<div dir="ltr"><div>Thanks Reinis for the response and suggestions. <br></div><div><br></div><div>I made the changes and unfortunately couldn't make it work. Later I realised that we are running an Nginx Controller in a GKE env., so I'm assuming that the restriction changes should be done at the controller level and not in Nginx (not very sure). <br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 25, 2023 at 6:59 PM Reinis Rozitis <<a href="mailto:r@roze.lv">r@roze.lv</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> [error] 11#11: *49 access forbidden by rule, client: 10.48.11.9, server: _, request: "GET /auth/ HTTP/1.1", host: "<a href="http://my.domain.info" rel="noreferrer" target="_blank">http://my.domain.info</a>", referrer: "<a href="https://my.domain.info" rel="noreferrer" target="_blank">https://my.domain.info</a>"<br>
> It seems that the rule is working but in the wrong place; I am not sure how to organise or set the right sequence here. <br>
<br>
<br>
Just from the log it seems correct - you have a rule to allow 10.48.0.0/24, but the IP 10.48.11.9 doesn't fall within that subnet (a /24 subnet mask is just a single C subnet, 10.48.0.1-254).<br>
<br>
Then again, your whole configuration would be simpler with just a single location block (since it doesn't seem you have an application which uses /auth without a trailing slash):<br>
<br>
location /auth/ {<br>
allow 172.20.0.0/24;<br>
allow 10.48.0.0/24;<br>
#allow vpn1.ip.here;<br>
allow vpn2.ip.here;<br>
deny all;<br>
proxy_pass http://127.0.0.1:8080;<br>
auth_basic "Restricted area";<br>
auth_basic_user_file /etc/nginx/.htpasswd;<br>
}<br>
<br>
If you wanted to get the basic HTTP auth for those who are not within the allowed IP ranges, you need to add the 'satisfy any;' directive [1].<br>
<br>
Also:<br>
error_page 403 /usr/share/nginx/html/403.html; <- error_page needs a relative URI, not a full path in the filesystem; this is why nginx also returns 404 (as it can't find the error page) instead of 403 Forbidden.<br>
<br>
If /usr/share/nginx/html is your default nginx webroot you can just specify:<br>
<br>
error_page 403 /403.html;<br>
<br>
If you store your error pages in different webroot add something like this:<br>
<br>
location /403.html {<br>
root /usr/share/nginx/html;<br>
}<br>
<br>
Also, your attached configuration has duplicate 'location /' directives. Nginx should complain about an invalid configuration. Are you sure you are testing correctly? <br>
<br>
[1] <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy</a> <br>
<br>
rr<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Regards,<div>Sandeep</div></div></div>
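Added example, not code from either message in this thread: a small Python model of how nginx evaluates the allow/deny rules in the quoted location block (first matching rule wins, `deny all` catches the rest) and how `satisfy` combines that result with `auth_basic`. It assumes a constructed address 203.0.113.7 in place of the `vpn2.ip.here` placeholder, and shows why client 10.48.11.9 is rejected by `allow 10.48.0.0/24` while a /16 would admit it.

```python
import ipaddress

# Rules as written in the quoted location block, in order. nginx checks them
# top to bottom and the first rule that matches decides; 'deny all' at the
# end rejects everyone not matched earlier. vpn2.ip.here is a placeholder in
# the original, so the constructed TEST-NET-3 address 203.0.113.7 stands in.
RULES = [
    ("allow", "172.20.0.0/24"),
    ("allow", "10.48.0.0/24"),
    ("allow", "203.0.113.7"),   # stands in for 'allow vpn2.ip.here;'
    ("deny", "all"),
]


def ip_allowed(client_ip, rules=RULES):
    """Return True if the first matching allow/deny rule permits client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return True  # no rule matched at all: nginx grants access by default


def access_decision(client_ip, credentials_ok, satisfy_any, rules=RULES):
    """Combine the IP rules with auth_basic the way the 'satisfy' directive does.

    satisfy all (the default): every access module must pass, so a client
    outside the allowed ranges gets 403 even with valid credentials.
    satisfy any: passing either the IP check or basic auth is enough.
    """
    ip_ok = ip_allowed(client_ip, rules)
    if satisfy_any:
        return ip_ok or credentials_ok
    return ip_ok and credentials_ok


if __name__ == "__main__":
    # The client from the quoted error line is outside 10.48.0.0/24 ...
    print("10.48.11.9 allowed by /24 rules:", ip_allowed("10.48.11.9"))
    # ... but would be inside a /16 covering the whole 10.48.x.x range.
    wider = [("allow", "10.48.0.0/16"), ("deny", "all")]
    print("10.48.11.9 allowed by /16 rules:", ip_allowed("10.48.11.9", wider))
    # With the default 'satisfy all', valid credentials do not help that client.
    print("satisfy all + good password:", access_decision("10.48.11.9", True, False))
    # With 'satisfy any', basic auth lets outside clients in.
    print("satisfy any + good password:", access_decision("10.48.11.9", True, True))
```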