Allow/Deny rules in Location block

[Reinis Rozitis]

> [error] 11#11: *49 access forbidden by rule, client: 10.48.11.9, server: _, request: "GET /auth/ HTTP/1.1", host: "http://my.domain.info", referrer: "https://my.domain.info"
It seems that the rule is working but at some wrong place, I am not sure how to organise or set the right sequence here.  


Just from the log it seems correct - you have a rule to allow 10.48.0.0/24; but the ip 10.48.11.9 doesn't go within that subnet (/24 subnet mask is just a single C subnet 10.48.0.1-254).

Then again, your whole configuration would be simpler with just a single location block (since it doesn't seem you have an application which uses /auth without a trailing slash):

     location /auth/ {
            allow 172.20.0.0/24;
            allow 10.48.0.0/24;
            #allow vpn1.ip.here;
            allow vpn2.ip.here;
            deny all;
            proxy_pass http://127.0.0.1:8080;
            auth_basic "Restricted area";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }

If you wanted to get the basic http auth for those who are not within allowed ip ranges you need to add 'satisfy any;' directive [1]

Also:
error_page 403 /usr/share/nginx/html/403.html; <- error_page needs a relative uri not a full path in filesystem this is why nginx also returns 404 (as it can't find the error page) instead of 403 forbidden.

If /usr/share/nginx/html is your default nginx webroot you can just specify:

error_page 403 /403.html;

If you store your error pages in different webroot add something like this:

location /403.html {
	root /usr/share/nginx/html;
}

Also your attached configuration has duplicate 'location /' directives. Nginx should complain about invalid configuration. Are you sure you are testing correctly?  

[1] http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy 

rr