limit_except - require trusted ip AND auth vs. ip OR auth

Matthias Müller matthias_mueller at tu-dresden.de
Tue Jun 18 14:41:51 UTC 2019


I would like to constrain HTTP access (PUT, POST) to an NGINX server
for specific locations.

There are two cases:

1) Permit POST, PUT if the request matches a trusted IP address OR
Basic auth credentials (either-or)
2) Permit POST, PUT if the request matches a trusted IP address AND
Basic auth credentials (must match both)


The configuration for (2) is appended. But how can I achieve (1)? It
seems that "satisfy any" cannot be included with "limit_except".

-Matthias


Config example case (2):

location / {
  ...
}

location /a {
  # deny everything but GET/HEAD and OPTIONS
  limit_except GET HEAD OPTIONS {
    allow 127.0.0.1;
    allow 172.0.0.0/8;
    allow 141.30.27.36;
    auth_basic 'Restricted';
    auth_basic_user_file /etc/nginx/.htpasswd;
    deny all;
  }
  ...
}

location /b {
  ...
}
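One way to express case (1), as an added example that is not part of the original message: skip `limit_except` and let `geo` and `map` decide whether `auth_basic` is active. This relies on `auth_basic` accepting a variable whose value `off` disables the check (nginx 1.3.10 or later). The variable names `$trusted_ip` and `$write_realm` and the `listen` port are assumptions.

```nginx
# Added example, not the poster's configuration.
# $trusted_ip and $write_realm are names chosen for this sketch.
events {}

http {
    # 1 for the trusted addresses listed in the posted config, 0 otherwise.
    geo $trusted_ip {
        default        0;
        127.0.0.1      1;
        172.0.0.0/8    1;
        141.30.27.36   1;
    }

    # Realm handed to auth_basic; the value "off" disables the check.
    map "$request_method:$trusted_ip" $write_realm {
        # Any other method from an untrusted address must authenticate.
        default                    "Restricted";
        # Read-only methods stay open, as with limit_except GET HEAD OPTIONS.
        "~^(GET|HEAD|OPTIONS):"    off;
        # Trusted address: no credentials needed for any method.
        "~:1$"                     off;
    }

    server {
        listen 80;  # assumed

        location /a {
            # Trusted IP OR valid credentials: auth is only enforced
            # when the map did not switch it off.
            auth_basic           $write_realm;
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    }
}
```

`geo` matches on `$remote_addr` by default, so behind a reverse proxy or load balancer the trusted-address branch sees the proxy's address unless the real client address is restored first.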




