nginx authbasic only protects folders but not individual files

April 25, 2015 638 views
Nginx LEMP Security Ubuntu

I have this in my server config

location / {

            try_files $uri $uri/ =404;
            auth_basic  "protected site";
            auth_basic_user_file  /etc/nginx/.htpasswd;
    }

When I call my domain or any subfolder, e.g. http://example.com/folder/ protection works fine

but when I call my domain incl. file-name, e.g. http://example.com/index.php I don't need to enter any credentials and can just bypass authbasic.

What did I do wrong here?

1 Answer

Solved it.

auth_basic  "protected site";
auth_basic_user_file  /etc/nginx/.htpasswd;

has to be moved outside of location block and then it works for the whole site

Have another answer? Share your knowledge.