auth_basic and satisfy allowing all traffic

daveyfx
auth_basic and satisfy allowing all traffic
April 13, 2017 11:30PM
Hi all -

I'm having an issue trying to get the auth_basic and satisfy directives working
in tandem. If I use auth_basic/auth_basic_user_file on its own, I am
prompted for credentials as expected. However, if I add the
satisfy/allow/deny directives above, it seems that ALL traffic is allowed in
without prompting for auth.

Here's how I have it.

satisfy any;
allow 38.103.XX.XXX/32; # HQIP
allow 38.118.XX.XXX/32; # User VPN IP
deny all;

auth_basic "Site Restricted";
auth_basic_user_file includes/htpasswd.site.dev.conf;

When I look through my access logs, I see the correct client IP as well.

nginx version is 1.10.1

Thank you for your help.

Dave

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273629#msg-273629

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Francis Daly
Re: auth_basic and satisfy allowing all traffic
April 14, 2017 02:20AM
On Thu, Apr 13, 2017 at 05:26:35PM -0400, daveyfx wrote:

Hi there,

> However, if I added the
> satisfy/allow/deny directives above, it seems that ALL traffic is allowed in
> without prompting for auth.

It works for me.

Can you provide a complete config that shows the problem you report?

What I have is:

==
server {
listen 8080;
satisfy any;
allow 127.0.0.1/32;
allow 127.0.0.2/32;
deny all;
auth_basic "Site Restricted";
auth_basic_user_file includes/htpasswd.site.dev.conf;
}
==

Then "curl -i http://127.0.0.2:8080/x" returns 200 with the content
of /usr/local/nginx/html/x, while "curl -i http://127.0.0.3:8080/x"
returns 401 with

WWW-Authenticate: Basic realm="Site Restricted"


What do you see when you do that exact test?

How does it differ from the problem case you reported?

Cheers,

f
--
Francis Daly francis@daoine.org
daveyfx
Re: auth_basic and satisfy allowing all traffic
April 14, 2017 06:00AM
Hi Francis -

In both cases, I get a 404 response, which is to be expected as the default
doc root for nginx isn't served on my host. I should expect a 401 on the
second curl test, but I get a 404.

HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 14 Apr 2017 03:44:19 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Vary: Accept-Encoding

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273636#msg-273636

Francis Daly
Re: auth_basic and satisfy allowing all traffic
April 14, 2017 09:50AM
On Thu, Apr 13, 2017 at 11:49:50PM -0400, daveyfx wrote:

Hi there,

> In both cases, I get a 404 response, which is to be expected as the default
> doc root for nginx isn't served on my host. I should expect a 401 on the
> second curl test, but I get a 404.

If your test nginx.conf contains the one server{} block that handles
requests on this ip:port, and that server{} block is exactly the 9 lines
from the previous mail, then I think you've found a significant bug in
the implementation, that does not show itself on my system.


I suspect that it is more likely that the server{} that nginx is using is
not the server{} that you think nginx is using to process these requests.

Or that some of the configuration that you have not shown is involved.

If you can show a minimal config that works, and a minimal config that
fails, then identifying the differences between the two will probably
reveal the fix.

Good luck with it,

f
--
Francis Daly francis@daoine.org
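The decision Francis's curl test exercises, and the point behind his 401-versus-404 remark, modelled in Python as an added example (this is not code from the thread or from nginx): the allow/deny rules are the ones from his test server{} block, while the htpasswd entry, user name and password are constructed stand-ins for includes/htpasswd.site.dev.conf.

```python
import base64
import hashlib
import ipaddress

# The allow/deny rules from the test server{} block in the thread, in file order.
ACCESS_RULES = [("allow", "127.0.0.1/32"), ("allow", "127.0.0.2/32"), ("deny", "0.0.0.0/0")]


def sha_entry(password):
    """Hash a password in the "{SHA}" form that auth_basic_user_file accepts."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed stand-in for htpasswd.site.dev.conf (hypothetical user and password).
HTPASSWD = {"dave": sha_entry("example-password")}


def basic_header(user, password):
    """Build the Authorization header a client sends after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def ip_allowed(client_ip, rules):
    """ngx_http_access_module semantics: the first matching rule decides."""
    addr = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action == "allow"
    return True  # no matching rule: the access module does not object


def auth_ok(header, users):
    """auth_basic semantics: decode user:password and compare with the stored hash."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return users.get(user) == sha_entry(password)


def request_status(client_ip, header=None, satisfy="any", file_exists=True):
    """Status nginx would return: the access phase runs before the content lookup."""
    by_ip = ip_allowed(client_ip, ACCESS_RULES)
    by_auth = auth_ok(header, HTPASSWD)
    if satisfy == "any":
        if not (by_ip or by_auth):
            return 401  # nginx keeps the 401 (with WWW-Authenticate) over the 403
    elif not (by_ip and by_auth):
        return 401 if not by_auth else 403
    # Only a request that passed the access phase reaches the content phase.
    return 200 if file_exists else 404
```

A denied client therefore sees 401 whether or not the file exists; a 404 on the denied address means the request never hit these access checks, which is why Francis suspects a different server{} block handled it.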
daveyfx
Re: auth_basic and satisfy allowing all traffic
April 14, 2017 09:30PM
Hi Francis -

That would have been my suspicion as well. To test that theory, I installed
the same nginx 1.10.1 RPM file on a similar CentOS 6 virtual machine in my
environment. This particular VM has never been used for any nginx testing,
nor has it ever had nginx installed.

I tested the same server configuration as your example, but the testing VM
produced the same results. The satisfy/allow/deny directives allow
bypassing of the basic_auth. Once those entries have been commented out,
auth works as expected.

Would there be additional steps involved in determining if this is, in fact,
a bug?

Thank you for your help.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273629,273656#msg-273656

Francis Daly
Re: auth_basic and satisfy allowing all traffic
April 15, 2017 10:40AM
On Fri, Apr 14, 2017 at 03:26:41PM -0400, daveyfx wrote:

Hi there,

> I tested the same server configuration as your example, but the testing VM
> produced the same results. The satisfy/allow/deny directives allow
> bypassing of the basic_auth. Once those entries have been commented out,
> auth works as expected.
>
> Would there be additional steps involved in determining if this is, in fact,
> a bug?

In this case, I suggest building a reproducible test case.

Assuming that you use "default" config files, then "nginx -V" will show
information about what version you are using, and "nginx -T" will show the
configuration actually being used. Provide "curl -v" or "curl -i"
commands that show the unexpected behaviour. nginx logs for the requests
should also show what source IP address nginx thinks the requests are
coming from.

Copy-paste; do not re-type. Make it so that the differences between a
working and a failing system are obvious.

Good luck with it,

f
--
Francis Daly francis@daoine.org