Satistfy any not working as expected

Maxim Dounin mdounin at
Tue May 19 19:16:45 UTC 2015


On Tue, May 19, 2015 at 02:20:39PM -0400, Arno0x0x wrote:

> Hi Maxim,
> Thanks for your answer. I'm actually using a proper URI in the auth_request
> parameter and the PHP script works fine
> (, my example was dumb.
> For the records, here's what I did to make it work exactly as I expect:
> simply remove the "deny all;" statement.
> As a result :
> - Any local network IP gets a straight access
> - Any other IP has to go through the auth_request
> This makes sense to me as a "satisfy any" coupled with a "deny all;" would
> always match "all" and refuse access.
> Not sure why all configuration examples we can find on the web mention the
> "deny all;" statement, but this fails for me.

The "deny all;" statement shouldn't change anything.  With "satisfy 
any;" access is allowed as long as one of the modules allows 
access, and restrictions imposed by other modules are ignored.

The idea is that you configure several independent access checks 
and then combine them: either with AND ("satisfy all", all checks 
have to succeed) or with OR ("satisfy any", any successful check 
is sufficient).

Simple config for testing:

    server {
        listen 8080;

        satisfy any;
        deny all;
        auth_request /auth;

        location / {
            # index.html expected under root

        location = /auth {
            return 204;

If removing "deny all;" works for you, it means that you are 
testing something wrong.  In particular, make sure that the config 
you are testing is actually loaded, it does contain "satisfy 
any", and it's not overwritten somewhere in locations.

Maxim Dounin

More information about the nginx mailing list