and direct download

Reported by: www.google.com/accounts/o8/id?id=AItOawkVk47NDSKkGLSSxfaOjfdASkWas0UyBzU Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.2.x
Keywords: htpasswd Cc:
uname -a: Linux some.host.com 2.6.32-042stab103.6 #1 SMP Wed Jan 21 13:07:39 MSK 2015 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.1 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-auth-pam --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-echo --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-upstream-fair --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-dav-ext-module

Description

Hi,

I protected a folder using "location" and auth_basic, it works well but if I try to direct download a file inside the folder, it doesn't prompt me for login & password.

Of course, I tried to direct download the file without auth'ing to the folder :P

Here is my vhost :

server {
...
     location /folder {
        auth_basic "Administrator Login";
        auth_basic_user_file /path/to/htpasswd;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
     }

...
}

Change History (2)

comment:1 Changed 5 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

Make sure you have auth_basic enabled in other locations which can be used to access files in the folder. Common error is to configure auth_basic for a location, while not protecting access to the same files via locations given by regular expressions. If in doubt, use the ^~ modifier to prevent checking regular expressions after the match, see docs for details.

comment:2 Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawkVk47NDSKkGLSSxfaOjfdASkWas0UyBzU

You were right, I had an extra location matching the file pattern.

Thanks !

Note: See TracTickets for help on using tickets.