Awstats authentication #2
Comments
|
How do you know this commit is causing this issue? The only thing the commit does is not doing the authentication step for nginx internal redirects. Your PHP script (which is super insecure and allows anyone to execute any command on your server) has nothing to do with internal nginx redirects so I think it's highly unlikely this commit breaks it. |
|
Dear Erik, Thank you for you reply. I know it because if I use a nginx-http-auth-digest version before this commit then it works. Also if I use the latest version and remove this commit code then it works too. On this vhost I have also this: Maybe this cause the issue? But without the rewrite Awstats will not work. PHP runs with php-fpm with separate user per hosting account. And this PHP script is allowed to run only for awstats path. |
|
If I change it to redirect then it works: Do you think there is a reason to omit authentication for rewrites? |
|
So if I understand correctly you only have the authentication setup on the Then this would all make sense as the first request doesn't check for any authentication and the rewrite does an internal redirect which makes nginx-http-auth-digest ignore it. Using an actual HTTP redirect would make the browser do a new request for the url with authentication which makes that work. |
Awstats is a perl script called from this cgi-bin.php file:
http://pastebin.com/raw.php?i=EPpRmpYT
The commit "omit the access check only when the internal request" breaks Awstats authentication and makes it to not ask for a user/pass.
Can you please remove this commit?
The text was updated successfully, but these errors were encountered: