Discussion:
auth_request off; ignored when combined with auth_basic;
Stian Øvrevåge
2017-10-13 05:47:11 UTC
Permalink
Hi list,

I have a server {} block that is protected with auth_request; on the top level.

auth_request is used for a interactive login process.

I have some endpoints that will receive data from other software, and
must instead be protected by auth_basic. However, "auth_request off;"
is ignored in these location{} blocks IF there is also a auth_basic
statement in the block.

This works without logging in:
location /test/ {
auth_request off;
proxy_pass http://localhost:88/;
}

This is automatically redirected back to /security/ for login (as
defined by auth_request in server{} block.
location /api/ {
auth_request "off";
auth_basic "Restricted access";
auth_basic_user_file /etc/htpasswd;
proxy_pass http://localhost:88/;
}

I see online references to a "satisfy any" directive that apparently
worked a few years ago, but it does not anymore, and others are
reporting similar problems:
https://stackoverflow.com/questions/42301559/nginx-with-auth-request-and-auth-basic

Brgds,
Stian Øvrevåge
Maxim Dounin
2017-10-13 09:14:09 UTC
Permalink
Hello!
Post by Stian Øvrevåge
Hi list,
I have a server {} block that is protected with auth_request; on the top level.
auth_request is used for a interactive login process.
I have some endpoints that will receive data from other software, and
must instead be protected by auth_basic. However, "auth_request off;"
is ignored in these location{} blocks IF there is also a auth_basic
statement in the block.
location /test/ {
auth_request off;
proxy_pass http://localhost:88/;
}
This is automatically redirected back to /security/ for login (as
defined by auth_request in server{} block.
location /api/ {
auth_request "off";
auth_basic "Restricted access";
auth_basic_user_file /etc/htpasswd;
proxy_pass http://localhost:88/;
}
I see online references to a "satisfy any" directive that apparently
worked a few years ago, but it does not anymore, and others are
https://stackoverflow.com/questions/42301559/nginx-with-auth-request-and-auth-basic
Works fine here:

$ curl http://127.0.0.1:8080/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl http://127.0.0.1:8080/test/
ok
$ curl http://127.0.0.1:8080/api/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl --basic --user foo:foo http://127.0.0.1:8080/api/
ok

Just tested with the following configuration:

server {
listen 8080

auth_request /auth;

location / {
proxy_pass http://localhost:8082;
}

location /test/ {
auth_request off;
proxy_pass http://localhost:8082;
}

location /api/ {
auth_request "off";
auth_basic "Restricted access";
auth_basic_user_file /path/to/htpasswd;
proxy_pass http://localhost:8082;
}

location = /auth {
return 403;
}
}

server {
listen 8082;
return 200 ok\n;
}

Note that in the request to /api/, where auth_basic is configured,
you have to request specify username and password, or the request
will be rejected by auth_basic.
--
Maxim Dounin
http://nginx.org/
Stian Øvrevåge
2017-10-13 16:14:45 UTC
Permalink
Thanks a bunch. When still being redirected now I found the culprit:

location @error401 {
return 302 /security/;
}

Which of course will redirect before auth basic will work.

Thanks again and pardon my ignorance :o

Br,
Stian
Post by Maxim Dounin
Hello!
Post by Stian Øvrevåge
Hi list,
I have a server {} block that is protected with auth_request; on the top level.
auth_request is used for a interactive login process.
I have some endpoints that will receive data from other software, and
must instead be protected by auth_basic. However, "auth_request off;"
is ignored in these location{} blocks IF there is also a auth_basic
statement in the block.
location /test/ {
auth_request off;
proxy_pass http://localhost:88/;
}
This is automatically redirected back to /security/ for login (as
defined by auth_request in server{} block.
location /api/ {
auth_request "off";
auth_basic "Restricted access";
auth_basic_user_file /etc/htpasswd;
proxy_pass http://localhost:88/;
}
I see online references to a "satisfy any" directive that apparently
worked a few years ago, but it does not anymore, and others are
https://stackoverflow.com/questions/42301559/nginx-with-auth-request-and-auth-basic
$ curl http://127.0.0.1:8080/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl http://127.0.0.1:8080/test/
ok
$ curl http://127.0.0.1:8080/api/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl --basic --user foo:foo http://127.0.0.1:8080/api/
ok
server {
listen 8080
auth_request /auth;
location / {
proxy_pass http://localhost:8082;
}
location /test/ {
auth_request off;
proxy_pass http://localhost:8082;
}
location /api/ {
auth_request "off";
auth_basic "Restricted access";
auth_basic_user_file /path/to/htpasswd;
proxy_pass http://localhost:8082;
}
location = /auth {
return 403;
}
}
server {
listen 8082;
return 200 ok\n;
}
Note that in the request to /api/, where auth_basic is configured,
you have to request specify username and password, or the request
will be rejected by auth_basic.
--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
http://mailman.nginx.org/mailman/listinfo/nginx
Stian Øvrevåge
2017-10-13 16:39:50 UTC
Permalink
Quick follow-up. I tried negating the 401 redirect at the /api/
endpoint but got an error:

named location "@error401" can be on the server level only

Any suggestion on how I can enforce a side-wide redirect to /security/
except the 2-3 endpoints that have basic auth?

Br,
Stian
Post by Stian Øvrevåge
return 302 /security/;
}
Which of course will redirect before auth basic will work.
Thanks again and pardon my ignorance :o
Br,
Stian
Post by Maxim Dounin
Hello!
Post by Stian Øvrevåge
Hi list,
I have a server {} block that is protected with auth_request; on the top level.
auth_request is used for a interactive login process.
I have some endpoints that will receive data from other software, and
must instead be protected by auth_basic. However, "auth_request off;"
is ignored in these location{} blocks IF there is also a auth_basic
statement in the block.
location /test/ {
auth_request off;
proxy_pass http://localhost:88/;
}
This is automatically redirected back to /security/ for login (as
defined by auth_request in server{} block.
location /api/ {
auth_request "off";
auth_basic "Restricted access";
auth_basic_user_file /etc/htpasswd;
proxy_pass http://localhost:88/;
}
I see online references to a "satisfy any" directive that apparently
worked a few years ago, but it does not anymore, and others are
https://stackoverflow.com/questions/42301559/nginx-with-auth-request-and-auth-basic
$ curl http://127.0.0.1:8080/
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl http://127.0.0.1:8080/test/
ok
$ curl http://127.0.0.1:8080/api/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.13.7</center>
</body>
</html>
$ curl --basic --user foo:foo http://127.0.0.1:8080/api/
ok
server {
listen 8080
auth_request /auth;
location / {
proxy_pass http://localhost:8082;
}
location /test/ {
auth_request off;
proxy_pass http://localhost:8082;
}
location /api/ {
auth_request "off";
auth_basic "Restricted access";
auth_basic_user_file /path/to/htpasswd;
proxy_pass http://localhost:8082;
}
location = /auth {
return 403;
}
}
server {
listen 8082;
return 200 ok\n;
}
Note that in the request to /api/, where auth_basic is configured,
you have to request specify username and password, or the request
will be rejected by auth_basic.
--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
http://mailman.nginx.org/mailman/listinfo/nginx
Francis Daly
2017-10-13 22:12:32 UTC
Permalink
On Fri, Oct 13, 2017 at 11:39:50AM -0500, Stian Øvrevåge wrote:

Hi there,
Post by Stian Øvrevåge
Quick follow-up. I tried negating the 401 redirect at the /api/
Any suggestion on how I can enforce a side-wide redirect to /security/
except the 2-3 endpoints that have basic auth?
It will probably be easier if you show the config that does not do what
you want; but my guess is that using "error_page" in the location{}s
with basic auth to override the (presumed) server-level "error_page"
setting might work.

That is: add something like "error_page 444 =444;" where you don't want
the 401 redirect to happen.

f
--
Francis Daly ***@daoine.org
Loading...