auth_request off; ignored when combined with auth_basic;
Stian Øvrevåge
sovrevage at gmail.com
Fri Oct 13 16:14:45 UTC 2017
Thanks a bunch. When still being redirected now I found the culprit:
location @error401 {
return 302 /security/;
}
Which of course will redirect before auth basic will work.
Thanks again and pardon my ignorance :o
Br,
Stian
On 13 October 2017 at 04:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Fri, Oct 13, 2017 at 12:47:11AM -0500, Stian Øvrevåge wrote:
>
>> Hi list,
>>
>> I have a server {} block that is protected with auth_request; on the top level.
>>
>> auth_request is used for a interactive login process.
>>
>> I have some endpoints that will receive data from other software, and
>> must instead be protected by auth_basic. However, "auth_request off;"
>> is ignored in these location{} blocks IF there is also a auth_basic
>> statement in the block.
>>
>> This works without logging in:
>> location /test/ {
>> auth_request off;
>> proxy_pass http://localhost:88/;
>> }
>>
>> This is automatically redirected back to /security/ for login (as
>> defined by auth_request in server{} block.
>> location /api/ {
>> auth_request "off";
>> auth_basic "Restricted access";
>> auth_basic_user_file /etc/htpasswd;
>> proxy_pass http://localhost:88/;
>> }
>>
>> I see online references to a "satisfy any" directive that apparently
>> worked a few years ago, but it does not anymore, and others are
>> reporting similar problems:
>> https://stackoverflow.com/questions/42301559/nginx-with-auth-request-and-auth-basic
>
> Works fine here:
>
> $ curl http://127.0.0.1:8080/
> <html>
> <head><title>403 Forbidden</title></head>
> <body bgcolor="white">
> <center><h1>403 Forbidden</h1></center>
> <hr><center>nginx/1.13.7</center>
> </body>
> </html>
> $ curl http://127.0.0.1:8080/test/
> ok
> $ curl http://127.0.0.1:8080/api/
> <html>
> <head><title>401 Authorization Required</title></head>
> <body bgcolor="white">
> <center><h1>401 Authorization Required</h1></center>
> <hr><center>nginx/1.13.7</center>
> </body>
> </html>
> $ curl --basic --user foo:foo http://127.0.0.1:8080/api/
> ok
>
> Just tested with the following configuration:
>
> server {
> listen 8080
>
> auth_request /auth;
>
> location / {
> proxy_pass http://localhost:8082;
> }
>
> location /test/ {
> auth_request off;
> proxy_pass http://localhost:8082;
> }
>
> location /api/ {
> auth_request "off";
> auth_basic "Restricted access";
> auth_basic_user_file /path/to/htpasswd;
> proxy_pass http://localhost:8082;
> }
>
> location = /auth {
> return 403;
> }
> }
>
> server {
> listen 8082;
> return 200 ok\n;
> }
>
> Note that in the request to /api/, where auth_basic is configured,
> you have to request specify username and password, or the request
> will be rejected by auth_basic.
>
> --
> Maxim Dounin
> http://nginx.org/
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
More information about the nginx
mailing list