Enforcing authentication requests for all resources under specific path

Jan Wrobel wrr at mixedbit.org
Thu Mar 29 14:32:32 UTC 2012


I'm working on an application independent authentication and
authorization layer that utilizes nginx with auth request module. The
two are working great for me, but I run into an issue that I don't
know how to solve, maybe you can help?

Is there a way to enforce auth requests for all resources under a
specific path? Say I want to protect all resources in /protected:

location /protected/ {
            auth_request /auth/is_authenticated/;
            error_page 403 /auth/login/;
            error_page 401 /auth/noauthorized/;

This works but only until more specific location is added:

location /protected/blog {

Which, due to location matching rules, takes precedence over the
'/protected' location, and auth requests for blog are not issued.

Is there any way around it other than repeating auth_request
configuration for each location?

I can think of two solutions, but each has quite substantial limitations:
1. configure auth_request in server {} section, but this authorizes
all requests, not only ones in '/protected'
2. Run separate nginx instance configured to do authorization only and
passing all allowed requests downstream. This would introduce
additional performance and maintenance overhead.

Is there any better way?


More information about the nginx mailing list