Explanation

With the simple Nginx config below, I am getting asked for Basic auth credentials at all endpoints including /graphql/ and /wp-content/, even though I have asked Nginx to specifically turn off auth for these locations. To make my regex game 'concrete' I configured a regex on the block that applies Basic auth to apply to everything EXCEPT /graphql/ or /wp-content/ with negative lookahead. Still, I am asked for auth on these URIs.

I have reduced the configuration while debugging (see below), and now only 3 location blocks are in use, and all of them are regex locations to completely rule out Nginx priority issues.

I have confirmed I am complying with the PCRE standard used by Nginx and validated these regex rules at https://regex101.com/.

Question

Auth is only applied in # Block 2 which explicitly excludes /graphql/ and /wp-content/, so why is Nginx still applying the logic from that block to those URIs?

Simplified Server Config
# Block 1
# Regex: Will ONLY match "/graphql/..." or "/wp-content/...".
location ~ ^\/(graphql|wp-content)\/.*$
{ auth_basic off; }

# Block 2
# Regex: Match root "/" with negative lookahead. Will NOT match "/graphql/..." or "/wp-content/...".
location ~ ^\/(?!(graphql|wp-content)\/).*$
{ auth_basic "Halt!"; ... }

# Block 3
# Regex: Match all URIs that end ".php"
location ~ \.php$
{}

Edit

I updated the regex so it would match the complete URI string from start (^) to finish ($) in case Nginx takes this into account - no difference.

Jefferson
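A way to check which of the three blocks a given URI lands in, as an added example that is not part of the original post: it replays nginx's rule that regex locations are tried in config order and the first match wins, using the query-stripped path. The sample URIs and the internal redirect to /index.php are assumptions constructed for illustration; the post does not show what sits behind the `...`.

```python
import re

# The three regex locations from the question, in config order:
# (name, pattern, auth_basic value; None = not set in that block).
LOCATIONS = [
    ("Block 1", r"^\/(graphql|wp-content)\/.*$", "off"),
    ("Block 2", r"^\/(?!(graphql|wp-content)\/).*$", "Halt!"),
    ("Block 3", r"\.php$", None),
]


def select_location(uri):
    """Return (block, auth_basic) for the first regex location matching uri.

    nginx tries regex locations in config order and stops at the first
    match; the query string is not part of the string being matched.
    """
    path = uri.split("?", 1)[0]
    for name, pattern, auth in LOCATIONS:
        if re.search(pattern, path):
            return name, auth
    return None, None


def trace(uri, internal_redirect=None):
    """List the (uri, block, auth_basic) hops for one request.

    After an internal redirect nginx selects a location again for the new
    URI, and that block's auth_basic is enforced on the request.
    """
    hops = [(uri, *select_location(uri))]
    if internal_redirect is not None:
        hops.append((internal_redirect, *select_location(internal_redirect)))
    return hops


if __name__ == "__main__":
    # Constructed sample requests (not taken from the post).
    for uri in ("/graphql/", "/graphql", "/graphql?query=x",
                "/wp-content/uploads/a.png", "/wp-login.php"):
        print(uri, "->", select_location(uri))
    # Hypothetical: something outside the blocks shown hands the request
    # to /index.php (an assumption; the post elides that part).
    print(trace("/graphql/", internal_redirect="/index.php"))
```

With these patterns, "/graphql" without the trailing slash (with or without a query string) falls to Block 2, and Block 3 is never selected because Block 1 or Block 2 matches every path first.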

0 Answers