nginx config: multiple locations, authentication in one, triggered for both?

Maxim Dounin mdounin at mdounin.ru
Mon Nov 7 10:25:26 UTC 2011 

Hello!

On Mon, Nov 07, 2011 at 03:48:53AM -0500, roger.moffatt wrote:

> I originally posted this question on SO, but it might of course be more
> logical to ask here;
> 
> http://stackoverflow.com/questions/8031471/nginx-location-directive-authentication-happening-in-wrong-location-block
> 
> I'm flummoxed.
> 
> I have a server that is primarily running couchdb over ssl (using nginx
> to proxy the ssl connection) but also has to serve some apache stuff.
> 
> Basically I want everything that DOESN'T start /www to be sent to the
> couchdb backend. If a url DOES start /www then it should be mapped to
> the local apache server on port 8080.
> 
> My config below works with the exception that I'm getting prompted for
> authentication on the /www paths as well. I'm a bit more used to
> configuring Apache than nginx, so I suspect I'm mis-understanding
> something, but if anyone can see what is wrong from my configuration
> (below) I'd be most grateful.
> 
> To clarify my use scenario;
> 
> https://my-domain.com/www/script.cgi should be proxied to
> http://localhost:8080/script.cgi
> https://my-domain.com/anythingelse should be proxied to
> http://localhost:5984/anythingelse
> 
> ONLY the second should require authentication. It is the authentication
> issue that is causing problems - as I mentioned, I am being challenged
> on https://my-domain.com/www/anything as well :-(

Most likely, the authentication request appears due to your 
browser doing automatic requests to /favicon.ico or something 
like.  Try adding

    location = /favicon.ico {
        return 404;
    }

to see if it helps.

> 
> Here's the config, thanks for any insight.
> 
> server {
>         listen   443;
>         ssl on;
> 
>         # Any url starting /www needs to be mapped to the root
>         # of the back end application server on 8080
> 
>         location ^~ /www/ {
>         proxy_pass http://localhost:8080/;
>         proxy_redirect off;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> 
>         }
> 
>         # Everything else has to be sent to the couchdb server running
> on
>         # port 5984 and for security, this is protected with auth_basic
>         # authentication.
> 
>         location / {
> 
>         auth_basic "Restricted";
>         auth_basic_user_file /path-to-passwords;
> 
>         proxy_pass http://localhost:5984;
>         proxy_redirect off;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Ssl on;
> 
>         }
>     }
> 
> Thanks for some pointers - I'm not sure how I can resolve this
> correctly.

Config looks correct and should work.  Try testing it by hand 
(e.g. nc/telnet/fetch/wget/curl) to see if it actually works.  See 
above for a possible cause of the authentication request.

Maxim Dounin

More information about the nginx mailing list