Enforcing authentication requests for all resources under specific path
Igor Sysoev
igor at sysoev.ru
Thu Mar 29 14:44:30 UTC 2012
On Thu, Mar 29, 2012 at 04:32:32PM +0200, Jan Wrobel wrote:
> Hi,
>
> I'm working on an application independent authentication and
> authorization layer that utilizes nginx with auth request module. The
> two are working great for me, but I run into an issue that I don't
> know how to solve, maybe you can help?
>
> Is there a way to enforce auth requests for all resources under a
> specific path? Say I want to protect all resources in /protected:
>
> location /protected/ {
> auth_request /auth/is_authenticated/;
> error_page 403 /auth/login/;
> error_page 401 /auth/noauthorized/;
> }
>
> This works but only until more specific location is added:
>
> location /protected/blog {
> #....
> }
>
> Which, due to location matching rules, takes precedence over the
> '/protected' location, and auth requests for blog are not issued.
>
> Is there any way around it other than repeating auth_request
> configuration for each location?
>
> I can think of two solutions, but each has quite substantial limitations:
> 1. configure auth_request in server {} section, but this authorizes
> all requests, not only ones in '/protected'
> 2. Run separate nginx instance configured to do authorization only and
> passing all allowed requests downstream. This would introduce
> additional performance and maintenance overhead.
>
> Is there any better way?
I believe the best way to configure is to set explicitly necessery
directives in all locations where they are required. This leads to
maintainable configuration.
--
Igor Sysoev
More information about the nginx
mailing list