Re: BasicAuth config question

Thu, 25 Oct 2018 10:23:30 -0700 

Hello!

On Thu, Oct 25, 2018 at 09:56:27AM -0700, pg...@dev-mail.net wrote:

> If I define
> 
>       nginx.conf
>               ...
>               server {
>                       ...
>                       include includes/conf1.inc;
>                       include includes/conf2.inc;
>                       ...
>               }
>               ...
> 
>       cat includes/conf1.inc;
>               location ~ ^/sec($|/$) {
>                       deny all;
>               }
> 
>       cat includes/conf2.inc;
>               location = /sec/status {
>                       auth_basic 'Secure Access';
>                       auth_basic_user_file  /etc/nginx/sec/users;
>                       stub_status on;
>               }
> 
> @ https://example.com/sec/status
> 
> displays, as intended, a HTTP Basic Auth challenge.
> 
> But, if I move the auth_basic* into the immediately prior config file,
> 
>       cat includes/conf1.inc;
>               location ~ ^/sec($|/$) {
>                       deny all;
>               }
> +             location ~ ^/sec {
> +                     auth_basic 'Secure Access';
> +                     auth_basic_user_file  /etc/nginx/sec/users;
> +             }
> 
>       cat includes/conf2.inc;
>               location = /sec/status {
> -                     auth_basic 'Secure Access';
> -                     auth_basic_user_file  /etc/nginx/sec/users;
>                       stub_status on;
>               }
> 
> @ https://example.com/sec/status
> 
> displays server status immediately, WITHOUT any HTTP Basic Auth challenge.
> 
> What's wrong with my 2nd config that's causing it to NOT invoke Basic Auth 
> challenge?

In your second config, auth_basic is only configured for location 
"~ ^/sec", but not for location "= /sec/status".  Since the request 
to /sec/status is handled in the latter, auth_basic won't apply.

Note that location matching selects only one location to handle 
a request.  If there are many matching locations, most specific 
will be used (see http://nginx.org/r/location for details).

If you want to configure auth_basic for anything under /sec/, 
consider using nested prefix locations instead.  For example:

    location /sec/ {
        auth_basic 'Secure Access';
        auth_basic_user_file /etc/nginx/sec/users;

        location = /sec/ {
            deny all;
        }

        location = /sec/status {
            stub_status on;
        }
    }

This way, auth_basic is inherited into all nested locations, and 
will be configured in "location = /sec/status" as well.

Note well that "location ~ ^/sec" in your configuration will also 
match requests to "/security", "/second-version", and so on.  Most 
likely this is not what you want, so the above example 
configuration uses "/sec/" prefix instead. 

-- 
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to