Satistfy any not working as expected
Maxim Dounin
mdounin at mdounin.ru
Tue May 19 19:16:45 UTC 2015
Hello!
On Tue, May 19, 2015 at 02:20:39PM -0400, Arno0x0x wrote:
> Hi Maxim,
>
> Thanks for your answer. I'm actually using a proper URI in the auth_request
> parameter and the PHP script works fine
> (https://github.com/Arno0x/TwoFactorAuth), my example was dumb.
>
> For the records, here's what I did to make it work exactly as I expect:
> simply remove the "deny all;" statement.
>
> As a result :
> - Any local network IP gets a straight access
> - Any other IP has to go through the auth_request
>
> This makes sense to me as a "satisfy any" coupled with a "deny all;" would
> always match "all" and refuse access.
>
> Not sure why all configuration examples we can find on the web mention the
> "deny all;" statement, but this fails for me.
The "deny all;" statement shouldn't change anything. With "satisfy
any;" access is allowed as long as one of the modules allows
access, and restrictions imposed by other modules are ignored.
The idea is that you configure several independent access checks
and then combine them: either with AND ("satisfy all", all checks
have to succeed) or with OR ("satisfy any", any successful check
is sufficient).
Simple config for testing:
server {
listen 8080;
satisfy any;
deny all;
auth_request /auth;
location / {
# index.html expected under root
}
location = /auth {
return 204;
}
}
If removing "deny all;" works for you, it means that you are
testing something wrong. In particular, make sure that the config
you are testing is actually loaded, it does contain "satisfy
any", and it's not overwritten somewhere in locations.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list