Combining Basic Authentication with Access Restriction by IP Address and auth_basic off

Ruslan Ermilov ru at nginx.com
Wed Jun 27 13:57:36 UTC 2018


On Wed, Jun 27, 2018 at 03:08:50PM +0200, basti wrote:
> Hello,
> I have a config like:
> 
> server {
> 
> ...
>   # combine basic auth and ip whitelisting
>   # https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
>   satisfy any;
>   allow <my_static_IP>;
>   deny all;
> 
>   auth_basic "Restricted";
>   auth_basic_user_file /etc/nginx/nx4/.htpasswd;
> 
>   location /.well-known/acme-challenge/ {
>     auth_basic off;
>     default_type "text/plain";
>     alias /var/lib/dehydrated/acme-challenges/;
>   }
> }
> 
> But it does not seem to be working.
> Access from the allowed IP is fine; from all others I get
> 
> 2018/06/27 14:54:12 [error] 1333#1333: *11176 access forbidden by rule,
> client: ...
> 
> nginx -v
> nginx version: nginx/1.10.3
> 
> Can anyone confirm this?

Since you have switched auth_basic off, the only enabled authentication
left is by client address, and your inherited configuration says it's
denied for everything except <my_static_IP>.  Put "allow all" into the
"location /.well-known/acme-challenge/" to have it working for all.
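
The configuration with that change applied, as an added example that is not part of the original reply. The listen port, server_name and the address 192.0.2.10 (standing in for <my_static_IP>) are placeholders; the block belongs inside the http context.

```nginx
server {
    listen 80;                  # placeholder
    server_name example.org;    # placeholder

    # "satisfy any" grants access when at least one enabled check passes:
    # the address rules (allow/deny) or HTTP basic authentication.
    satisfy any;
    allow 192.0.2.10;           # placeholder for <my_static_IP>
    deny all;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/nx4/.htpasswd;

    location /.well-known/acme-challenge/ {
        # With basic auth switched off here, the address rules are the only
        # check left for "satisfy any". Without rules of its own this
        # location inherits "allow 192.0.2.10; deny all;" from the server
        # level, so every other client is rejected with
        # "access forbidden by rule" (403).
        auth_basic off;

        # allow/deny rules defined at this level replace the inherited
        # list for this location only, so the challenge files become
        # readable by any client, including the ACME validation servers.
        allow all;

        default_type "text/plain";
        alias /var/lib/dehydrated/acme-challenges/;
    }

    # Every other path keeps the server-level policy: a client outside the
    # allowed address must present valid credentials, otherwise it gets 401.
}
```

After reloading, a request from a non-allowlisted address for a file under /.well-known/acme-challenge/ should no longer return 403, while a request for any other path without credentials should still return 401.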

