
Binho's avatar
Level 12

HTTP Authentication - Authorization Required on API calls

Hello,

I put an HTTP Authorization on my server and it always worked. Recently I changed the subdomain and now I can access the login page, but when I'm trying to send an API call for the login, I receive a "401 Authorization Required" response and I don't know why.

I tried many different configurations but I'm still stuck. Can you help me on this topic please?

Please find below my conf. Many thanks for your precious help.

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/staging.mysite.io/before/*;

map $sent_http_content_type $expires {
    "text/html"                 epoch;
    "text/html; charset=utf-8"  epoch;
    default                     off;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name subdomain.staging.mysite.io;
    root /home/forge/staging.mysite.io/;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/staging.mysite.io/xxxxxx/server.crt;
    ssl_certificate_key /etc/nginx/ssl/staging.mysite.io/xxxxxx/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    gzip            on;
    gzip_types      text/plain application/xml text/css application/javascript;
    gzip_min_length 1000;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/staging.mysite.io/server/*;

    location / {
        expires $expires;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_redirect              off;
        proxy_read_timeout          1m;
        proxy_connect_timeout       1m;
        proxy_pass                          http://127.0.0.1:3000; # set the address of the Node.js
        
        auth_basic "Staff Only";
        auth_basic_user_file "/home/forge/staging.mysite.io/.htpasswd";
    }
    
    access_log off;
    error_log  /var/log/nginx/staging.mysite.io-error.log error;
    
    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/staging.mysite.io/after/*;
0 likes
5 replies
guybrush_threepwood's avatar

Hi @binho

I have very little experience with nginx configuration, but have you tried disabling auth_basic for the API routes?

For example:

location /api {
    auth_basic off;
}

I also believe the server_name is incorrect. It says:

    server_name subdomain.staging.mysite.io;

Shouldn't it be?

    server_name staging.mysite.io;

As an alternative, Laravel 8 allows you to bypass maintenance mode by specifying a secret key (this is supported by Forge): https://laravel.com/docs/8.x/configuration#bypassing-maintenance-mode

Regards.

1 like
Binho's avatar
Level 12

Hi @guybrush_threepwood,

Many thanks for your help. I changed the server name to the following to allow subdomains and it's working:

server_name .staging.mysite.io;

I also tried disabling auth_basic for the API routes but now I have a "404 Not Found" error when I'm calling my API.

Unfortunately I cannot use your alternative with maintenance mode as my front web site is a Nuxt project, so I cannot launch the "php artisan down" command.

Many thanks for your help

1 like
guybrush_threepwood's avatar
Level 33

You're welcome @binho

I'm guessing that has something to do with the proxy_pass option. Have you tried setting that for the API location?

For example:

location / {
    expires $expires;
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_redirect              off;
    proxy_read_timeout          1m;
    proxy_connect_timeout       1m;
    proxy_pass                  http://127.0.0.1:3000; # set the address of the Node.js

    auth_basic "Staff Only";
    auth_basic_user_file "/home/forge/staging.mysite.io/.htpasswd";
}

location /api/ {
    expires $expires;
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_redirect              off;
    proxy_read_timeout          1m;
    proxy_connect_timeout       1m;
    proxy_pass                  http://127.0.0.1:3000; # set the address of the Node.js

    auth_basic off;
}
1 like
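
The two-location layout suggested in the last reply, written as an added example (not code from any poster in this thread) that declares the shared proxy settings once at server level. It assumes the same upstream address, `.htpasswd` path and `$expires` map as the original post, and that the API lives under `/api/` as in the replies.

```nginx
server {
    # listen, server_name, ssl_* and the Forge includes stay as in the
    # original post; the $expires map stays at http level.

    # Shared proxy settings, declared once. A location inherits
    # proxy_set_header from this level only if it declares no
    # proxy_set_header of its own.
    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_redirect        off;
    proxy_read_timeout    1m;
    proxy_connect_timeout 1m;

    location / {
        expires    $expires;
        proxy_pass http://127.0.0.1:3000;

        auth_basic           "Staff Only";
        auth_basic_user_file "/home/forge/staging.mysite.io/.htpasswd";
    }

    # Longest-prefix match: requests under /api/ are handled here and never
    # reach "location /". proxy_pass is not inherited, so a location that
    # omits it serves files from "root" instead of the Node.js app, which
    # is the likely source of the 404 reported above.
    location /api/ {
        proxy_pass http://127.0.0.1:3000;

        # Basic auth is switched off for these routes only. The staging API
        # is then reachable by anyone who can reach the host, so the
        # application's own login and token checks are the only access
        # control on /api/.
        auth_basic off;
    }
}
```

After reloading, a request to `/` without credentials should still return 401, while a request under `/api/` should reach the application and be answered by it.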
