我添加了一个作为“cgi-bin”的 PHP 脚本,
配置:
location ~^/cgi-bin/.*\.(cgi|pl|py|rb) {
gzip off;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index cgi-bin.php;
fastcgi_param SCRIPT_FILENAME /etc/nginx/cgi-bin.php;
fastcgi_param SCRIPT_NAME /cgi-bin/cgi-bin.php;
fastcgi_param X_SCRIPT_FILENAME /usr/lib/$fastcgi_script_name;
fastcgi_param X_SCRIPT_NAME $fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param REMOTE_USER $remote_user;
}
PHP 脚本:
<?php
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a file to write to
);
$newenv = $_SERVER;
$newenv["SCRIPT_FILENAME"] = $_SERVER["X_SCRIPT_FILENAME"];
$newenv["SCRIPT_NAME"] = $_SERVER["X_SCRIPT_NAME"];
if (is_executable($_SERVER["X_SCRIPT_FILENAME"])) {
$process = proc_open($_SERVER["X_SCRIPT_FILENAME"], $descriptorspec, $pipes, NULL, $newenv);
if (is_resource($process)) {
fclose($pipes[0]);
$head = fgets($pipes[1]);
while (strcmp($head, "\n")) {
header($head);
$head = fgets($pipes[1]);
}
fpassthru($pipes[1]);
fclose($pipes[1]);
fclose($pipes[2]);
$return_value = proc_close($process);
}
else {
header("Status: 500 Internal Server Error");
echo("Internal Server Error");
}
}
else {
header("Status: 404 Page Not Found");
echo("Page Not Found");
}
?>
问题在于我无法添加基本身份验证。
一旦我启用它,location ~/cgi-bin当我尝试查找它时,它会给我一个 404 错误。
我该如何解决这个问题?
我考虑过将访问限制在我的第二台服务器上,然后在那里通过代理添加基本身份验证,但一定有一个更简单的解决方案。
抱歉,标题不好,我想不出更好的了。
编辑:我的解决方案,感谢WerkkreWs 答案,最后看起来像这样:
cgi-bin.conf:
location ~^/.*\.(cgi|pl|p<|rb) {
[...]
}
虚拟主机.conf:
server {
[...]
location ~^/cgi-bin {
auth_basic "Restricted";
auth_basic_user_file htusers;
include cgi-bin.conf;
}
[...]
}
这可能是不安全的,因为 cgi-bin.conf 可能会被意外包含在服务器标签中(从而使每个客户端能够在每个位置执行脚本),但由于我只使用一次,所以我将坚持使用这个解决方案。
答案1
我相信你的问题可能已经得到解答这里但我会尝试描述我认为的问题所在。
首先,顺便说一下,您应该考虑将所有 fastcgi 参数放在 nginx 可访问的配置文件中以方便使用(例如 /etc/nginx/conf.d/fastcgi_params)。
其次,根据您如何设置 auth 与 php 部分的位置块,您可能需要指示 nginx 如何在受保护的位置第二次处理 php 文件,或者确保 auth_basic 指令与您上面粘贴的位置块位于同一位置块中,例如(取自前面提到的帖子):
server {
listen 80;
server_name my-awesome-php.site;
root /path/to/root;
# Normal files (blank location is OK, just means serve from root)
location / { }
# PHP for normal stuff
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass 127.0.0.1:9000;
}
# The protected location
location /protected {
auth_basic "Give me codes.";
auth_basic_user_file /path/to/.htpasswd;
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass 127.0.0.1:9000;
}
}
}
在我个人安装的 nginx 中,我使用的是 php-fpm,而且我的 php 脚本不限于 cgi-bin,因此我的配置完全不同,但它可能会为您提供一些额外的见解。我的基本身份验证工作正常,我想您也期望如此,尽管在下面的示例中,整个 vhost 都在基本身份验证之下,而不仅仅是一个文件夹:
fastcgi_params
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
基于服务器/主机的身份验证示例(删除了不相关的部分)
server {
server_name dev.foo.com;
error_log /app/www/dev.foo.com/logs/error.log error;
root /app/www/dev.foo.com/htdocs;
index index.php index.html;
auth_basic "Secret Files";
auth_basic_user_file /app/www/dev.foo.com/conf/htpasswd;
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/foo.com.sock;
}
location ~ /\.ht {
deny all;
}
}
基于位置的身份验证示例(删除了不相关的部分)
server {
server_name foo.com;
error_log /app/www/foo.com/logs/error.log error;
root /app/www/foo.com/htdocs;
index index.php index.html;
location /protected {
auth_basic "Secret Files";
auth_basic_user_file /app/www/foo.com/conf/htpasswd;
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/foo.com.sock;
}
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/foo.com.sock;
}
location ~ /\.ht {
deny all;
}
}