auth_basic and satisfy allowing all traffic


auth_basic and satisfy allowing all traffic

t.nishiyori
Hi all -

I'm having an issue trying to get the auth_basic and satisfy directives working
in tandem.  If I use auth_basic/auth_basic_user_file on its own, I am
prompted for credentials as expected.  However, if I add the
satisfy/allow/deny directives above, it seems that ALL traffic is allowed in
without prompting for auth.

Here's how I have it.

    satisfy any;
    allow 38.103.XX.XXX/32;     # HQIP
    allow 38.118.XX.XXX/32;     # User VPN IP
    deny all;

    auth_basic "Site Restricted";
    auth_basic_user_file includes/htpasswd.site.dev.conf;

When I look through my access logs, I see the correct client IP as well.

nginx version is 1.10.1

Thank you for your help.

Dave

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273629#msg-273629

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: auth_basic and satisfy allowing all traffic

Francis Daly
On Thu, Apr 13, 2017 at 05:26:35PM -0400, daveyfx wrote:

Hi there,

> However, if I added the
> satisfy/allow/deny directives above, it seems that ALL traffic is allowed in
> without prompting for auth.

It works for me.

Can you provide a complete config that shows the problem you report?

What I have is:

==
  server {
    listen 8080;
    satisfy any;
    allow 127.0.0.1/32;
    allow 127.0.0.2/32;
    deny all;
    auth_basic "Site Restricted";
    auth_basic_user_file includes/htpasswd.site.dev.conf;
  }
==

Then "curl -i http://127.0.0.2:8080/x" returns 200 with the content
of /usr/local/nginx/html/x, while "curl -i http://127.0.0.3:8080/x"
returns 401 with

WWW-Authenticate: Basic realm="Site Restricted"


What do you see when you do that exact test?

How does it differ from the problem case you reported?

Cheers,

        f
--
Francis Daly        [hidden email]

Re: auth_basic and satisfy allowing all traffic

t.nishiyori
Hi Francis -

In both cases, I get a 404 response, which is to be expected as the default
doc root for nginx isn't served on my host.  I should expect a 401 on the
second curl test, but I get a 404.

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 14 Apr 2017 03:44:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Vary: Accept-Encoding

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273636#msg-273636


Re: auth_basic and satisfy allowing all traffic

Francis Daly
On Thu, Apr 13, 2017 at 11:49:50PM -0400, daveyfx wrote:

Hi there,

> In both cases, I get a 404 response, which is to be expected as the default
> doc root for nginx isn't served on my host.  I should expect a 401 on the
> second curl test, but I get a 404.

If your test nginx.conf contains the one server{} block that handles
requests on this ip:port, and that server{} block is exactly the 9 lines
from the previous mail, then I think you've found a significant bug in
the implementation, that does not show itself on my system.


I suspect that it is more likely that the server{} that nginx is using is
not the server{} that you think nginx is using to process these requests.

Or that some of the configuration that you have not shown is involved.

If you can show a minimal config that works, and a minimal config that
fails, then identifying the differences between the two will probably
reveal the fix.

Good luck with it,

        f
--
Francis Daly        [hidden email]
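As an added illustration of the behaviour Francis tested in his first reply (200 for an allowed address, 401 for everything else) and of why the 404 in Dave's reply points at a different server{} or extra configuration, here is a small model of the nginx access phase. It is example code written for this thread, not nginx's own code or anything from the list: the htpasswd contents, user names and passwords are constructed, the allow/deny rules are the ones from the 9-line server{} block, and only the {SHA}, {SSHA} and {PLAIN} password formats are handled (crypt()/apr1 entries are left out).

```python
"""Model of the nginx access phase: how `satisfy`, `allow`/`deny` and
`auth_basic` combine into a 200, 401 or 403.  Added example for this thread,
not nginx's own code; it follows the documented semantics."""
import base64
import hashlib
import hmac
import ipaddress

# Constructed auth_basic_user_file contents (assumption: two users).  Entries use
# the RFC 2307 "{scheme}data" syntax that nginx accepts; crypt()/apr1 entries,
# which need a crypt(3) implementation, are left out of this model.
_SALT = b"xyz1"
HTPASSWD_TEXT = "\n".join([
    "# users for the 'Site Restricted' realm (constructed)",
    "dave:{SHA}" + base64.b64encode(hashlib.sha1(b"s3cret").digest()).decode(),
    "ops:{SSHA}" + base64.b64encode(
        hashlib.sha1(b"hunter2" + _SALT).digest() + _SALT).decode(),
])

# The allow/deny rules from Francis's 9-line server{} block.
RULES = [("allow", "127.0.0.1/32"), ("allow", "127.0.0.2/32"), ("deny", "all")]


def load_htpasswd(text):
    """Parse name:password lines; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        users[name] = stored
    return users


def password_matches(stored, password):
    """Check a {SHA}, {SSHA} or {PLAIN} entry in constant time."""
    pw = password.encode()
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(base64.b64decode(stored[5:]),
                                   hashlib.sha1(pw).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if stored.startswith("{PLAIN}"):
        return hmac.compare_digest(stored[7:].encode(), pw)
    return False  # scheme not supported by this model


def access_check(client_ip, rules):
    """ngx_http_access_module: the first matching rule wins; with no match the
    module declines (it neither allows nor denies)."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if cidr == "all" or ip in ipaddress.ip_network(cidr, strict=False):
            return "ok" if action == "allow" else 403
    return "declined"


def auth_basic_check(authorization, users):
    """ngx_http_auth_basic_module: 401 unless a valid Basic credential is sent."""
    if not authorization or not authorization.lower().startswith("basic "):
        return 401
    try:
        decoded = base64.b64decode(authorization[6:].strip(), validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return 401
    user, sep, password = decoded.partition(":")
    if not sep or user not in users or not password_matches(users[user], password):
        return 401
    return "ok"


def access_phase(satisfy, client_ip, authorization, rules, users):
    """Combine the two handlers the way the core access phase does.
    satisfy all: the first handler that denies ends the request with its status.
    satisfy any: one 'ok' is enough; if every handler denied, a 401 is reported
    in preference to a 403 so the client still gets a credential prompt."""
    handlers = (lambda: access_check(client_ip, rules),
                lambda: auth_basic_check(authorization, users))
    access_code = 0
    for handler in handlers:
        rc = handler()
        if satisfy == "all":
            if rc not in ("ok", "declined"):
                return rc
        elif rc == "ok":
            return 200            # allowed; remaining handlers are skipped
        elif rc in (401, 403) and access_code != 401:
            access_code = rc
    return access_code or 200


def basic_header(user, password):
    """Build the Authorization header value that curl -u would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


USERS = load_htpasswd(HTPASSWD_TEXT)

if __name__ == "__main__":
    for satisfy in ("any", "all"):
        for ip, auth in (("127.0.0.2", None), ("127.0.0.3", None),
                         ("127.0.0.3", basic_header("dave", "s3cret"))):
            print(f"satisfy {satisfy}: {ip} {'with' if auth else 'without'} "
                  f"credentials -> {access_phase(satisfy, ip, auth, RULES, USERS)}")
```

Running it reproduces Francis's curl results for `satisfy any` (127.0.0.2 gets 200 without credentials, 127.0.0.3 gets 401 until it presents a valid user) and shows the contrast with `satisfy all`, where 127.0.0.2 still needs credentials and 127.0.0.3 is refused with 403 even with them. Two checks follow from the model when reading Dave's 404: the access phase runs before nginx looks for any file, so a 404 means the request passed the access phase, not that the check was skipped; and a stock nginx 1.10.1 sends `Server: nginx/1.10.1`, while the bare `Server: nginx` in the posted response only appears with `server_tokens off`, which the 9-line block does not set, so some other configuration was in play for that request.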

Re: auth_basic and satisfy allowing all traffic

t.nishiyori
Hi Francis -

That would have been my suspicion as well.  To test that theory, I installed
the same nginx 1.10.1 RPM file on a similar CentOS 6 virtual machine in my
environment.  This particular VM has never been used for any nginx testing,
nor has it ever had nginx installed.

I tested the same server configuration as your example, but the testing VM
produced the same results.  The satisfy/allow/deny directives allow
bypassing of the basic_auth.  Once those entries have been commented out,
auth works as expected.

Would there be additional steps involved in determining if this is, in fact,
a bug?

Thank you for your help.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273656#msg-273656


Re: auth_basic and satisfy allowing all traffic

Francis Daly
On Fri, Apr 14, 2017 at 03:26:41PM -0400, daveyfx wrote:

Hi there,

> I tested the same server configuration as your example, but the testing VM
> produced the same results.  The satisfy/allow/deny directives allow
> bypassing of the basic_auth.  Once those entries have been commented out,
> auth works as expected.
>
> Would there be additional steps involved in determining if this is, in fact,
> a bug?

In this case, I suggest building a reproducible test case.

Assuming that you use "default" config files, then "nginx -V" will show
information about what version you are using; "nginx -T" will show the
configuration actually being used, and provide "curl -v" or "curl -i"
commands that show the unexpected behaviour. nginx logs for the requests
should also show what source IP address nginx thinks the requests are
coming from.

Copy-paste; do not re-type. Make it so that the differences between a
working and a failing system are obvious.

Good luck with it,

        f
--
Francis Daly        [hidden email]