Combining Basic Authentication with Access Restriction by IP Address and auth_basic off
Ruslan Ermilov
ru at nginx.com
Wed Jun 27 13:57:36 UTC 2018
On Wed, Jun 27, 2018 at 03:08:50PM +0200, basti wrote:
> Hello,
> I have a config like:
>
> server {
>
>     ...
>     # combine basic auth and ip whitelisting
>     # https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
>     satisfy any;
>     allow <my_static_IP>;
>     deny all;
>
>     auth_basic "Restricted";
>     auth_basic_user_file /etc/nginx/nx4/.htpasswd;
>
>     location /.well-known/acme-challenge/ {
>         auth_basic off;
>         default_type "text/plain";
>         alias /var/lib/dehydrated/acme-challenges/;
>     }
> }
>
> But it does not seem to work.
> Access from the allowed IP is fine; all others get
>
> 2018/06/27 14:54:12 [error] 1333#1333: *11176 access forbidden by rule,
> client: ...
>
> nginx -v
> nginx version: nginx/1.10.3
>
> Can anyone confirm this?
Since you have switched auth_basic off, the only enabled authentication
left is by client address, and your inherited configuration says it's
denied for everything except <my_static_IP>. Put "allow all" into the
"location /.well-known/acme-challenge/" to have it working for all.
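
The configuration from the question with the change described in the reply applied, as an added example that is not part of the original thread. The `listen` and `server_name` lines and the address 192.0.2.10 (a constructed stand-in for `<my_static_IP>`) are assumptions; the paths are the ones from the post.

```nginx
server {
    listen 80;                  # assumption: the listener is not shown in the post
    server_name example.com;    # assumption: placeholder name

    # Access is granted if EITHER check passes: client address OR credentials.
    satisfy any;
    allow 192.0.2.10;           # constructed stand-in for <my_static_IP>
    deny all;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/nx4/.htpasswd;

    location /.well-known/acme-challenge/ {
        # With basic auth off, the address rules are the only check left here.
        auth_basic off;

        # allow/deny rules are inherited from the server level only when the
        # location defines none of its own. This line replaces the inherited
        # "allow 192.0.2.10; deny all;" for this location only, so the
        # challenge files are readable from any address.
        allow all;

        default_type "text/plain";
        alias /var/lib/dehydrated/acme-challenges/;
    }
}
```

The rest of the server block keeps the original policy: requests outside the challenge path still need either the allowed address or valid credentials. Run `nginx -t` before reloading to check the syntax.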