Symfony2 Nginx auth_basic config don't open web assests

Question

I'm developing a project using Symfony2, Nginx.

Project is located in my subdomain like developing_site.mysite.com.

I'd like to restrict access to this subdomain without authentication. Not only to dev and config files, but also to production.

So i added auth_basic component to nginx config file in location/ sector in nginx config that is recommended by symfony official web site. As a result, before page loading server asks authentication and loads everything except for any files stores in /web directory like images, js, css and so on. As a result, there is all content processed by .php but without any style and dynamic functionality.

So how can i resolve this issue? What i'm doing wrong?

Nginx config looks like this:

server {

listen {MyServerIp};
server_name developing_site.mysite.com;

root /var/www/developing_site/web;
index index.php index.html index.htm;

location / {
    try_files $uri /app.php$is_args$args;
    auth_basic "Restricted Content";
    auth_basic_user_file var/www/developing_site/.lock/.htpasswd;
}

# DEV
# This rule should only be placed on your development environment
# In production, don't include this and don't deploy app_dev.php or config.php
location ~ ^/(app_dev|config)\.php(/|$) {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    # When you are using symlinks to link the document root to the
    # current version of your application, you should pass the real
    # application path instead of the path to the symlink to PHP
    # FPM.
    # Otherwise, PHP's OPcache may not properly detect changes to
    # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
    # for more information).
    fastcgi_param  SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
}
# PROD
location ~ ^/app\.php(/|$) {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    # When you are using symlinks to link the document root to the
    # current version of your application, you should pass the real
    # application path instead of the path to the symlink to PHP
    # FPM.
    # Otherwise, PHP's OPcache may not properly detect changes to
    # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
    # for more information).
    fastcgi_param  SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
    # Prevents URIs that include the front controller. This will 404:
    # http://domain.tld/app.php/some-path
    # Remove the internal directive to allow URIs like this
    internal;
}

error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}

Answer 1

I resolved the issue by myself..

Two mistakes:

1. syntactic mistake
2. incorrect place of auth_basic block

The syntactic mistake is in var/www/developing_site/.lock/.htpasswd; . I used relative link instead of absolute. Correct form is /var/www/developing_site/.lock/.htpasswd; (sorry for that...)

When I've placed auth_basic block in location/ I've set authentication only to / location that in fact processes all /web requests... (/web requests wasn't processed because of 1-st mistake...)

Main symfony requests are processed by location ~ ^/(app_dev|config)\\.php(/|$) block in nginx config file.

Solution: To restrict any requests to any files of developing_site.mysite.com without authentication, auth_basic block should be place before any location blocks.

So the correct nginx config should looks like this:

server {

listen MyServerIp;
server_name developing_site.mysite.com;

auth_basic "Unauthorized";
auth_basic_user_file /var/www/.lock/.htpasswd;

root /var/www/developing_site/web;
index index.php index.html index.htm;

location / {
    try_files $uri /app.php$is_args$args;
}

# DEV
# This rule should only be placed on your development environment
# In production, don't include this and don't deploy app_dev.php or config.php
location ~ ^/(app_dev|config)\.php(/|$) {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    # When you are using symlinks to link the document root to the
    # current version of your application, you should pass the real
    # application path instead of the path to the symlink to PHP
    # FPM.
    # Otherwise, PHP's OPcache may not properly detect changes to
    # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
    # for more information).
    fastcgi_param  SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
}
# PROD
location ~ ^/app\.php(/|$) {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    # When you are using symlinks to link the document root to the
    # current version of your application, you should pass the real
    # application path instead of the path to the symlink to PHP
    # FPM.
    # Otherwise, PHP's OPcache may not properly detect changes to
    # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
    # for more information).
    fastcgi_param  SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
    # Prevents URIs that include the front controller. This will 404:
    # http://domain.tld/app.php/some-path
    # Remove the internal directive to allow URIs like this
    internal;
}

error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}