auth_request off; ignored when combined with auth_basic;

Stian Øvrevåge sovrevage at
Fri Oct 13 05:47:11 UTC 2017

Hi list,

I have a server {} block that is protected with auth_request; on the top level.

auth_request is used for a interactive login process.

I have some endpoints that will receive data from other software, and
must instead be protected by auth_basic. However, "auth_request off;"
is ignored in these location{} blocks IF there is also a auth_basic
statement in the block.

This works without logging in:
       location /test/ {
          auth_request off;
          proxy_pass http://localhost:88/;

This is automatically redirected back to /security/ for login (as
defined by auth_request in server{} block.
       location /api/ {
          auth_request "off";
          auth_basic "Restricted access";
          auth_basic_user_file /etc/htpasswd;
          proxy_pass http://localhost:88/;

I see online references to a "satisfy any" directive that apparently
worked a few years ago, but it does not anymore, and others are
reporting similar problems:

Stian Øvrevåge

More information about the nginx mailing list