Re: BasicAuth config question

Maxim Dounin
October 25, 2018 01:24PM
Hello!

On Thu, Oct 25, 2018 at 09:56:27AM -0700, pg151@dev-mail.net wrote:

> If I define
>
> nginx.conf
> ...
> server {
> ...
> include includes/conf1.inc;
> include includes/conf2.inc;
> ...
> }
> ...
>
> cat includes/conf1.inc;
> location ~ ^/sec($|/$) {
> deny all;
> }
>
> cat includes/conf2.inc;
> location = /sec/status {
> auth_basic 'Secure Access';
> auth_basic_user_file /etc/nginx/sec/users;
> stub_status on;
> }
>
> @ https://example.com/sec/status
>
> displays, as intended, an HTTP Basic Auth challenge.
>
> But, if I move the auth_basic* into the immediately prior config file,
>
> cat includes/conf1.inc;
> location ~ ^/sec($|/$) {
> deny all;
> }
> + location ~ ^/sec {
> + auth_basic 'Secure Access';
> + auth_basic_user_file /etc/nginx/sec/users;
> + }
>
> cat includes/conf2.inc;
> location = /sec/status {
> - auth_basic 'Secure Access';
> - auth_basic_user_file /etc/nginx/sec/users;
> stub_status on;
> }
>
> @ https://example.com/sec/status
>
> displays server status immediately, WITHOUT any HTTP Basic Auth challenge.
>
> What's wrong with my 2nd config that's causing it to NOT invoke Basic Auth challenge?

In your second config, auth_basic is only configured for location
"~ ^/sec", but not for location "= /sec/status". Since the request
to /sec/status is handled in the latter, auth_basic won't apply.

Note that location matching selects only one location to handle
a request. If there are many matching locations, the most specific
one will be used (see http://nginx.org/r/location for details).

If you want to configure auth_basic for anything under /sec/,
consider using nested prefix locations instead. For example:

    location /sec/ {
        auth_basic 'Secure Access';
        auth_basic_user_file /etc/nginx/sec/users;

        location = /sec/ {
            deny all;
        }

        location = /sec/status {
            stub_status on;
        }
    }

This way, auth_basic is inherited into all nested locations, and
will be configured in "location = /sec/status" as well.

Note well that "location ~ ^/sec" in your configuration will also
match requests to "/security", "/second-version", and so on. Most
likely this is not what you want, so the above example
configuration uses "/sec/" prefix instead.

--
Maxim Dounin
http://mdounin.ru/
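
Added example, not part of the original message and not nginx code: a simplified Python model of the location selection explained in the reply (exact match first, then longest prefix including its nested locations, then regexes in configuration order), run over the two configurations from the thread. The names `Location`, `select` and `handled_by` are hypothetical, and `^~`, locations nested inside regex blocks and `auth_basic off` are assumed away.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Location:
    mod: str                 # "=" exact, "~" regex, "" prefix
    pat: str
    auth: bool = False       # auth_basic written directly in this block
    children: list = field(default_factory=list)

def select(locs, uri, inherited=False):
    """Return (location, auth_in_effect, final); only ONE location handles uri."""
    for loc in locs:                         # an exact match ends the search
        if loc.mod == "=" and loc.pat == uri:
            return loc, inherited or loc.auth, True
    prefixes = [l for l in locs if l.mod == "" and uri.startswith(l.pat)]
    best = max(prefixes, key=lambda l: len(l.pat), default=None)
    result = (None, inherited, False)
    if best:                                 # longest prefix: descend into nested blocks
        auth = inherited or best.auth        # nested blocks inherit auth_basic
        inner = select(best.children, uri, auth)
        if inner[2]:
            return inner
        result = inner if inner[0] else (best, auth, False)
    for loc in locs:                         # regexes in config order, first match wins
        if loc.mod == "~" and re.search(loc.pat, uri):
            return loc, inherited or loc.auth, True
    return result                            # fall back to the remembered prefix

def handled_by(locs, uri):
    loc, auth, _ = select(locs, uri)
    return (f"{loc.mod} {loc.pat}".strip() if loc else None, auth)

# Constructed from the two configurations quoted in the thread.
SECOND_CONFIG = [
    Location("~", r"^/sec($|/$)"),           # deny all
    Location("~", r"^/sec", auth=True),      # sibling block: auth not shared
    Location("=", "/sec/status"),            # stub_status, no auth_basic
]
NESTED_CONFIG = [
    Location("", "/sec/", auth=True, children=[
        Location("=", "/sec/"),              # deny all
        Location("=", "/sec/status"),        # stub_status, auth inherited
    ]),
]

if __name__ == "__main__":
    for name, cfg in (("second", SECOND_CONFIG), ("nested", NESTED_CONFIG)):
        for uri in ("/sec/status", "/security"):
            print(name, uri, handled_by(cfg, uri))
```
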