no basic auth from outside network
Steve
steeeeeveee at gmx.net
Mon May 21 01:30:12 UTC 2012
-------- Original Message --------
> Date: Sun, 20 May 2012 18:58:53 -0400 (EDT)
> From: "rattus" <nginx-forum at nginx.us>
> To: nginx at nginx.org
> Subject: Re: no basic auth from outside network
> After further testing, it's not the basic auth that's causing the
> problem... it's simply trying to access subdirectories from outside.
> Makes me think I've messed something up in my nginx.conf:
>
>
> worker_processes 1;
> events {
> worker_connections 64;
> }
> http {
> ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA;
> ssl_prefer_server_ciphers on;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_session_timeout 5m;
>
> ## Timeouts
> keepalive_timeout 300 300;
>
> ## General Options
> charset utf-8;
> default_type application/octet-stream;
> ignore_invalid_headers on;
> types {
> text/html html;
> image/gif gif;
> image/jpeg jpg;
> }
> keepalive_requests 20;
> max_ranges 0;
> recursive_error_pages on;
> sendfile on;
> server_tokens off;
> source_charset utf-8;
>
> ## Request limits
> limit_req_zone $binary_remote_addr zone=fred:1m rate=60r/m;
>
> ## Compression
> gzip on;
> gzip_static on;
> gzip_vary on;
>
> ## Log Format
> log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
>
> ## http .:. redirect to https
> server {
> access_log /var/log/nginx/access.log main buffer=32k;
> error_log /var/log/nginx/error.log error;
> expires 0;
> limit_req zone=fred burst=200 nodelay;
> listen 80;
> root /var/empty;
> rewrite ^ https://192.168.1.100$request_uri permanent;
>
Are you sure you want this rewrite to go from outside (aka: Internet) to an internal (aka: private network) address?
> }
>
> ## https .:. (www.)example.com
> server {
> add_header Cache-Control "public";
> add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
> access_log /var/log/nginx/access.log main buffer=32k;
> error_log /var/log/nginx/error.log error;
> expires max;
> index index.html;
> limit_req zone=fred burst=200 nodelay;
> listen 443;
> root /var/www/htdocs;
> server_name 192.168.1.100;
>
> ## Basic auth on test
> location / {
> }
>
> location ^~ /test/ {
> index index.html;
> auth_basic "Admin Login";
> auth_basic_user_file .htpasswd;
> }
>
> #!!! IMPORTANT !!! We need to hide the password file from prying eyes
> # This will deny access to any hidden file (beginning with a .period)
> location ~ /\. { deny all; }
>
> ## SSL Certs
> ssl on;
> ssl_session_cache shared:SSL:10m;
> ssl_certificate /home/root/ssl/test.crt;
> ssl_certificate_key /home/root/ssl/test.key;
> ssl_ecdh_curve secp521r1;
>
> ## Stop Image and Document Hijacking
> location ~* (\.jpg|\.gif|\.png|example\.css)$ {
> if ($http_referer !~ ^(https://192.168.1.100) ) {
> return 404;
> }
> }
>
> ## All other errors get the generic error page
> error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
> location /example_error_page.html {
> internal;
> }
> }
> }
>
> ...again, it just hangs accessing subdirectories like "test", while
> everything works well from within the local network. The www root
> directory index.html serves up fine, even redirected to 443.
>
What? Are you telling me that using your external IP (let's say it is 1.2.3.4) is working properly?
This here works from external? Really?
http://1.2.3.4/ will get redirected to https://192.168.1.100/
http://1.2.3.4/index.html will get redirected to https://192.168.1.100/index.html
You know that 192.168.0.0/16 is a class c private address range that is not routed on the Internet?
IMHO you should rewrite your http config to:
server {
....
rewrite ^ https://$host$request_uri permanent;
....
}
And IMHO you should change the server_name in the https part to be:
server_name 192.168.1.100 "";
> TIA,
>
> Mike
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,226665,226666#msg-226666
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
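The redirect problem raised in the reply above (an HTTP-to-HTTPS rewrite that sends outside clients to a private address) can be caught by linting the configuration before it is deployed. The Python sketch below is an added example, not part of the original thread and not an nginx tool; it goes slightly beyond the thread by checking `return` as well as `rewrite`. The function name `find_private_redirects` and the sample configuration are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the first server block mirrors the port-80 redirect
# quoted in the thread; the other two are made up for comparison.
SAMPLE_CONF = """
server {
    listen 80;
    rewrite ^ https://192.168.1.100$request_uri permanent;
}
server {
    listen 80;
    rewrite ^ https://$host$request_uri permanent;
}
server {
    listen 80;
    return 301 https://10.0.0.5/login;
}
"""

# An absolute URL used as the target of a rewrite or return directive.
REDIRECT_RE = re.compile(r"^\s*(rewrite|return)\s+[^;]*?(https?://[^\s;]+)")


def find_private_redirects(conf_text):
    """Return (line_no, directive, host) for redirects to private literal IPs."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # simplification: treat '#' as a comment start
        match = REDIRECT_RE.match(code)
        if not match:
            continue
        directive, url = match.groups()
        try:
            # Cut at the first nginx variable so "$request_uri" is not read as host text.
            host = urlsplit(url.split("$", 1)[0]).hostname
            addr = ipaddress.ip_address(host or "")
        except ValueError:
            continue  # a hostname or a variable such as $host, not a literal IP
        # is_private covers RFC 1918 ranges, loopback and link-local addresses.
        if addr.is_private:
            findings.append((line_no, directive, host))
    return findings


if __name__ == "__main__":
    for line_no, directive, host in find_private_redirects(SAMPLE_CONF):
        print(f"line {line_no}: {directive} redirects clients to private address {host}")
```

The `$host` form suggested in the reply is not flagged, because the redirect target is taken from the client's own request rather than from a fixed address.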