Protect /analytics on Nginx with basic authentication, but allow access to .php and .js files?:S


Hey all,

Hope this is the right place to ask. I have Piwik setup and running on a Nginx webserver that I protected with HTTP basic authentication, as seen below.

        location /analytics {
        alias /var/www/piwik/;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/pass;
        try_files $uri $uri/ /index.php;

        location ~ ^/analytics(.+\.php)$ {
        alias /var/www/piwik$1;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

I have it protected, but it’s prompting to login on every page, due to the piwik.php and piwik.js files being in my protected directory, as described here.

If you use HTTP Authentication (Basic or Digest) on your Piwik files, you should exclude piwik.php and piwik.js from this authentication, or visitors on your website would be prompted with the authentication popup.

What kind of Nginx rule can I use to protect all files in that directory, besides those two? I found this for Apache using .htaccess, but it looks like Nginx has no equivalent. Is it possible to do a negative regex match on a location block?

Any help would be appreciated!

(Matthieu Aubry) #2

Hi there,

I’m not sure about your request, but have you seen this nginx piwik config project? GitHub - matomo-org/piwik-nginx: Nginx configuration for running Piwik


Hey Matt,

I have seen that but there is nothing there about using HTTP authentication. This may be something I need to ask on the Nginx forums. By the way, Piwik is a great product, please keep up the good work! :)-D



In case anyone else ever needs this, it’s resolved below.,256585,256630#msg-256630