BasicAuth config question

BasicAuth config question

pg151
If I define

        nginx.conf
                ...
                server {
                        ...
                        include includes/conf1.inc;
                        include includes/conf2.inc;
                        ...
                }
                ...

        cat includes/conf1.inc;
                location ~ ^/sec($|/$) {
                        deny all;
                }

        cat includes/conf2.inc;
                location = /sec/status {
                        auth_basic 'Secure Access';
                        auth_basic_user_file  /etc/nginx/sec/users;
                        stub_status on;
                }

@ https://example.com/sec/status

displays, as intended, an HTTP Basic Auth challenge.

But, if I move the auth_basic* into the immediately prior config file,

        cat includes/conf1.inc;
                location ~ ^/sec($|/$) {
                        deny all;
                }
              + location ~ ^/sec {
              +         auth_basic 'Secure Access';
              +         auth_basic_user_file  /etc/nginx/sec/users;
              + }

        cat includes/conf2.inc;
                location = /sec/status {
              -         auth_basic 'Secure Access';
              -         auth_basic_user_file  /etc/nginx/sec/users;
                        stub_status on;
                }

@ https://example.com/sec/status

displays server status immediately, WITHOUT any HTTP Basic Auth challenge.

What's wrong with my 2nd config that's causing it to NOT invoke Basic Auth challenge?
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: BasicAuth config question

Maxim Dounin
Hello!

On Thu, Oct 25, 2018 at 09:56:27AM -0700, [hidden email] wrote:

> If I define
>
> nginx.conf
> ...
> server {
> ...
> include includes/conf1.inc;
> include includes/conf2.inc;
> ...
> }
> ...
>
> cat includes/conf1.inc;
> location ~ ^/sec($|/$) {
> deny all;
> }
>
> cat includes/conf2.inc;
> location = /sec/status {
> auth_basic 'Secure Access';
> auth_basic_user_file  /etc/nginx/sec/users;
> stub_status on;
> }
>
> @ https://example.com/sec/status
>
> displays, as intended, a HTTP Basic Auth challenge.
>
> But, if I move the auth_basic* into the immediately prior config file,
>
> cat includes/conf1.inc;
> location ~ ^/sec($|/$) {
> deny all;
> }
> + location ~ ^/sec {
> + auth_basic 'Secure Access';
> + auth_basic_user_file  /etc/nginx/sec/users;
> + }
>
> cat includes/conf2.inc;
> location = /sec/status {
> - auth_basic 'Secure Access';
> - auth_basic_user_file  /etc/nginx/sec/users;
> stub_status on;
> }
>
> @ https://example.com/sec/status
>
> displays server status immediately, WITHOUT any HTTP Basic Auth challenge.
>
> What's wrong with my 2nd config that's causing it to NOT invoke Basic Auth challenge?

In your second config, auth_basic is only configured for location
"~ ^/sec", but not for location "= /sec/status".  Since the request
to /sec/status is handled in the latter, auth_basic won't apply.

Note that location matching selects only one location to handle
a request.  If there are many matching locations, most specific
will be used (see http://nginx.org/r/location for details).

If you want to configure auth_basic for anything under /sec/,
consider using nested prefix locations instead.  For example:

    location /sec/ {
        auth_basic 'Secure Access';
        auth_basic_user_file /etc/nginx/sec/users;

        location = /sec/ {
            deny all;
        }

        location = /sec/status {
            stub_status on;
        }
    }

This way, auth_basic is inherited into all nested locations, and
will be configured in "location = /sec/status" as well.

Note well that "location ~ ^/sec" in your configuration will also
match requests to "/security", "/second-version", and so on.  Most
likely this is not what you want, so the above example
configuration uses "/sec/" prefix instead.

--
Maxim Dounin
http://mdounin.ru/
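As an added example (not code from the thread or from nginx itself), the following Python model implements the location selection rules the reply refers to at http://nginx.org/r/location and the inheritance of directives into nested locations. It encodes the poster's second configuration and the nested prefix configuration from the reply as data and resolves a few URIs against each, which shows why "= /sec/status" wins over "~ ^/sec" in the flat layout, why "/security" would also pick up auth_basic there, and why the nested layout applies auth_basic to everything under /sec/. The names Location, select, resolve and requires_auth are my own, and the model deliberately ignores details such as case-insensitive regexes and the default "location /".

```python
"""Model of nginx location selection and directive inheritance.

Added example, not code from nginx or from this thread. It implements the
selection rules documented at http://nginx.org/r/location: an exact ("=")
match wins outright; otherwise the longest matching prefix is remembered
(and wins immediately if it is marked "^~"); then regular expressions are
tried in order of appearance; if none matches, the remembered prefix is used.
Nested locations are searched only inside the location that was selected,
and directives such as auth_basic are inherited from the enclosing location
unless the nested one sets them itself.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Location:
    modifier: str                      # "", "=", "^~" or "~"
    pattern: str                       # prefix, exact URI or regex
    directives: Dict[str, str] = field(default_factory=dict)
    children: List["Location"] = field(default_factory=list)

    def matches(self, uri: str) -> bool:
        if self.modifier == "=":
            return uri == self.pattern
        if self.modifier == "~":
            return re.search(self.pattern, uri) is not None
        return uri.startswith(self.pattern)


def select(locations: List[Location], uri: str) -> Optional[Location]:
    """Pick the single location nginx would use for uri among siblings."""
    for loc in locations:                       # 1. exact match terminates
        if loc.modifier == "=" and loc.matches(uri):
            return loc
    best = None                                 # 2. longest matching prefix
    for loc in locations:
        if loc.modifier in ("", "^~") and loc.matches(uri):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best                             #    ^~ skips the regex step
    for loc in locations:                       # 3. first matching regex
        if loc.modifier == "~" and loc.matches(uri):
            return loc
    return best                                 # 4. fall back to the prefix


def resolve(locations: List[Location], uri: str,
            inherited: Optional[Dict[str, str]] = None
            ) -> Tuple[List[str], Dict[str, str]]:
    """Return (chain of selected locations, effective directives) for uri."""
    inherited = dict(inherited or {})
    loc = select(locations, uri)
    if loc is None:                             # no match: enclosing config
        return [], inherited
    effective = {**inherited, **loc.directives}  # inherit, then override
    name = f"{loc.modifier} {loc.pattern}".strip()
    inner_chain, inner_effective = resolve(loc.children, uri, effective)
    return [name] + inner_chain, inner_effective


def requires_auth(locations: List[Location], uri: str) -> bool:
    """True when the selected location ends up with auth_basic enabled."""
    return resolve(locations, uri)[1].get("auth_basic", "off") != "off"


AUTH = {"auth_basic": "Secure Access",
        "auth_basic_user_file": "/etc/nginx/sec/users"}

# The poster's second configuration: conf1.inc followed by conf2.inc, so all
# three locations are siblings at server level.
SECOND_CONFIG = [
    Location("~", r"^/sec($|/$)", {"deny": "all"}),
    Location("~", r"^/sec", dict(AUTH)),
    Location("=", "/sec/status", {"stub_status": "on"}),
]

# The nested prefix configuration suggested in the reply.
NESTED_CONFIG = [
    Location("", "/sec/", dict(AUTH), children=[
        Location("=", "/sec/", {"deny": "all"}),
        Location("=", "/sec/status", {"stub_status": "on"}),
    ]),
]

if __name__ == "__main__":
    for label, config in (("second config", SECOND_CONFIG),
                          ("nested config", NESTED_CONFIG)):
        for uri in ("/sec", "/sec/", "/sec/status", "/sec/other", "/security"):
            chain, effective = resolve(config, uri)
            shown = " > ".join(chain) or "(server)"
            print(f"{label:13} {uri:12} -> {shown:28} "
                  f"auth={requires_auth(config, uri)} {effective}")
```

Running it prints one line per URI and configuration; the useful rows are "/sec/status" under the second config (served by "= /sec/status" with no auth_basic at all) and under the nested config (served by "/sec/ > = /sec/status" with auth_basic inherited), plus "/security", which the flat "~ ^/sec" catches and the "/sec/" prefix does not.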

Re: BasicAuth config question

pg151


On Thu, Oct 25, 2018, at 10:23 AM, Maxim Dounin wrote:
> In your second config, auth_basic is only configured for location
> "~ ^/sec", but not for location "= /sec/status".  Since the request
> to /sec/status is handled in the latter, auth_basic won't apply.
>
> Note that location matching selects only one location to handle
> a request.  If there are many matching locations, most specific
> will be used (see http://nginx.org/r/location for details).

Ok, got that. Thx.

> If you want to configure auth_basic for anything under /sec/,
> consider using nested prefix locations instead.  For example:
>
>     location /sec/ {
>         auth_basic 'Secure Access';
>         auth_basic_user_file /etc/nginx/sec/users;
>
>         location = /sec/ {
>             deny all;
>         }
>
>         location = /sec/status {
>             stub_status on;
>         }
>     }
>
> This way, auth_basic is inherited into all nested locations, and
> will be configured in "location = /sec/status" as well.

I get the nesting.

I'd _like_ to split that config across two files:  one that I can include in EVERY config that deals with "auth_basic under /sec/", and the other that I can "drop-in" (include) just for sites where I want to use "status pages" (here, just the nginx-status).

Can you 'nest' across separate configs?

> Note well that "location ~ ^/sec"

Yep, thx.