I had this issue as well, and the solution is to make sure your "allow / deny / auth" configuration block(s) always sit -above- your PHP & Static file configuration.
location ~* /admin {
auth_basic "Administrator Login";
auth_basic_user_file /path/to/.htpasswd
}
# Pass off php requests to Apache
location ~* \.php {
try_files $uri =404;
include /nginx/proxypass.conf;
proxy_pass http://127.0.0.1:80;
}
# Serve static files directly from nginx
location ~* \.(?:jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|exe|html|htm|txt|css|js)$ {
expires 365d;
etag on;
}
location ~* /admin {
auth_basic "Administrator Login";
auth_basic_user_file /path/to/.htpasswd
}
# Pass off php requests to Apache
location ~* \.php {
try_files $uri =404;
include /nginx/proxypass.conf;
proxy_pass http://127.0.0.1:80;
}
# Serve static files directly from nginx
location ~* \.(?:jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|exe|html|htm|txt|css|js)$ {
expires 365d;
etag on;
}