Top Nav

Archive | Webservers

.htaccess – negative file type match

Here’s an example of how to block all files extensions not listed in the regular expression:

 

0

Disable OPTIONS method in NGINX

To disable the OPTIONS method in Nginx add the following config:

The result can be tested with curl:

 

1

Disable Basic Auth For Virtual Path On Plesk

In a recent case we needed to allow request to a particular virtual URL path on a site that was password protected with HTTP Basic Auth. The site was hosted on a Linux server with Plesk, nginx and Apache.  Typically this problem is solved by adding a “Satisfy Any” to the .htaccess in the directory that you want to remove authentication. But this does not work if the path is virtual instead of a physical directory path. Additionally we needed to allow access for a list of IP addresses. We tried an number of different solutions and ended up with the following:

Step 1 – The HTTP Basic Auth and IP access controls are configured in the .htaccess file like this:

Step 2 – In Plesk under:

Add the following block:

where “/excluded/path” is the virtual URL to be allowed access and “x.x.x.x” is the IP address assigned to the site.

When a request comes is received, nginx looks for the path and adds the AUTH_OVERRIDE header. Then the request is passed to Apache which processes the .htaccess file. The AUTH_OVERRIDE header is converted to an “AUTH_REQUEST” environment variable and allow without authentication by the “allow from env=” rule.

There may be better ways to accomplish this solution but this is one that we successfully implemented.

 

 

0

Test CORS with curl

Is your CDN returning the proper CORS headers? One way to test is with curl. Here’s a simple CORS request:

You should get a successful response that includes and “Access-Control-Allow-Origin” header.

And here’s a pre-flight request:

You should get a successful response that includes and “Access-Control-Allow-Origin”, “Access-Control-Allow-Methods”, and “Access-Control-Allow-Headers” headers.

0

Mixing Basic Auth And IP Access Controls

In some cases you might want to require HTTP Basic authentication to a site but allow specific IP addresses to skip the username/password. For Apache this can be configured with:

For nginx the configuration is:

 

 

 

0