auth_request and nested locations

djczaski djczaski at gmail.com
Tue Dec 11 11:52:46 UTC 2012


Thank you for the reply.

On Tue, Dec 11, 2012 at 3:28 AM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Mon, Dec 10, 2012 at 10:35:00PM -0500, djczaski wrote:
>
>> Except for a few exceptions, I want to require authentication for an
>> entire site.  The safest place would be to put the auth_request
>> directive at the http level but there's no way to allow the
>> exceptions. If I put the auth_request in locations I'll need to
>> repeat it multiple times and that seems less maintainable because of the
>> chance of it getting missed when new services are added or changed. Is
>> there a decent way of structuring the config file for an auth portion
>> of a site and an un auth'd side?
>
> There are two basic approaches:
>
> 1) Use "auth_request off" to switch off auth when needed:
>
>     auth_request /auth;
>
>     location / {
>         ...
>     }
>
>     location /no_auth_here/ {
>         auth_request off;
>     }

I didn't understand this was possible.  I figured the auth_request
from the http level was "evaluated" first before looking at lower
levels.  This is good to know.

> 2) Use nested locations for places which need auth, and
> explicitly configure locations without auth when needed:
>
>     location / {
>         auth_request /auth;
>
>         location /some_nested_location_with_auth/ {
>             ...
>         }
>     }
>
>     location /no_auth_here/ {
>         # no auth_request here
>     }

This style seems best, but I read a post from Igor that said you
cannot use nested locations except with regular expressions:

    http://forum.nginx.org/read.php?2,174517,174534#msg-174534

Maybe I am misunderstanding his statement.

Thanks.

> --
> Maxim Dounin
> http://nginx.com/support.html
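Added example, not part of the original message and not nginx code: a small audit script that resolves which `auth_request` value each `location` ends up with under the inheritance behaviour described in the thread, so a location that was missed shows up in a review. The function names and the simplified tokenizer are assumptions of this sketch; it ignores quoted strings, `include` files and regex locations containing braces.

```python
import re
# Constructed configs mirroring the two layouts quoted in the message.
LAYOUT_1 = """
auth_request /auth;
location / { }
location /no_auth_here/ { auth_request off; }
"""
LAYOUT_2 = """
location / {
    auth_request /auth;
    location /some_nested_location_with_auth/ { }
}
location /no_auth_here/ { }  # no auth_request here
"""

def parse(text):
    """Build a block tree; each node keeps its own auth_request, if set."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    root = {"name": "(top)", "auth": None, "kids": []}
    stack, words = [root], []
    for tok in tokens:
        if tok == "{":                      # block opens: words are its header
            node = {"name": " ".join(words), "auth": None, "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";" and words[:1] == ["auth_request"] and len(words) == 2:
            stack[-1]["auth"] = words[1]
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok)
    return root

def effective_auth(node, inherited=None, out=None):
    """Resolve inheritance: a block without auth_request takes its parent's."""
    out = {} if out is None else out
    value = node["auth"] if node["auth"] is not None else inherited
    if node["name"].startswith("location"):
        out[node["name"]] = value
    for kid in node["kids"]:
        effective_auth(kid, value, out)
    return out

def unprotected(text):
    # Locations where no auth subrequest runs (never set, or set to off).
    return sorted(n for n, v in effective_auth(parse(text)).items() if v in (None, "off"))
```

Running `unprotected()` over a config and comparing the result with an agreed list of exceptions flags any new location that ended up outside the authenticated part of the tree.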


