NGINX multiple authentication methods (one or the other) AND an IP check seems impossible

Gergő Vári varigergo07 at gmail.com
Sun May 26 08:17:06 UTC 2024 

```
location / {
        proxy_pass $forward_auth_target;

        allow xxxxx/24;
        deny all;

        satisfy any; # This gets satisfied by the IP check, and auth is completely bypassed

        auth_basic "xxxx";
        auth_basic_user_file "/etc/nginx/basic_auth/$forward_auth_bypass";

        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;

        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;
        proxy_set_header X-authentik-username $authentik_username;

        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        proxy_set_header X-authentik-groups $authentik_groups;

        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        proxy_set_header X-authentik-email $authentik_email;

        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        proxy_set_header X-authentik-name $authentik_name;

        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
        proxy_set_header X-authentik-uid $authentik_uid;

        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
        proxy_set_header X-authentik-uid $authentik_uid;

        auth_request_set $authentik_auth $upstream_http_authorization;
        proxy_set_header Authorization $authentik_auth;
}

location /outpost.goauthentik.io {
        proxy_pass              http://xxxx/outpost.goauthentik.io;
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_ssl_verify off;
}

location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```
The goal is to bypass SSO if a correct HTTP Basic Auth header is present while making sure connections are only from said IPs.

When I disable the IP check it works flawlessly. How could I separate these requirements?

So (SSO or Basic Auth) and Correct IP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20240526/af314263/attachment.htm>

More information about the nginx mailing list