I have nginx + php-fpm running on debian 6 and all is well.

However, I want to take www.example.com/wiki and password-protect it using basic auth. In apache, I'd drop in a .htaccess, but for nginx, I need to create a location rule.

I have this rule:

location ~ \.php$ {

but when I create this:

location ~ /wiki {
    auth_basic  "Restricted";
    auth_basic_user_file  /some/path/wiki.users;
  }

everything in /wiki breaks. I suspect what's happening is that nginx matches the first rule and never gets to the second. But a rule like this doesn't change things:

location ~ /wiki.*\.php$ {

Strangely, I see errors like this in the site's nginx's log:

2011/04/10 14:52:05 [error] 1826#0: *9 open() "/usr/local/nginx/html/
wiki/skins/common/images/poweredby_mediawiki_88x31.png" failed (2: No
such file or directory), client: x.x.x.x, server: example.org,
request: "GET /wiki/skins/common/images/poweredby_mediawiki_88x31.png
HTTP/1.1", host: "www.example.org", referrer: "http://www.example.org/
wiki/index.php?title=Main_Page"

...which makes no sense because the string '/usr/local/nginx' doesn't exist anywhere in /etc/nginx or /etc/php (grep -R -i), so where would php-fpm be picking that up from?

If I turn off auth_basic, everything works perfectly. But I need to password-protect some directories...so...how? I'm surprised it's this difficult when it's so easy in Apache.

Just a wild guess, but do you have your root set inside of a location block?

Yes.

At the moment, what I did was setup wiki.example.org separately from www.example.org as a separate site. Then I put the auth_basic and auth_basic_user_file in both the .php-matching location and the / location.

That works fine...I'm not sure what the 100% correct way to do this is, though.

Apache was easier...too bad it takes so much RAM

That's probably your problem. You need to move the root location into the server block. Otherwise you need to duplicate your php location matching block inside of the restricted block as you found out.