I am attempting to disable basic authentication for certain endpoints on my website, as some third-party services send requests to the site.
I have two EC2 instances and an Application Load Balancer (ALB) behind them. This is my nginx configuration file. As you can see, I have enabled authentication in the server block and disabled it for certain endpoints. However, when I try to access certain endpoints, such as https://website.domain/api/providers/bgaming/rollback, I am still prompted to enter a username and password, when I should not be.
upstream fpm_backend {
    server unix:/run/php/php8.1-fpm.sock;
    keepalive 256;
}

server {
    listen 80 default_server;
    server_name _;
    root /home/xxxx/xxxx/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;
    charset utf-8;
    error_page 404 /index.php;

    auth_basic "Restricted access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /api/provider/aleaplay/callback/transactions {
        auth_basic off;
    }
    location /api/provider/aleaplay/callback/players/ {
        auth_basic off;
    }
    location /callback {
        auth_basic off;
    }
    location /api/providers/bgaming/play {
        auth_basic off;
    }
    location /api/providers/bgaming/rollback {
        auth_basic off;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    location /web.config {
        return 404;
    }

    location ~ \.php$ {
        fastcgi_pass fpm_backend;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    client_max_body_size 20M;
}
Looking at your configuration, everything ends up being handled by the root index.php file. The /index.php URI is handled by the location ~ \.php$ block and requires authentication.

To disable authentication for /api/providers/bgaming/rollback, you will need to use auth_basic off and handle the entire request within the same location block.

For example:

    location ^~ /api/providers/bgaming/rollback {
        auth_basic off;
        try_files /index.php =404;
        fastcgi_pass fpm_backend;
        include fastcgi_params;
    }

The ^~ operator causes this location to take precedence (which is probably not required in this particular case). The try_files statement changes the request to index.php, but as it is not the last parameter, the request continues to be handled within the same location block. The final two statements process the request as a PHP file.