#30392 nginx configuration maker tuning

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by toonetcreation on Monday, 29 October 2018 08:38 CDT

toonetcreation
Hi,

I'm doing some tests on my website after adding the file generated by the nginx configuration maker.

I have 2 issues:

1) When I go to https://www.mywebsite.com, the URL displayed is https://www.mywebsite.com/index.php

How do I remove the index.php at the end of the URL?

2) I can no longer access my administrator area (I have an Administrator secret URL parameter); I am always redirected to https://www.mywebsite.com/administrator/index.php


Thanks for your help
L.

tampe125
Akeeba Staff
Hello,

  1. You can easily do that inside the NginX maker: please turn on the option "Redirect index.php to the site's root".
  2. What do you mean by that? When you submit the login form you are redirected to the same login form again? If so, that's not an Admin Tools issue; it is caused by a Joomla configuration error. Please edit your configuration.php file and remove any value for the options cookie_domain and cookie_path.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

toonetcreation
Hi,

Thanks for your feedback.
My comments below:

1) I cannot see this option in my NginX maker.
Could you please send me a screenshot?

2) I mean when I type for example https://www.mywebsite.com/administrator_with_my_secret_parameters, then I am redirected to https://www.mywebsite.com/administrator/index.php

I have checked Cookie Domain and Cookie Path and they are empty.

thanks
L.

toonetcreation
I think the issue is coming from these lines:

# Allow access to the back-end index.php file
location = /administrator/index.php {
    fastcgi_pass 127.0.0.1:9000;
    break;
}

location ~* ^/administrator$ {
    return 301 /administrator/index.php;
}

location ~* ^/administrator/$ {
    return 301 /administrator/index.php;
}

# Disable access to everything else.
location ~* /administrator.*$ {
    # If it is a file, directory or symlink and I haven't deliberately
    # enabled access to it, forbid any access to it!
    if (-e $request_filename) {
        return 403;
    }
    # In any other case, just treat as a SEF URL
    try_files $uri $uri/ /administrator/index.php?$args;
}


And also, I had to comment out these lines; otherwise the website is not displayed:

# Disable access to everything else.
#location ~* ^/.*$ {
#    # If it is a file, directory or symlink and I haven't deliberately
#    # enabled access to it, forbid any access to it!
#    if (-e $request_filename) {
#        return 403;
#    }
#    # In any other case, just treat as a SEF URL
#    try_files $uri $uri/ /index.php?$args;
#}

toonetcreation
For point 1) (when I go to https://www.mywebsite.com, the URL displayed is https://www.mywebsite.com/index.php), it works fine when I comment out these lines:

# Allow access to /
#location ~* ^/$ {
#    return 301 /index.php;
#}

But I still have the issue for point 2).

nicholas
Akeeba Staff
Manager
You MUST give the correct block of commands which tell NginX to treat a file as a PHP script in the "fastcgi_pass code block setting (read the documentation)" option. These are different on every server, that's why this is a configurable block. You seem to be using the default and I'm not sure it works in your case.

Regarding your comments.

1. Yes, such an option does not exist. This feature only exists in .htaccess Maker. Davide was mistaken. You cannot really fix that in NginX without causing some servers to stop serving the site. Remember that NginX Conf Maker creates a configuration which has to be customized for each server because of how NginX works.

2. You are actually using the wrong URL.
  • https://www.example.com/administrator/?secret -- THIS IS WRONG
  • https://www.example.com/administrator?secret -- THIS IS WRONG
  • https://www.example.com/administrator/index.php?secret -- THIS IS THE RIGHT WAY TO DO IT

This is also documented. Remember that your site's backend is not a magical place that appears on the back of a unicorn. It is displayed when your web server executes the index.php file inside your site's administrator. Same goes for the frontend of the site. It's the index.php file in the site's root.

If you want to protect the backend and frontend of your site from arbitrary file access you need to whitelist the index.php files which are executed. The way Joomla! SEF and NginX work you must include the index.php file when accessing the root and /administrator of your site, otherwise the block rules take precedence. Any other SEF URL is, in fact, access to a non-existent file or folder which is being magically handled by the index.php file. This trick cannot be applied to an existing folder such as your site's root or administrator.

What you did is wrong. You removed the frontend and backend protection completely, completely beating the purpose of using the NginX Conf Maker. You might just as well not use it at all in this case.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

nicholas
Akeeba Staff
Manager
In case I was not clear: what you want to do cannot be done. What must be done:

- Do not modify the generated code. By doing so you undo the protection, making it pointless.
- Do use index.php for accessing both the public site and administrator

If you do not want to use index.php you cannot have the frontend or backend protection which means that there's no point using the NginX Conf Maker.


toonetcreation
Hello Nicholas,

Many thanks for all these details.
My fault I have


1) So, contrary to the Apache configuration, where the website URL is https://www.example.com, with Nginx the URL is always like https://www.example.com/index.php, correct?

2) OK, about the admin URL this is my fault (I missed the right section of the documentation); I see now the correct link is https://www.example.com/administrator/index.php?secret

3) Is it normal that the Referrer Policy Header setting is not displayed in the Optimisation and utility section?

4) On my websites I'm not using the fastcgi_pass 127.0.0.1:9000; directive, I'm using a unix socket.
So for the "fastcgi_pass code block setting (read the documentation)" setting, I have added this:

try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;

Is this fine for you?
Because when I test my admin page with this link https://www.example.com/administrator/index.php?secret I get a blank page.
For info, for this test I have not modified the code generated by the nginx maker.

nicholas
Akeeba Staff
Manager
Thank you for your JED review! We are humbled by the kind words. Thank you very much!

1. Yes. I have tried finding a better solution but that's the best I can come up with right now. I am adding a to-do to take a look at it when I have some more time next week. I can't promise any miracles though :)

2. OK :)

3. I think the current version has a problem with language strings missing for this feature. You should still see the drop-down but without any human readable language strings for the label and the drop-down contents. I apologise for that. Something got botched in a feature merge.

4. Yup. That does look good. I guess you use Ubuntu Server (or Debian) with the stock NginX + PHP 7.2 FPM packages :)

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
About the JED review! I think it is normal to tell the truth ;-)
Today, unfortunately, people complain about anything but never or rarely say when it works... and I think it's important to say when things are going well.
Your work is amazing, so it's important to say that ;-)

About the comments:

1) OK, no problem, this is a small detail, not so important.

2) OK

3) The same, I see what you mean, no problem.

4) Yes, I'm using the latest Debian release with the FPM packages. But it is very weird, because I get a blank page when I go to my admin area with this link https://www.example.com/administrator/index.php?secret

I have loaded the nginx maker code into a specific file in my nginx conf (see in red below).
Did I make a mistake?

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://www.$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com example.com;
    root /var/www/example.com;
    index index.html index.htm index.php;

    access_log /var/log/nginx/example.access_log;
    error_log /var/log/nginx/example.error_log info;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    #location /administrator {
    #    try_files $uri $uri/ =404;
    #    auth_basic "Authentification needed";
    #    auth_basic_user_file /var/www/example.com/administrator/.htpasswd;
    #}

    include /etc/nginx/conf/example.conf;
    include /etc/nginx/conf/joomla.conf;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    include /etc/nginx/conf/ssl.conf;
}

toonetcreation
Just for info, I have read and tried this, as said in the documentation:

Tip

Some servers do not work with http://www.example.com/administrator?test due to their configuration. You may want to try using http://www.example.com/administrator/?test (add a slash right before the question mark) or http://www.example.com/administrator/index.php?test (add /index.php right before the question mark). One of them is bound to work on your server. Unfortunately, there is no way to know which ones will work on your server except for trying them out. The first one (http://www.example.com/administrator?test) works on 95% of servers and that's what we recommend trying out first.


Previously, with this website running on Apache, this link was working:

https://www.example.com/administrator?secret

Now, with the same website running on nginx, these links do not work:

- with https://www.example.com/administrator/index.php?secret => I get a blank page with the same URL

- with https://www.example.com/administrator?secret => I am redirected to https://www.example.com/administrator/index.php and I get a blank page

- with https://www.example.com/administrator/?secret => I am redirected to https://www.example.com/administrator/index.php and I get a blank page

nicholas
Akeeba Staff
Manager
I cannot reproduce this on Ubuntu Server 18.04 LTS using the stock NginX and Apache FPM. I did have to modify the "fastcgi_pass code block setting (read the documentation)" option and I did not include Joomla's stock NginX configuration (as documented in docs.joomla.org) since Admin Tools' NginX Conf Maker supersedes that.

So, please do let me comment on the two things I understand you are doing wrong.

The PHP passthrough code you added in "fastcgi_pass code block setting (read the documentation)" seems to be wrong according to the rest of your configuration file that you posted in your last reply. In short, you need to include the stuff that's inside the location ~ \.php$ block WITHOUT the opening "location ~ \.php$ {" and closing "}". In other words, in your case it is:

fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;


If you get that code wrong you will get either a blank page or a 502 gateway error. Or, if you truly screw it up, you will be downloading the raw PHP source code instead of having it executed.

IF YOU ARE NOT 100% SURE DO NOT ASK ME TO TELL YOU WHAT IS CORRECT AND WHAT IS WRONG. I HAVE NOT SET UP YOUR SERVER. I CANNOT GUESS RELIABLY HOW YOUR SERVER IS SET UP. IF THAT WAS POSSIBLE IT WOULD BE A FEATURE IN ADMIN TOOLS ITSELF. WHEN IN DOUBT ALWAYS ALWAYS ALWAYS ALWAYS ALWAYS ALWAYS ALWAYS ALWAYS ALWAYS ASK THE PERSON WHO SET UP YOUR SERVER. THEY ARE THE ONE AND ONLY PERSON IN THE ENTIRE UNIVERSE WHO CAN TELL YOU WITHIN ANY DEGREE OF ACCURACY WHAT YOU NEED TO PUT IN AN NginX location BLOCK TO HAVE A .php FILE PASS-THROUGH, i.e. EXECUTE THAT PHP FILE AS A SCRIPT AND STOP PROCESSING ANY OTHER NGINX CONFIGURATION STATEMENTS.

Sorry for the all caps, bold and red color but this is VERY important. You have already asked me twice to verify what you used. What you used LOOKS right to me BUT I have not set up YOUR server. The last thing you used is the same thing I was using in my Ubuntu 16.04 server. My Ubuntu 18.04 server, however, needed something entirely different. Again, it's absolutely important to ask the person who set up your server how your NginX installation can be coerced to run a .php file as script instead of doing something else with it. And yeah, everyone is using PHP-FPM with NginX (it's the only way, actually) but how exactly it is set up and where you have the configuration file (and their includes, if any) is 100% up to the person configuring the server. That's why I am insisting that you need to ask the person who set up your server.

Finally and very importantly, you are including the file /etc/nginx/conf/joomla.conf. I suppose that this is the file Joomla mentions in the https://docs.joomla.org/Nginx documentation page. Do not do that. This WILL break your site in the way that you describe your site is broken. Admin Tools' NginX Conf Maker supersedes Joomla's NginX configuration in the same way Admin Tools' .htaccess Maker supersedes Joomla's built-in .htaccess file. Comment out that line.

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
1) Just for me, to understand correctly, what do you mean by: "...I did not include Joomla's stock NginX configuration (as documented in docs.joomla.org) since Admin Tools' NginX Conf Maker supersedes that."

Does this mean the code below is not necessary, as you have already included it in the "fastcgi_pass code block setting (read the documentation)" option?

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}



2) There is no other person who has set up the server; I did it myself, but only for tests. This server is not a production server, of course. As I know Apache but Nginx a little bit less, I'm making some tests on another server ;-) (not for customers).

3) I have added the entire code you told me and it works fine now. The admin area is reachable here: https://www.example.com/administrator/index.php?secret
So, as I said in point 1):

Is the code below not necessary, as it's already included in the "fastcgi_pass code block setting (read the documentation)" option?

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

4) About the file /etc/nginx/conf/joomla.conf, here is its content for the moment; it was just for tests. But as you said, can I comment out this line? Or move it?

# caching of files
location ~* \.(ico|pdf|flv)$ {
    expires 1y;
}

# static files
location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
    expires 14d;
}

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

nicholas
Akeeba Staff
Manager
1. Read the very last paragraph of my previous reply.

2. Then you should be aware that what you are looking for is inside the location block for PHP files, as I explained it before the red text :)

3. DO NOT REMOVE THAT CODE. This is the catch-all for all .php files. It's required.

4. The only lines you should keep are:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;


See #1 for the explanation.

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
OK, all understood.

Last info: do you think this directive is necessary? Because it is not working at all.

location /administrator {
    try_files $uri $uri/ =404;
    auth_basic "Authentification needed";
    auth_basic_user_file /var/www/example.com/administrator/.htpasswd;
}

nicholas
Akeeba Staff
Manager
No, if you try to do that you are breaking the backend protection. You'd have to edit the generated configuration by Admin Tools to include this kind of directive.

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
OK, so the best way is to edit the configuration generated by Admin Tools to include this kind of directive, or to remove the .htpasswd password protection completely? Because with Apache it works fine :-/

toonetcreation
Also, sorry if this is a stupid question, but: what is the point of providing an htpasswd protection feature for the admin area on Apache and not for nginx?

nicholas
Akeeba Staff
Manager
Do not edit the file generated by NginX Conf Maker. Edit the host configuration file in your /etc/nginx folder. Put that code after the include line which includes the file generated by the NginX Conf Maker.

As for your other question, not to put too fine a point on it, the Administrator Password Protection is a trivial feature. We include it for the benefit of newbies and non-technical people who are too afraid to create a simple .htaccess file themselves because they find it daunting, scary or complicated. Very clearly, if you are using NginX you are way past that point. Therefore you know at least enough to do this yourself.

Moreover, Apache is more conducive to creating features for non-technical people because .htaccess files are read and parsed on every single request. You just need to know which folder to put the file in. No further modification to the server configuration is necessary.

NginX is different. There is no equivalent file. Such a feature would require you to include some code in your host configuration and then restart the server. I don't see a point of writing a feature which will create a two-liner for you, something you can find easily by searching online for "nginx password protect directory". It adds nothing to the process to make it easier on you. It's a useless feature. I don't like useless features.

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
OK, I understand your point of view.
Yes, I have not modified the file generated by the NginX maker.

For info, even if I add the code below after the include line which includes the file generated by the NginX Conf Maker, it does not work: no authentication asked.

location /administrator {
    try_files $uri $uri/ =404;
    auth_basic "Authentification needed";
    auth_basic_user_file /var/www/example.com/administrator/.htpasswd;
}

toonetcreation
Also, if I disable the file generated by the NginX Conf Maker and test again, it works fine.

nicholas
Akeeba Staff
Manager
Right. Because we already have a location /administrator in the generated code. If moving it before the include doesn't help the only thing you can do is edit the generated configuration.

NginX is designed to serve files fast, not to be configured easily :(

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
Yes, I see perfectly.

And as you said, it's better not to modify the generated configuration... so maybe it would be better not to use the .htpasswd protection?

toonetcreation
As now everything seems to be OK, I have started the tests with the file generated by the nginx maker.

And unfortunately the website is broken... so I started reading this documentation: https://www.akeebabackup.com/documentation/admin-tools/nginx-server-protection.html

And also, I did a comparison with the settings enabled in the Apache configuration, because if the website is running under Apache, there is no reason that it does not work under nginx with the same settings.

When I go to the website home page, in the Chrome console I get a lot of lines like this:

Failed to load resource: the server responded with a status of 403 (Forbidden)
marche-dominical-mauzac-04.jpg:1 Failed to load resource: the server responded with a status of 403 (Forbidden)
index.php:1212 Uncaught ReferenceError: jQuery is not defined at index.php:1212
marche-dominical-mauzac-05.jpg:1 Failed to load resource: the server responded with a status of 403 (Forbidden)

I don't understand why I get these errors, because, as the documentation says, I have added folder and file exceptions.
And these settings are exactly the same as on Apache, where it's working fine :-/
See the attached file for the settings.

Do you have an idea?

nicholas
Akeeba Staff
Manager
As I don't know the URLs being blocked, just seeing the options is not very useful. I can, however, point you to what I'd be checking.

Have you restarted NginX? The changes won't take before you do that.

Disable front-end and back-end protection. Restart NginX. Does that help? If not, you have a problem with file/folder ownership and permissions.

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
Yes, nginx has been restarted systematically after every modification.

I have tested with the Frontend protection option disabled and I have the same problem.

Here is the link: http://test2.toonetcreation.com

toonetcreation
See the attached file for the files/folders permissions...

toonetcreation
I have tested the same website on a real domain, not a subdomain like sub.domain.com, and it works fine.
See here: https://www.ljmconsulting.fr

I don't understand why.

toonetcreation
Also, if I add the 2 red lines below into the nginx maker generated file, would that be OK for you?

# Allow access to the back-end index.php file
location = /administrator/index.php {
    fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    auth_basic "Authentification needed";
    auth_basic_user_file /var/www/example.com/administrator/.htpasswd;
    break;
}

nicholas
Akeeba Staff
Manager
If disabling the front-end and back-end protection has no effect the problem is outside the scope of Admin Tools. Sorry, I can't help with generic NginX configuration. It's confusing as it is to configure a server I have full control over. It's nigh impossible doing so over a ticket :( You definitely need to check the permissions and ownership of everything: files/folders, PHP-FPM (if you're using a socket), NginX itself. You also need to check what is the difference in your site setup between the subdomain and the site. Is it possible that you have done something wrong with the way you map folders to URL paths?

Regarding the two lines in red, their location looks wrong. You need a location /administrator (not /administrator/index.php) if you want to protect the entire backend folder.

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
1) I see and I understand. But permissions and ownership are fine, I have already checked :-/
The thing which is very weird is the difference between the domain and the sub-domain,
because the website content is the same (a simple copy/paste), but with a different URL the behaviour is not the same :-(

https://www.ljmconsulting.fr = works

http://test2.toonetcreation.com = does not work

2) About the red lines, I have updated the file like this: in red my lines and in green the lines generated by Admin Tools.
But now with this configuration:

- the URL https://www.example.com/administrator?secret prompts me to type a password

- this URL https://www.example.com/administrator/index.php?secret is directly available without password protection

# Allow access to the back-end index.php file
location = /administrator {
    auth_basic "Authentification needed";
    auth_basic_user_file /var/www/example.com/administrator/.htpasswd;
}

location = /administrator/index.php {
    fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    break;
}

toonetcreation
About point 1), it seems to be solved ;-). I have done a new permission propagation and it seems to be OK now... strange, because I had already done it.

I just need point 2).

nicholas
Akeeba Staff
Manager
That's because your location is an exact match, not a partial match. Please read https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms#matching-location-blocks

What you are looking for is something like this (UNTESTED!):
location ~ /administrator {
  try_files index.php
  auth_basic "Authentification needed";
  auth_basic_user_file /var/www/example.com/administrator/.htpasswd;
}

Nicholas K. Dionysopoulos

Lead Developer and Director

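Why "location = /administrator" protected one URI but not /administrator/index.php, and what changes with a "^~" prefix, as an added example that is not code from the ticket, from Admin Tools or from nginx: a small Python model of nginx's documented location-selection order, run over the location blocks quoted in this thread. The labels ('htpasswd', 'backend-php', ...) are ours, and the "back-end protection off" case assumes the generated exact-match block is simply absent from the included file.

```python
"""Model of nginx's location-selection algorithm, applied to the location blocks
quoted in this ticket.  Constructed example; not Admin Tools or nginx code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str   # '=', '^~', '~', '~*' or '' (plain prefix)
    pattern: str    # literal path for '=' / prefix blocks, a regex for '~' and '~*'
    label: str      # what the block does (our label, for the result)


def select_location(locations, uri):
    """Return the label of the block nginx would use for `uri` (None if nothing matches).

    Documented order: an exact '=' match wins at once; otherwise the longest matching
    prefix block is remembered; if it was declared with '^~' it is used and regex
    blocks are never consulted; otherwise regex blocks are tried in configuration
    order and the first match wins; failing that, the remembered prefix block is used.
    """
    best_prefix = None
    for loc in locations:
        if loc.modifier == '=' and uri == loc.pattern:
            return loc.label
        if loc.modifier in ('', '^~') and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == '^~':
        return best_prefix.label
    for loc in locations:
        if loc.modifier in ('~', '~*'):
            flags = re.IGNORECASE if loc.modifier == '~*' else 0
            if re.search(loc.pattern, uri, flags):
                return loc.label
    return best_prefix.label if best_prefix else None


# Back-end blocks the NginX Conf Maker emits (quoted earlier in the ticket).
GENERATED_BACKEND = [
    Location('=', '/administrator/index.php', 'backend-php'),
    Location('~*', r'^/administrator$', 'redirect-to-index'),
    Location('~*', r'^/administrator/$', 'redirect-to-index'),
    Location('~*', r'/administrator.*$', 'backend-403-or-sef'),
]
# The vhost's own catch-all PHP block.
VHOST_PHP = [Location('~', r'\.php$', 'vhost-php')]


def exact_match_variant(uri):
    """First attempt in the thread: 'location = /administrator' matches one URI only."""
    locs = VHOST_PHP + [Location('=', '/administrator', 'htpasswd')] + GENERATED_BACKEND
    return select_location(locs, uri)


def prefix_variant(uri, backend_protection=False):
    """Later attempt: 'location ^~ /administrator' placed after the generated include.

    With back-end protection off the generated exact block is absent, so every
    /administrator URI lands on the htpasswd block.  With it present, the '='
    block for /administrator/index.php still wins: exact matches are resolved
    before prefixes, whatever the order in the file.
    """
    locs = VHOST_PHP + (GENERATED_BACKEND if backend_protection else [])
    locs += [Location('^~', '/administrator', 'htpasswd')]
    return select_location(locs, uri)


if __name__ == '__main__':
    for uri in ('/administrator', '/administrator/', '/administrator/index.php',
                '/administrator/index.php/foo', '/index.php'):
        print(f'{uri:30} exact={str(exact_match_variant(uri)):20} '
              f'prefix={str(prefix_variant(uri)):10} '
              f'prefix+backend={prefix_variant(uri, True)}')
```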

toonetcreation
OK, I will have a look.
So from your point of view, is it better to add this code to my vhost file or to the file generated by the nginx maker?

toonetcreation
I have done some tests and this works fine.
Now with this URL https://www.example.fr/administrator/index.php?secret I get the password prompt.

The conf is below, in red... like this the Admin Tools protection should not be broken, right?

server {
    listen 80;
    listen [::]:80;
    server_name example.fr;
    return 301 https://www.$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.fr example.fr;
    root /var/www/example/;
    index index.html index.htm index.php;

    access_log /var/log/nginx/example.access_log;
    error_log /var/log/nginx/example.error_log info;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.2-fpm-example.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    include /etc/nginx/conf/example.conf;

    location ^~ /administrator {
        #try_files index.php
        auth_basic "Authentification needed";
        auth_basic_user_file /var/www/administrator/.htpasswd;
    }

    include /etc/nginx/conf/joomla.conf;

    ssl_certificate /etc/letsencrypt/live/example.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.fr/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.fr/chain.pem;

    include /etc/nginx/conf/ssl.conf;
}

nicholas
Akeeba Staff
Manager
I believe that should work. As I said, I haven't actually tested it :)

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
Yes, of course you cannot test.
But I mean, if this works, the Admin Tools protection will not be broken?

toonetcreation
I have done some tests with the directive added in the nginx vhost conf (see the red lines in my previous post).

These 2 following URLs are working:

https://www.example.fr/administrator/index.php?secret

https://www.example.fr/administrator?secret


I get the screen to type the user/password.... but:

1) Is it normal?

2) If yes, is there no problem with the Admin Tools protection? It will not be broken?

Thanks

nicholas
Akeeba Staff
Manager
No, it's not broken.

The popup to enter a username and password comes from your browser because your server sent an Authorization Required HTTP response code WITHOUT loading your site. This last bit is important. This is why you are adding the password protection in the first place.

After you enter a username and password the browser will retry the request. This time it will send a Basic Authentication header with it. If your server deems it's correct then and only then will it continue serving the request. Only at this point Joomla and Admin Tools loads and Admin Tools gets the chance to check your secret URL parameter.

Since the two protections are separate layers you can of course apply them both at the same time.

Nicholas K. Dionysopoulos

Lead Developer and Director

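The two-layer exchange Nicholas describes, as an added example that is not part of the ticket and not Admin Tools or nginx code: a Python model of a request to /administrator that the server layer answers with 401 before anything else runs, and that only reaches the secret-parameter check once the Basic credentials verify. The credential store, the secret word and the 403 used for a missing secret are assumptions.

```python
"""Model of the two independent protection layers: web-server Basic authentication,
answered before the application runs, and the secret URL parameter check that only
runs afterwards.  Constructed example; the store, secret and responses are assumed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed htpasswd-style store: username -> salted SHA-256 of the password.
# (Real htpasswd files use bcrypt/apr1; the salted-hash idea is the same.)
SALT = b'constructed-salt'
USERS = {'admin': hashlib.sha256(SALT + b'correct horse').hexdigest()}
SECRET_WORD = 'secret'   # the "?secret" part of the admin URL in the ticket (assumed)
REALM = 'Authentification needed'


def check_basic_auth(headers):
    """Layer 1: True only for a valid 'Authorization: Basic <base64 user:pass>' header."""
    scheme, _, token = headers.get('Authorization', '').partition(' ')
    if scheme != 'Basic' or not token:
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(':')
    except ValueError:   # bad base64 or bad UTF-8
        return False
    expected = USERS.get(user)
    if expected is None:
        return False
    digest = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def joomla_backend(url):
    """Layer 2 (assumed shape): the secret word must be present in the query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if SECRET_WORD in query:
        return 200, 'administrator login form'
    return 403, 'secret URL parameter missing'


def handle(url, headers):
    """Return (status, body, extra_headers) the way the server would answer."""
    if urlsplit(url).path.startswith('/administrator'):
        if not check_basic_auth(headers):
            # The server answers here; Joomla and Admin Tools never run for this request.
            return 401, 'Authorization Required', {'WWW-Authenticate': f'Basic realm="{REALM}"'}
        status, body = joomla_backend(url)
        return status, body, {}
    return 200, 'front end', {}


def basic_header(user, password):
    """Build the header a browser sends after the user fills in the 401 prompt."""
    token = base64.b64encode(f'{user}:{password}'.encode()).decode()
    return {'Authorization': f'Basic {token}'}


if __name__ == '__main__':
    url = 'https://www.example.com/administrator/index.php?secret'
    print(handle(url, {}))                                    # 401, browser prompts
    print(handle(url, basic_header('admin', 'wrong')))        # 401 again
    print(handle(url, basic_header('admin', 'correct horse')))  # 200, Joomla runs
    print(handle('https://www.example.com/administrator/index.php',
                 basic_header('admin', 'correct horse')))     # 403, secret missing
```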

toonetcreation
OK, so the htpasswd block (see in red in the previous reply) is correctly added after this line /etc/nginx/conf/example.conf; ?

nicholas
Akeeba Staff
Manager
Does it work? Then it is correct.

Does it NOT work? Then it's not correct.

Simple :)

Nicholas K. Dionysopoulos

Lead Developer and Director


toonetcreation
No, it works fine, it was just to confirm ;-)

many thanks again for your help and your advice.
