Error code 500 #2

Closed
jessie-github opened this issue Sep 25, 2016 · 4 comments

@jessie-github

Very interesting project.

I tried the code with Piwigo 2.8.2 on Debian Stable (Jessie) with Nginx 1.9.10.
The nginx binary comes from the nginx-extras package on Debian Stable, which is supposed to include auth_request:

nginx version: nginx/1.9.10
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=/build/nginx-1.9.10/debian/modules/headers-more-nginx-module --add-module=/build/nginx-1.9.10/debian/modules/nginx-auth-pam --add-module=/build/nginx-1.9.10/debian/modules/nginx-cache-purge --add-module=/build/nginx-1.9.10/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-1.9.10/debian/modules/nginx-development-kit --add-module=/build/nginx-1.9.10/debian/modules/nginx-echo --add-module=/build/nginx-1.9.10/debian/modules/ngx-fancyindex --add-module=/build/nginx-1.9.10/debian/modules/nginx-http-push --add-module=/build/nginx-1.9.10/debian/modules/nginx-lua --add-module=/build/nginx-1.9.10/debian/modules/nginx-upload-progress --add-module=/build/nginx-1.9.10/debian/modules/nginx-upstream-fair --add-module=/build/nginx-1.9.10/debian/modules/ngx_http_substitutions_filter_module

Here is my nginx conf file for piwigo:

upstream php5-fpm-sock-piwigo {
    server unix:/var/run/php5-fpm-piwigo.sock;
}

server {
    listen 80;
    server_name example.com;

    # Let's Encrypt Challenge
    include mixins/certbot.conf;

    location / {
        return 301 https://$http_host$request_uri;
    }
}


server {
    listen 443 ssl http2;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/localcerts/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    # HSTS
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    server_name example.com;
    location /robots.txt {
       add_header Content-Type text/plain;
       return 200 "User-agent: *\nDisallow: /\n";
    }

    location / {
        auth_basic "Restricted";
        auth_basic_user_file htpasswd;

        access_log      /var/log/nginx/piwigo.access.log;
        error_log       /var/log/nginx/piwigo.error.log;

        root /var/www/piwigo;
        index index.php;
        client_max_body_size 0;
        location ~* \.php$ {
            fastcgi_pass php5-fpm-sock-piwigo;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            include fastcgi_params;
        }

        location = /auth.php {
            fastcgi_pass php5-fpm-sock-piwigo;
            fastcgi_index auth.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            include fastcgi_params;
        }

        location /upload {
            auth_request /auth.php;
            auth_request_set $auth_redirect '/default.png';
            error_page 401 = /auth_401;
        }

        location /_data/i {
            auth_request /auth.php;
            auth_request_set $auth_redirect '/default.png';
            error_page 401 = /auth_401;
        }

        location = /auth_401 {
            if ($auth_redirect) {
                return 302 $auth_redirect;
            }
           return 401;
        }
    }
}

Even when I am logged in, access to the pictures is denied.
In Nginx log files I can see:

2016/09/25 02:46:56 [error] 14591#14591: *12 auth request unexpected status: 400 while sending to client, client: x.x.x.x, server: example.com, request: "GET /_data/i/galleries/test/IMG_20160521_160356738-cu_s9999x200.jpg HTTP/2.0", host: "example.com", referrer: "https://example.com/index.php?/category/1"

Perhaps it is because I am using HTTP Basic Authentication?
However, I would not like my test web site to be publicly available before securing it.

Can you help me debug this?

Thanks
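The log line in the report already names the cause of the 500 in the title. ngx_http_auth_request_module only understands three outcomes from the subrequest: a 2xx status allows the request, 401 and 403 deny it and are passed through to the client (the 401 is what the error_page 401 rule above catches), and any other status, including the 400 that /auth.php returned here, is logged as "auth request unexpected status" and turned into a 500. The auth script therefore has to answer 403, never 400 or 404, for a path it cannot resolve. The following fragment is an added example, not the poster's config and not the project's own; it replaces the /auth.php and /_data/i locations above and assumes the same php5-fpm-sock-piwigo upstream and a hypothetical auth script at /var/www/piwigo/auth.php. It applies the hardening the nginx auth_request documentation recommends for proxied backends (no request body forwarded, original URI passed explicitly, location marked internal), using the FastCGI equivalents:

```nginx
# Added example, not the poster's config. Assumes the same php-fpm upstream
# and a hypothetical auth script at /var/www/piwigo/auth.php that answers
# 200 (allow), 401 (not logged in) or 403 (deny), and nothing else.
location = /auth.php {
    internal;                          # reachable only via auth_request, not by clients
    include fastcgi_params;
    fastcgi_pass php5-fpm-sock-piwigo;
    fastcgi_param SCRIPT_FILENAME $document_root/auth.php;
    fastcgi_param SCRIPT_NAME /auth.php;
    # The subrequest carries the client's method and headers. Do not forward
    # a request body (a POST to /upload would otherwise be streamed into the
    # auth script) and blank the length so php-fpm does not wait for one.
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    # Inside the subrequest $uri is /auth.php; the URI being protected is
    # $request_uri (the main request's URI, with its query string).
    fastcgi_param X_ORIGINAL_URI $request_uri;
}

location /_data/i {
    auth_request /auth.php;
    auth_request_set $auth_redirect '/default.png';
    # 401 from the script lands on /auth_401; 403 is returned as-is;
    # any other status (400, 404, 500) becomes a 500 for the client.
    error_page 401 = /auth_401;
}
```

Because fastcgi_params is included first, the explicit fastcgi_param lines after it take effect for the auth script. Without internal, anyone can call /auth.php directly and probe which paths the script accepts; without fastcgi_pass_request_body off, an upload POST to a protected path is delivered to the auth script in full before it decides anything.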

@yonjah (Owner)

yonjah commented Sep 26, 2016

@jessie-github The file path you're trying to access doesn't look like any I saw when I was using Piwigo.
How did you upload the file?
Do you use some special plugin?
How do you access it?

@jessie-github (Author)

I used the official FTP upload to /var/www/piwigo/galleries:
http://piwigo.org/doc/doku.php?id=user_documentation:learn:add_picture#by_ftp
After that I had to use the 'Synchronise' Piwigo tool to make these pictures available.
Thumbnails are generated in /var/www/piwigo/_data/i/galleries.

No special plugins are necessary.

After that an album is generated and I can access it the regular way?

Thanks

@yonjah (Owner)

yonjah commented Sep 26, 2016

I'll have to see when I have the time to look into it a bit more.

When you upload a file the regular way it gets a very specific path format, so it's easier to find
the DB record from the path.
But with FTP uploads the files do not follow this format.
It might still be possible to strip the derivative prefix and get the real file path for a DB search, but it will require some testing and might be fragile.
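The mapping described in the comment above (strip the derivative prefix and suffix from the thumbnail URL, recover the original file's path, then look that path up) as an added example. This is not the plugin's code. The `_data/i/` prefix, the original roots `galleries/` (FTP uploads) and `upload/` (web uploads), the list of derivative size codes and the in-memory `IMAGE_ACL` table are assumptions made for the illustration; the custom `cu_s9999x200` suffix is taken from the log line in the report. The second function also applies the status-code rule behind the 500 in the title: the auth endpoint answers only 200, 401 or 403, and treats an unparseable or unknown path as 403 rather than 400.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Added example, not code from piwigo_privacy. Assumptions (not from the
# issue): derivatives live under _data/i/, originals under galleries/ or
# upload/, and the derivative suffix is one of the standard Piwigo size
# codes or a custom "cu_..." code such as cu_s9999x200 from the log line.
DERIVATIVE_PREFIX = "_data/i/"
DERIVATIVE_SUFFIX = re.compile(
    r"^(?P<stem>.+)-(?P<deriv>sq|th|2s|xs|sm|me|la|xl|xx|cu_[A-Za-z0-9]+)$"
)
ORIGINAL_ROOTS = ("galleries/", "upload/")


def original_path(request_uri):
    """Map the requested URI to the original file path (relative to the
    gallery root), or None when it cannot be resolved safely.

    None covers both 'malformed' and 'not a derivative we know', so the
    caller can answer 403; a 400 would be turned into a 500 by auth_request.
    """
    path = unquote(urlsplit(request_uri).path)
    if not path.startswith("/") or "\x00" in path:
        return None
    segments = path[1:].split("/")
    # Reject traversal and empty segments *after* percent-decoding, so that
    # %2e%2e does not slip past the check.
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    rel = "/".join(segments)
    if rel.startswith(DERIVATIVE_PREFIX):
        rel = rel[len(DERIVATIVE_PREFIX):]
        stem_with_deriv, ext = posixpath.splitext(rel)
        m = DERIVATIVE_SUFFIX.match(stem_with_deriv)
        if m is None or not ext:
            return None
        rel = m.group("stem") + ext  # drop "-cu_s9999x200", keep ".jpg"
    if not rel.startswith(ORIGINAL_ROOTS):
        return None
    return rel


# Constructed stand-in for the database: original path -> users allowed to
# see it. In the real plugin this would be a query against Piwigo's tables.
IMAGE_ACL = {
    "galleries/test/IMG_20160521_160356738.jpg": {"alice"},
    "upload/2016/09/25/20160925024656-1a2b3c4d.jpg": {"alice", "bob"},
}


def auth_status(request_uri, user):
    """HTTP status the auth_request subrequest should receive.

    Only 200, 401 and 403 are ever returned: those are the statuses
    ngx_http_auth_request_module understands. Anything else (400, 404, 500)
    makes nginx log 'auth request unexpected status' and send a 500.
    """
    rel = original_path(request_uri)
    if rel is None:
        return 403
    allowed = IMAGE_ACL.get(rel)
    if allowed is None:
        return 403  # unknown file: deny rather than leak existence via 404
    if user is None:
        return 401  # triggers the error_page 401 redirect in the nginx config
    return 200 if user in allowed else 403


if __name__ == "__main__":
    uri = "/_data/i/galleries/test/IMG_20160521_160356738-cu_s9999x200.jpg"
    print(original_path(uri), auth_status(uri, "alice"), auth_status(uri, "bob"))
```

The fragility mentioned in the comment shows up in the suffix regex: an original whose own name ends in something like `-la` or `-sq` is stripped too far and the lookup fails closed (403, not a wrong allow). A sturdier approach is to try both candidate originals, or to resolve the path inside Piwigo itself, which is what the plugin-alpha branch referenced later in this thread does.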

@yonjah (Owner)

yonjah commented Feb 9, 2017

@jessie-github I rewrote most of the logic and implemented this inside a Piwigo plugin.
It is still not on the master branch, but you can check it out here -
https://github.com/yonjah/piwigo_privacy/tree/plugin-alpha

This should solve this issue, but my personal use of Piwigo is very basic, so I might have missed some edge cases.
