I have this in my server config

location / {

            try_files $uri $uri/ =404;
            auth_basic  "protected site";
            auth_basic_user_file  /etc/nginx/.htpasswd;

When I call my domain or any subfolder, e.g. http://example.com/folder/ protection works fine

but when I call my domain incl. file-name, e.g. http://example.com/index.php I don’t need to enter any credentials and can just bypass authbasic.

What did I do wrong here?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

1 answer

Solved it.

auth_basic  "protected site";
auth_basic_user_file  /etc/nginx/.htpasswd;

has to be moved outside of location block and then it works for the whole site

Submit an Answer