I have a Debian 12 server with Nginx and PHP 8.2.
I have a Hugo Project in my folder. The Hugo project has an index.html. My goal is to create a password query via an index.php (which is loaded first). If I now call up a subfolder via a complete URL, the password query should also take place. All requests should therefore go to the index.php and only then be resolved.
File structure
/var/www/xyz/def/
├── de
├── ...
├── index.html
├── index.php
├── ...
I am currently trying to do this via session cookies in PHP. Since it is a minimal example, I have removed the CSS.
index.php
<?php
session_start();

// User credentials
$users = [
    'user1' => 'password123',
    'user2' => 'secret456',
    'user3' => 'admin789'
];

// Process login form
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (isset($users[$username]) && $users[$username] === $password) {
        $_SESSION['loggedin'] = $username;
        header('Location: ' . $_SERVER['REQUEST_URI']);
        exit();
    } else {
        $error = 'Incorrect username or password';
    }
}

// Check if user is logged in
if (!isset($_SESSION['loggedin'])) {
    // Show login form
    echo '<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Login</title>
</head>
<body>
<div class="container">
    <h2>Login</h2>';
    if (isset($error)) {
        echo '<p class="error">'.$error.'</p>';
    }
    echo '<form method="post" action="">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" required>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required>
        <button type="submit">Login</button>
    </form>
</div>
</body>
</html>';
    exit();
}

// Serve the requested file if logged in
$request_uri = urldecode($_SERVER['REQUEST_URI']);
$file = __DIR__ . ($request_uri === '/' ? '/index.html' : $request_uri);
if (!file_exists($file) || !is_file($file)) {
    header("HTTP/1.0 404 Not Found");
    echo '404 Not Found';
    exit();
}
readfile($file);
exit();
nginx config
server {
    server_name xyz.de www.xyz.de;
    root /var/www/xyz/def;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.xyz.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = xyz.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name xyz.de www.xyz.de;
    return 404; # managed by Certbot
}
Help
When I go to the root domain via the browser, it loads the PW query. However, if I access a URL in a deeper folder directly (e.g. via a direct link), it does not ask for a password. It also shows me a 403 or 404 after a login.
Is such an implementation even possible? The passwords are only set here as a minimum example.
Thank you for your help
I was hoping that NGINX and PHP would redirect all requests to index.php and ask for a password. But that is not the case. As soon as you enter a subfolder via a link, there is no more security.
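
The file-serving step from the question, as an added example that is not the poster's code: it strips the query string, maps directories to Hugo's `index.html`, and refuses anything that resolves outside the document root. It assumes nginx hands every request to `index.php` (for instance `rewrite ^ /index.php last;` inside `location /`), because `try_files $uri $uri/ ...` serves existing files and directories from disk without running PHP; `resolve_protected_file` and `content_type_for` are hypothetical helper names.

```php
<?php
// Added example (not the poster's code). Assumption: nginx passes EVERY request
// to this script instead of serving existing files itself via try_files $uri.

// Map the raw request target to a file below $docroot; null means "answer 404".
function resolve_protected_file(string $docroot, string $requestUri): ?string
{
    // REQUEST_URI still carries the query string and percent-encoding.
    $path = rawurldecode(explode('?', $requestUri, 2)[0]);
    if ($path === '' || $path[0] !== '/' || str_contains($path, "\0")) {
        return null;
    }
    $candidate = $docroot . $path;
    // Hugo publishes pretty URLs as <dir>/index.html, so map directories to it.
    if (is_dir($candidate)) {
        $candidate = rtrim($candidate, '/') . '/index.html';
    }
    // realpath() collapses ".." and symlinks and returns false for missing paths.
    $root = realpath($docroot);
    $real = realpath($candidate);
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved file must still live under the document root.
    if (!str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    // Never stream PHP source; index.php itself holds the credentials.
    return strtolower(pathinfo($real, PATHINFO_EXTENSION)) === 'php' ? null : $real;
}

// Small extension map; readfile() alone would send everything as text/html.
function content_type_for(string $file): string
{
    $types = ['html' => 'text/html; charset=UTF-8', 'css' => 'text/css', 'js' => 'text/javascript',
              'svg' => 'image/svg+xml', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    return $types[strtolower(pathinfo($file, PATHINFO_EXTENSION))] ?? 'application/octet-stream';
}

// Runs after the session check in index.php has confirmed $_SESSION['loggedin'].
$file = resolve_protected_file(__DIR__, $_SERVER['REQUEST_URI'] ?? '/');
if ($file === null) {
    http_response_code(404);
    exit('404 Not Found');
}
header('Content-Type: ' . content_type_for($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```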