NGINX - Why can I bypass password authentication?


I have an NGINX server and I use the Apache utilities for password protection (.htpasswd). It MOSTLY works fine. The following work fine:

example.com/admin
example.com/admin/
example.com/admin/index

but... When I type example.com/admin/index.php, don't type any password at all and press "abort", the server shows the index.php (without any CSS or JS files). I think my PHP-FPM is the problem. Please take a look:

location / {
    try_files $uri $uri.html $uri/ @extensionless-php;
    index index.html index.htm index.php;
}

location @extensionless-php {
    rewrite ^(.*)$ $1.php last;
}

# plain prefix location: a matching regex location elsewhere still wins over it
location /admin {
    auth_basic "Restricted";
    auth_basic_user_file /admin/.htpasswd;
}

# matches any URI ending in .php, including those under /admin
location ~ \.php$ {
    fastcgi_pass            127.0.0.1:9000;
    include                 fastcgi_params;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

Richard Smith

Just looking at the last two locations in your question:

location ^~ /admin {
    auth_basic "Restricted";
    auth_basic_user_file /admin/.htpasswd;

    location ~ \.php$ {
        fastcgi_pass  127.0.0.1:9000;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

location ~ \.php$ {
    fastcgi_pass  127.0.0.1:9000;
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

Adding the ^~ modifier makes the location ^~ /admin block take precedence over the other regex blocks (specifically the existing location ~ \.php$ block). So the authentication rules are uniformly applied to any URI beginning with /admin. See this document for details.

To avoid breaking PHP, the location ~ \.php$ block is duplicated within the location ^~ /admin block to process URIs that begin with /admin and end with .php.
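The precedence rule behind this answer is easy to get wrong, so here is an added example (not part of the question or the answer) that models nginx's location selection in Python and checks both configurations against the URIs from the question. It is a constructed, simplified model: it implements only exact matches, longest-prefix matches, the ^~ modifier, regex locations in file order, nested locations and directive inheritance; try_files, the rewrite and the named @extensionless-php location are deliberately left out because they do not affect which block handles /admin/index.php.

```python
r"""Toy model of nginx location selection.

Shows why `location /admin` (no ^~) loses to `location ~ \.php$` for
/admin/index.php, and why adding ^~ plus a nested PHP block fixes it.
Constructed for illustration; it ignores try_files, rewrite and named locations.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Location:
    modifier: str            # '', '=', '^~', '~' or '~*'
    pattern: str             # prefix string or regex, depending on modifier
    directives: dict         # only the directives relevant here
    children: list = field(default_factory=list)   # nested location blocks


def select(locations, uri):
    """Return the location nginx would pick among siblings at one nesting level."""
    # 1. an exact match wins immediately
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    # 2. remember the longest matching prefix location
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    # 3. a ^~ prefix stops the regex search at this level
    if best is not None and best.modifier == "^~":
        return best
    # 4. otherwise the first matching regex, in file order, wins
    for loc in locations:
        if loc.modifier == "~" and re.search(loc.pattern, uri):
            return loc
        if loc.modifier == "~*" and re.search(loc.pattern, uri, re.IGNORECASE):
            return loc
    # 5. no regex matched: fall back to the longest prefix
    return best


def effective(locations, uri):
    """Merge directives along the chain of matched (possibly nested) locations.

    Nested blocks inherit the parent's directives (auth_basic included) and may
    override them, so later levels are merged over earlier ones.
    """
    merged = {}
    level = locations
    while True:
        loc = select(level, uri)
        if loc is None:
            break
        merged.update(loc.directives)
        level = loc.children
        if not level:
            break
    return merged


PHP = {"fastcgi_pass": "127.0.0.1:9000"}
AUTH = {"auth_basic": "Restricted"}

# The configuration from the question: a plain prefix block for /admin
# next to a top-level regex block for *.php.
ORIGINAL = [
    Location("", "/", {}),
    Location("", "/admin", dict(AUTH)),
    Location("~", r"\.php$", dict(PHP)),
]

# The configuration from the answer: ^~ on /admin, with the PHP regex
# block duplicated inside it so PHP under /admin still works.
FIXED = [
    Location("", "/", {}),
    Location("^~", "/admin", dict(AUTH),
             children=[Location("~", r"\.php$", dict(PHP))]),
    Location("~", r"\.php$", dict(PHP)),
]


def audit(locations, uris):
    """For each URI report (uri, behind auth_basic?, handed to PHP-FPM?)."""
    rows = []
    for uri in uris:
        eff = effective(locations, uri)
        rows.append((uri, "auth_basic" in eff, "fastcgi_pass" in eff))
    return rows


if __name__ == "__main__":
    uris = ["/admin", "/admin/index", "/admin/index.php", "/index.php"]
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name)
        for uri, authed, php in audit(cfg, uris):
            print(f"  {uri:<18} auth={authed!s:<5} php={php}")
```

Running it prints that, under the original configuration, /admin/index.php is handed to PHP-FPM with no auth_basic (the regex block won), while /admin and /admin/index are protected; under the fixed configuration every /admin URI carries auth_basic and /admin/index.php is still passed to PHP through the nested block. The same model is a cheap way to audit any other protected prefix before relying on it.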