Satistfy any not working as expected

Maxim Dounin mdounin at mdounin.ru
Mon May 18 12:44:44 UTC 2015


Hello!

On Mon, May 18, 2015 at 04:48:40AM -0400, Arno0x0x wrote:

> Hi,
> 
> I'm facing an issue using the "satisfy any" directive. What I'm trying to
> achieve is quite simple:
> - have an auth_request directive protecting the entire website (hence set at
> the server level in the config file)
> - have no such authentication for the local network
> 
> I've put the following lines in my nginx config file, under the 'server'
> directive:
> 
> ----------------------------
> server {
> 
> satisfy any;
> allow 192.168.0.0/24;
> deny all;
> 
> auth_request /path/to/authRequestScript.php;
> [...]
> }
> ----------------------------
> 
> Although that works well for the local network (ie: no authentication
> required anymore), I get a "403 Forbidden" message when I'm connecting from
> the outside network where I would expect the usual authentication mecanism
> to be triggered.
> 
> All the exemples I found rely on the "location /" directive, but I'd like it
> to be at the server level.
> 
> What am I doing wrong ?

There is no real difference between configuring this at location 
or at server level - as long as requests to 
"/path/to/authRequestScript.php" are properly handled.  In your 
case, "403 Forbidden" suggests they aren't handled properly - this 
may happen, e.g., because you incorrecly specified URI (note that 
the parameter of auth_request is URI, not file path), or because 
the php script isn't properly run, or because the script itself 
does a wrong thing.  The error log may have some details for you, 
try looking into it.

Note well that if you want "the usual authentication mecanism", 
then auth_request is probably not for you, and you should use 
auth_basic instead, see here:

http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

The auth request module is only needed when you want to code some 
custom authentication yourself.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list