No authentication prompt with if block

Maxim Dounin mdounin at mdounin.ru
Sat Feb 8 21:05:28 UTC 2014


Hello!

On Sat, Feb 08, 2014 at 08:43:53AM -0800, Grant wrote:

> >> Authentication works fine if I don't include the if block but I'd like
> >> to allow only a certain user access to this server block.  I get a 403
> >> in the browser without any prompt for authentication.
> >>
> >> auth_basic "Authentication Required";
> >> auth_basic_user_file htpasswd;
> >> if ($remote_user != "myuser") {
> >>     return 403;
> >> }
> >>
> >> What am I doing wrong?
> >
> > Rewrite directives, including "if", are executed before access
> > checks (and hence auth_basic).  So in your cofiguration 403 is
> > returned before auth_basic has a chance to ask for authentication
> > by returning 401.
> >
> > Something like
> >
> >    map $remote_user $invalid_user {
> >        default      1;
> >        ""           0;
> >        "myuser"     0;
> >    }
> >
> >    if ($invalid_user) {
> >        return 403;
> >    }
> >
> >    auth_basic ...
> >
> > should work, as it will allow empty $remote_user and auth_basic
> > will be able to ask for authentication if credentials wasn't
> > supplied.
> 
> That works great, thank you.  Does adding 'map' slow the server down much?

No, not at all.  In contrast, using maps is usually faster than 
any other method to do conditional checks.  See docs at 
http://nginx.org/r/map, in particular this note:

: Since variables are evaluated only when they are used, the mere 
: declaration even of a large number of “map” variables does not add 
: any extra costs to request processing.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list