BasicAuth config question

Maxim Dounin mdounin at mdounin.ru
Thu Oct 25 17:23:01 UTC 2018 

Hello!

On Thu, Oct 25, 2018 at 09:56:27AM -0700, pg151 at dev-mail.net wrote:

> If I define
> 
> 	nginx.conf
> 		...
> 		server {
> 			...
> 			include includes/conf1.inc;
> 			include includes/conf2.inc;
> 			...
> 		}
> 		...
> 
> 	cat includes/conf1.inc;
> 		location ~ ^/sec($|/$) {
> 			deny all;
> 		}
> 
> 	cat includes/conf2.inc;
> 		location = /sec/status {
> 			auth_basic 'Secure Access';
> 			auth_basic_user_file  /etc/nginx/sec/users;
> 			stub_status on;
> 		}
> 
> @ https://example.com/sec/status
> 
> displays, as intended, a HTTP Basic Auth challenge.
> 
> But, if I move the auth_basic* into the immediately prior config file,
> 
> 	cat includes/conf1.inc;
> 		location ~ ^/sec($|/$) {
> 			deny all;
> 		}
> +		location ~ ^/sec {
> +			auth_basic 'Secure Access';
> +			auth_basic_user_file  /etc/nginx/sec/users;
> +		}
> 
> 	cat includes/conf2.inc;
> 		location = /sec/status {
> -			auth_basic 'Secure Access';
> -			auth_basic_user_file  /etc/nginx/sec/users;
> 			stub_status on;
> 		}
> 
> @ https://example.com/sec/status
> 
> displays server status immediately, WITHOUT any HTTP Basic Auth challenge.
> 
> What's wrong with my 2nd config that's causing it to NOT invoke Basic Auth challenge?

In your second config, auth_basic is only configured for location 
"~ ^/sec", but not for location "= /sec/status".  Since the request 
to /sec/status is handled in the latter, auth_basic won't apply.

Note that location matching selects only one location to handle 
a request.  If there are many matching locations, most specific 
will be used (see http://nginx.org/r/location for details).

If you want to configure auth_basic for anything under /sec/, 
consider using nested prefix locations instead.  For example:

    location /sec/ {
        auth_basic 'Secure Access';
        auth_basic_user_file /etc/nginx/sec/users;

        location = /sec/ {
            deny all;
        }

        location = /sec/status {
            stub_status on;
        }
    }

This way, auth_basic is inherited into all nested locations, and 
will be configured in "location = /sec/status" as well.

Note well that "location ~ ^/sec" in your configuration will also 
match requests to "/security", "/second-version", and so on.  Most 
likely this is not what you want, so the above example 
configuration uses "/sec/" prefix instead. 

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list