Enforcing authentication requests for all resources under specific path

Igor Sysoev igor at sysoev.ru
Thu Mar 29 14:44:30 UTC 2012

On Thu, Mar 29, 2012 at 04:32:32PM +0200, Jan Wrobel wrote:
> Hi,
> I'm working on an application independent authentication and
> authorization layer that utilizes nginx with auth request module. The
> two are working great for me, but I ran into an issue that I don't
> know how to solve, maybe you can help?
> Is there a way to enforce auth requests for all resources under a
> specific path? Say I want to protect all resources in /protected:
> location /protected/ {
>             auth_request /auth/is_authenticated/;
>             error_page 403 /auth/login/;
>             error_page 401 /auth/noauthorized/;
> }
> This works but only until more specific location is added:
> location /protected/blog {
>   #....
> }
> Which, due to location matching rules, takes precedence over the
> '/protected' location, and auth requests for blog are not issued.
> Is there any way around it other than repeating auth_request
> configuration for each location?
> I can think of two solutions, but each has quite substantial limitations:
> 1. configure auth_request in server {} section, but this authorizes
> all requests, not only ones in '/protected'
> 2. Run separate nginx instance configured to do authorization only and
> passing all allowed requests downstream. This would introduce
> additional performance and maintenance overhead.
> Is there any better way?

I believe the best way to configure is to set explicitly necessary
directives in all locations where they are required. This leads to
maintainable configuration.

Igor Sysoev
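
An added example, not part of either message and not nginx project code: a small audit script that lists every location able to serve URIs under a protected prefix with no auth_request in effect, which is the gap the question describes. The sample configuration is constructed from the thread's snippet; the function names and the simplified parser (no quoted strings, standard nginx inheritance of auth_request from the enclosing level) are assumptions.

```python
import re

def build_tree(conf):
    """Parse nginx-style text into nested blocks.
    Assumes no '#', '{', '}' or ';' inside quoted strings."""
    root = {"head": [], "auth": None, "children": []}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok == "{":
            node = {"head": words, "auth": None, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if len(words) > 1 and words[0] == "auth_request":
                stack[-1]["auth"] = words[1] != "off"
        else:
            words.append(tok)
            continue
        words = []
    return root

def unprotected_locations(conf, prefix):
    """Locations that can serve URIs under `prefix` with no auth_request in effect."""
    findings = []
    def walk(node, inherited):
        # A block's own auth_request wins; otherwise the enclosing level's applies.
        auth = inherited if node["auth"] is None else node["auth"]
        head = node["head"]
        if len(head) > 1 and head[0] == "location" and not auth:
            # Regex locations may match under any prefix, so report them too.
            if head[1] in ("~", "~*") or head[-1].startswith(prefix):
                findings.append(" ".join(head[1:]))
        for child in node["children"]:
            walk(child, auth)
    walk(build_tree(conf), False)
    return findings

# Constructed sample modelled on the configuration in the thread.
SAMPLE = r"""
server {
    location /protected/ { auth_request /auth/is_authenticated/; }
    location /protected/blog { proxy_pass http://127.0.0.1:8080; }  # no auth_request
    location /protected/admin/ {
        location /protected/admin/reports/ { }
        auth_request /auth/is_authenticated/;
    }
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
"""

if __name__ == "__main__":
    print(unprotected_locations(SAMPLE, "/protected/"))
```

Run against a deployed configuration in CI, a non-empty result means a location was added without the explicit directives recommended in the reply.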
