Combining Basic Authentication with Access Restriction by IP Address and auth_basic off

Posted by basti 
Hello,
I have a config like:

server {

....
# combine basic auth and ip whitelisting
# https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
satisfy any;
allow <my_static_IP>;
deny all;

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/nx4/.htpasswd;

location /.well-known/acme-challenge/ {
auth_basic off;
default_type "text/plain";
alias /var/lib/dehydrated/acme-challenges/;
}
}

But it does not seem to work.
Access from the allowed IP is fine; from all others I get

2018/06/27 14:54:12 [error] 1333#1333: *11176 access forbidden by rule,
client: ...

nginx -v
nginx version: nginx/1.10.3

Can anyone confirm this?
Best regards
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
On Wed, Jun 27, 2018 at 03:08:50PM +0200, basti wrote:
> Hello,
> I have a config like:
>
> server {
>
> ...
> # combine basic auth and ip whitelisting
> # https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
> satisfy any;
> allow <my_static_IP>;
> deny all;
>
> auth_basic "Restricted";
> auth_basic_user_file /etc/nginx/nx4/.htpasswd;
>
> location /.well-known/acme-challenge/ {
> auth_basic off;
> default_type "text/plain";
> alias /var/lib/dehydrated/acme-challenges/;
> }
> }
>
> But it does not seem to work.
> Access from the allowed IP is fine; from all others I get
>
> 2018/06/27 14:54:12 [error] 1333#1333: *11176 access forbidden by rule,
> client: ...
>
> nginx -v
> nginx version: nginx/1.10.3
>
> Can anyone confirm this?

Since you have switched auth_basic off, the only enabled authentication
left is by client address, and your inherited configuration says it's
denied for everything except <my_static_IP>. Put "allow all" into the
"location /.well-known/acme-challenge/" to have it working for all.
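
The configuration from the thread with the suggested "allow all" applied, as an added example that is not part of either poster's message. The address 203.0.113.10, the name example.test and the listen port are constructed placeholders; the file paths are the ones from the original post.

```nginx
# Added example (not from the thread). 203.0.113.10, example.test and
# "listen 80" are assumptions standing in for the elided parts of the config.
server {
    listen 80;
    server_name example.test;

    # satisfy any: a request is admitted if EITHER the address rules
    # OR basic authentication accept it.
    satisfy any;
    allow 203.0.113.10;
    deny all;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/nx4/.htpasswd;

    location /.well-known/acme-challenge/ {
        # With basic auth switched off here, the inherited allow/deny list
        # is the only access check left, so every other client gets
        # "access forbidden by rule" (403) unless the list is overridden.
        auth_basic off;

        # allow/deny declared at this level replace the inherited list for
        # this location only; the rest of the server stays restricted.
        allow all;

        # Everything under this directory is now readable without
        # credentials, so keep it limited to the ACME challenge files.
        default_type "text/plain";
        alias /var/lib/dehydrated/acme-challenges/;
    }
}
```

After reloading, a request for a challenge file from a non-listed address should return 200, while any other path on the server should still answer 401 to that client.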
On 27.06.2018 15:57, Ruslan Ermilov wrote:
> Since you have switched auth_basic off, the only enabled authentication
> left is by client address, and your inherited configuration says it's
> denied for everything except <my_static_IP>. Put "allow all" into the
> "location /.well-known/acme-challenge/" to have it working for all.

Thanks for any hints.
Best Regards,