auth_request off; ignored when combined with auth_basic;

Maxim Dounin mdounin at mdounin.ru
Fri Oct 13 09:14:09 UTC 2017


Hello!

On Fri, Oct 13, 2017 at 12:47:11AM -0500, Stian Øvrevåge wrote:

> Hi list,
> 
> I have a server {} block that is protected with auth_request; on the top level.
> 
> auth_request is used for an interactive login process.
> 
> I have some endpoints that will receive data from other software, and
> must instead be protected by auth_basic. However, "auth_request off;"
> is ignored in these location{} blocks IF there is also an auth_basic
> statement in the block.
> 
> This works without logging in:
>        location /test/ {
>           auth_request off;
>           proxy_pass http://localhost:88/;
>        }
> 
> This is automatically redirected back to /security/ for login (as
> defined by auth_request in server{} block).
>        location /api/ {
>           auth_request "off";
>           auth_basic "Restricted access";
>           auth_basic_user_file /etc/htpasswd;
>           proxy_pass http://localhost:88/;
>        }
> 
> I see online references to a "satisfy any" directive that apparently
> worked a few years ago, but it does not anymore, and others are
> reporting similar problems:
> https://stackoverflow.com/questions/42301559/nginx-with-auth-request-and-auth-basic

Works fine here:

$ curl http://127.0.0.1:8080/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl http://127.0.0.1:8080/test/
ok
$ curl http://127.0.0.1:8080/api/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl --basic --user foo:foo http://127.0.0.1:8080/api/
ok

Just tested with the following configuration:

    server {
        listen 8080;

        auth_request /auth;

        location / {
            proxy_pass http://localhost:8082;
        }

        location /test/ {
           auth_request off;
           proxy_pass http://localhost:8082;
        }

        location /api/ {
           auth_request "off";
           auth_basic "Restricted access";
           auth_basic_user_file /path/to/htpasswd;
           proxy_pass http://localhost:8082;
        }

        location = /auth {
            return 403;
        }
    }

    server {
        listen 8082;
        return 200 ok\n;
    }

Note that in the request to /api/, where auth_basic is configured, 
you have to specify username and password, or the request 
will be rejected by auth_basic.

-- 
Maxim Dounin
http://nginx.org/
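
An added example, not part of the original thread or of nginx itself: a small Python audit that resolves, per location, which of auth_request and auth_basic is actually in effect after inheritance and "off" overrides, and lists locations left with neither. The input is the configuration tested above, condensed as a constructed sample; the function names are hypothetical, and the parser assumes no comments, includes, or satisfy/allow/deny directives.

```python
import re
# Constructed sample: the first server block from the reply above, condensed.
SAMPLE = '''
server {
    listen 8080;
    auth_request /auth;
    location / { proxy_pass http://localhost:8082; }
    location /test/ { auth_request off; proxy_pass http://localhost:8082; }
    location /api/ { auth_request "off"; auth_basic "Restricted access";
                     auth_basic_user_file /path/to/htpasswd; }
    location = /auth { return 403; }
}
'''
TOKEN = re.compile(r'"([^"]*)"|([{};])|([^\s{};"]+)')
TRACKED = ("auth_request", "auth_basic")

def parse(conf):
    """Return every block as a dict: name, own tracked directives, parent."""
    cur, words, blocks = {"name": "main", "own": {}, "parent": None}, [], []
    for quoted, punct, bare in (m.groups() for m in TOKEN.finditer(conf)):
        if punct == ";":
            if len(words) > 1 and words[0] in TRACKED:
                cur["own"][words[0]] = words[1]
            words = []
        elif punct == "{":
            cur, words = {"name": " ".join(words), "own": {}, "parent": cur}, []
            blocks.append(cur)
        elif punct == "}":
            cur, words = cur["parent"], []
        else:  # quotes are dropped here, so "off" and off compare equal
            words.append(bare if quoted is None else quoted)
    return blocks

def effective(block, directive):
    """Nearest enclosing setting wins; 'off' cancels an inherited value."""
    while block is not None:
        if directive in block["own"]:
            return None if block["own"][directive] == "off" else block["own"][directive]
        block = block["parent"]
    return None

def audit(conf):
    """Map each location to its effective auth_request / auth_basic value."""
    return {b["name"][len("location "):]: {d: effective(b, d) for d in TRACKED}
            for b in parse(conf) if b["name"].startswith("location ")}

def unauthenticated(conf):
    return sorted(loc for loc, a in audit(conf).items()
                  if all(v is None for v in a.values()))
```

On the sample, unauthenticated(SAMPLE) returns only /test/, which matches the curl results shown in the reply.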

