Closed CyberCr33p closed 6 years ago
How do you know this commit is causing this issue?
The only thing the commit does is not doing the authentication step for nginx internal redirects.
Your PHP script (which is super insecure and allows anyone to execute any command on your server) has nothing to do with internal nginx redirects so I think it's highly unlikely this commit breaks it.
Dear Erik,
Thank you for your reply.
I know it because if I use an nginx-http-auth-digest version before this commit then it works. Also if I use the latest version and remove this commit code then it works too.
On this vhost I have also this:
    location / {
        rewrite ^(.*)$ /cgi-bin/awstats.pl last;
    }
Maybe this causes the issue? But without the rewrite Awstats will not work.
PHP runs with php-fpm with separate user per hosting account. And this PHP script is allowed to run only for awstats path.
If I change it to redirect then it works:
    location / {
        rewrite ^(.*)$ /cgi-bin/awstats.pl redirect;
    }
Do you think there is a reason to omit authentication for rewrites?
So if I understand correctly you only have the authentication setup on the /cgi-bin/awstats.pl
path and not the other urls? Can I see your whole nginx config (or at least the parts related to this).
Then this would all make sense as the first request doesn't check for any authentication and the rewrite does an internal redirect which makes nginx-http-auth-digest ignore it. Using an actual HTTP redirect would make the browser do a new request for the url with authentication which makes that work.
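A small added check (example code, not from the thread or the module) that an operator could run after changing the rewrite, to confirm that every entry point which ends up at the awstats script still receives a Digest challenge rather than being served through the internal redirect; the host name and paths are assumptions:

```python
"""Added regression check (not part of the issue thread): confirm that every
entry point which ends up at the awstats script still receives an HTTP Digest
challenge, i.e. that an internal rewrite did not bypass nginx-http-auth-digest.
The host name and paths below are assumptions for illustration."""
import urllib.request
import urllib.error


def digest_enforced(status, headers):
    """Return True only if the final response demands Digest credentials.

    `headers` is any mapping with a get() method, such as the HTTPMessage
    urllib returns (case-insensitive) or a plain dict in tests.
    """
    if status != 401:
        return False
    challenge = headers.get("WWW-Authenticate") or ""
    return challenge.lower().startswith("digest ")


def probe(url):
    """Fetch `url` unauthenticated, following any HTTP redirects (the
    `rewrite ... redirect` variant), and report (final_status, enforced).
    A 200 here means the script was served without a credential prompt,
    which is the symptom described in the issue."""
    req = urllib.request.Request(url, headers={"User-Agent": "auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, digest_enforced(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, digest_enforced(err.code, err.headers)


def unprotected_entry_points(base, paths):
    """Return the paths under `base` that did not end in a Digest challenge."""
    return [p for p in paths if not probe(base + p)[1]]


if __name__ == "__main__":
    # Both the rewritten entry point "/" and the direct script path must
    # challenge; anything listed here is reachable without credentials.
    leaks = unprotected_entry_points(
        "http://stats.example.test",  # placeholder host
        ["/", "/cgi-bin/awstats.pl", "/cgi-bin/awstats.pl?config=example"],
    )
    print("unprotected:", leaks or "none")
```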
Awstats is a perl script called from this cgi-bin.php file:
http://pastebin.com/raw.php?i=EPpRmpYT
The commit "omit the access check only when the internal request" breaks Awstats authentication and makes it not ask for a user/pass.
Can you please remove this commit?