I’ll introduce how to exclude specific URLs from Basic authentication in Nginx.

Configure satisfy any and allow all

To exclude specific locations from Nginx Basic authentication, write a configuration file like the following:

# /usr/local/nginx/conf/yourdomain.example.com.conf
server {
  listen               80;

  # Basic authentication settings
  auth_basic           "auth";
  auth_basic_user_file /path/to/.htpasswd;
  root                 /path/to/root;

  # Settings to exclude from Basic authentication
  location /path/to/exception {
    satisfy any;
    allow   all;
  }
}

Alternatively, you can take an approach where you write to a file called bypass_basic_auth_locations and include it as follows:

# bypass_basic_auth_locations
location /css {
    satisfy any;
    allow   all;
}
location /img {
    satisfy any;
    allow   all;
}
location /js {
    satisfy any;
    allow   all;
}

# /usr/local/nginx/conf/yourdomain.example.com.conf
server {
  listen               80;

  # Basic authentication settings
  auth_basic           "auth";
  auth_basic_user_file /path/to/.htpasswd;
  root                 /path/to/root;

  # Settings to exclude from Basic authentication
  include bypass_basic_auth_locations;
}

That’s all about excluding specific directories from Basic authentication in Nginx from the Gemba.

Reference Information

• [Linux] nginxでBasic認証を行う方法（CentOS） - YoheiM .NET
• nginx: 同じ configuration level で auth_basic off は指定できない - Sexually Knowing