BasicAuth config question
Maxim Dounin
mdounin at mdounin.ru
Thu Oct 25 17:23:01 UTC 2018
Hello!
On Thu, Oct 25, 2018 at 09:56:27AM -0700, pg151 at dev-mail.net wrote:
> If I define
>
> nginx.conf
> ...
> server {
> ...
> include includes/conf1.inc;
> include includes/conf2.inc;
> ...
> }
> ...
>
> cat includes/conf1.inc;
> location ~ ^/sec($|/$) {
> deny all;
> }
>
> cat includes/conf2.inc;
> location = /sec/status {
> auth_basic 'Secure Access';
> auth_basic_user_file /etc/nginx/sec/users;
> stub_status on;
> }
>
> @ https://example.com/sec/status
>
> displays, as intended, a HTTP Basic Auth challenge.
>
> But, if I move the auth_basic* into the immediately prior config file,
>
> cat includes/conf1.inc;
> location ~ ^/sec($|/$) {
> deny all;
> }
> + location ~ ^/sec {
> + auth_basic 'Secure Access';
> + auth_basic_user_file /etc/nginx/sec/users;
> + }
>
> cat includes/conf2.inc;
> location = /sec/status {
> - auth_basic 'Secure Access';
> - auth_basic_user_file /etc/nginx/sec/users;
> stub_status on;
> }
>
> @ https://example.com/sec/status
>
> displays server status immediately, WITHOUT any HTTP Basic Auth challenge.
>
> What's wrong with my 2nd config that's causing it to NOT invoke Basic Auth challenge?
In your second config, auth_basic is only configured for location
"~ ^/sec", but not for location "= /sec/status". Since the request
to /sec/status is handled in the latter, auth_basic won't apply.
Note that location matching selects only one location to handle
a request. If there are many matching locations, most specific
will be used (see http://nginx.org/r/location for details).
If you want to configure auth_basic for anything under /sec/,
consider using nested prefix locations instead. For example:
location /sec/ {
auth_basic 'Secure Access';
auth_basic_user_file /etc/nginx/sec/users;
location = /sec/ {
deny all;
}
location = /sec/status {
stub_status on;
}
}
This way, auth_basic is inherited into all nested locations, and
will be configured in "location = /sec/status" as well.
Note well that "location ~ ^/sec" in your configuration will also
match requests to "/security", "/second-version", and so on. Most
likely this is not what you want, so the above example
configuration uses "/sec/" prefix instead.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list