<!DOCTYPE html><html><body><div dir="auto">```<br>location / {<br>        proxy_pass $forward_auth_target;<br><br>        allow xxxxx/24;<br>        deny all;<br><br>        satisfy any; # This gets satisfied by the IP check, and auth is completely bypassed<br><br>        auth_basic "xxxx";<br>        auth_basic_user_file "/etc/nginx/basic_auth/$forward_auth_bypass";<br><br>        auth_request     /outpost.goauthentik.io/auth/nginx;<br>        error_page       401 = @goauthentik_proxy_signin;<br><br>        auth_request_set $auth_cookie $upstream_http_set_cookie;<br>        add_header       Set-Cookie $auth_cookie;<br>        proxy_set_header X-authentik-username $authentik_username;<br><br>        auth_request_set $authentik_username $upstream_http_x_authentik_username;<br>        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;<br>        proxy_set_header X-authentik-groups $authentik_groups;<br><br>        auth_request_set $authentik_email $upstream_http_x_authentik_email;<br>        proxy_set_header X-authentik-email $authentik_email;<br><br>        auth_request_set $authentik_name $upstream_http_x_authentik_name;<br>        proxy_set_header X-authentik-name $authentik_name;<br><br>        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;<br>        proxy_set_header X-authentik-uid $authentik_uid;<br><br>        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;<br>        proxy_set_header X-authentik-uid $authentik_uid;<br><br>        auth_request_set $authentik_auth $upstream_http_authorization;<br>        proxy_set_header Authorization $authentik_auth;<br>}<br><br>location /outpost.goauthentik.io {<br>        proxy_pass              <a href="http://xxxx/outpost.goauthentik.io;">http://xxxx/outpost.goauthentik.io;</a><br>        proxy_set_header        Host $host;<br>        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;<br>        add_header              Set-Cookie $auth_cookie;<br>        auth_request_set        $auth_cookie $upstream_http_set_cookie;<br>        proxy_pass_request_body off;<br>        proxy_set_header        Content-Length "";<br>        proxy_ssl_verify off;<br>}<br><br>location @goauthentik_proxy_signin {<br>        internal;<br>        add_header Set-Cookie $auth_cookie;<br>        return 302 /outpost.goauthentik.io/start?rd=$request_uri;<br>}<br>```<br>The goal is to bypass SSO if a correct HTTP Basic Auth header is present while making sure connections are only from said IPs.<br><br>When I disable the IP check it works flawlessly. How could I separate these requirements?<br><br>So (SSO or Basic Auth) and Correct IP</div></body></html>