Protect /analytics on Nginx with basic authentication, but allow access to .php and .js files?

addis_a · February 11, 2015, 5:46pm

Hey folks, Nginx noob here. I also posted here with no luck yet:

I have Piwik setup and running on a Nginx webserver that I protected
with
HTTP basic authentication, as seen below.

location /analytics {
alias /var/www/piwik/;
auth_basic “Restricted”;
auth_basic_user_file /etc/nginx/pass;
try_files $uri $uri/ /index.php;
}

location ~ ^/analytics(.+.php)$ {
alias /var/www/piwik$1;
fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

I have it protected, but it’s prompting to login on every page, due to
the
piwik.php and piwik.js files (necessary for analytics) being in my
protected
directory. This is described on Piwik’s website, below.

“If you use HTTP Authentication (Basic or Digest) on your Piwik files,
you
should exclude piwik.php and piwik.js from this authentication, or
visitors
on your website would be prompted with the authentication popup.”

My question is: what kind of Nginx rule can I use to protect all files
in
that directory, besides those two? Is it possible to do a negative regex
match on a location block?

Any help would be appreciated!

Posted at Nginx Forum:

lmm5247 · February 11, 2015, 9:22pm

On Wed, Feb 11, 2015 at 11:45:46AM -0500, lmm5247 wrote:

Hi there,

I have Piwik setup and running on a Nginx webserver that I protected with
HTTP basic authentication, as seen below.

location /analytics {
alias /var/www/piwik/;
auth_basic “Restricted”;
auth_basic_user_file /etc/nginx/pass;
try_files $uri $uri/ /index.php;
}

I have it protected, but it’s prompting to login on every page, due to the
piwik.php and piwik.js files (necessary for analytics) being in my protected
directory. This is described on Piwik’s website, below.

What actual requests are made that are challenged for
authentication? Check your access_log for http 401.

At a guess, it is just /analytics/piwik.js that you care about here.

So: add

location = /analytics/piwik.js {auth_basic off;}

inside your “location /analytics {}” block.

(This will try to serve the file “/var/www/piwik//piwik.js”, given the
above configuration.)

My question is: what kind of Nginx rule can I use to protect all files in
that directory, besides those two? Is it possible to do a negative regex
match on a location block?

It is usually simpler to use positive matching. The nginx “location”
rules usually let it be possible.

f

Francis D. [email protected]

lmm5247 · February 12, 2015, 10:12pm

(This will try to serve the file “/var/www/piwik//piwik.js”, given the
above configuration.)

Wow. I feel so dumb. That worked perfectly! Below is the config I’m
using to
turn off authentication for piwik.js as well as .php files.

location /analytics {
alias /var/www/piwik/;
auth_basic “Restricted”;
auth_basic_user_file /etc/nginx/pass;
try_files $uri $uri/ /index.php;
location = /analytics/piwik.js{
auth_basic off;
}
location ~* ^/analytics(.+.php)$ {
auth_basic off;
fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
include fastcgi_params;
}
}

Thank you!!!

Posted at Nginx Forum: