#2099 closed defect (invalid)
allow doesn't stop when matching - since at least nginx 1.18 - ngx_http_access_module
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-module | Version: | 1.19.x |
| Keywords: | allow satisfy | Cc: | |
| uname -a: | Linux s2-tst-t02 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.19.0
built with OpenSSL 1.1.1g 21 Apr 2020 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-1.19.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module |
||
Description
We do have some nginx-based balancer which does ssl-offloading and upstreaming via proxy_pass to our web-nodes.
Some applications are only accessible out of the datacenter and from well-known ip-addresses which we allowed them by allow (here-in I stripped/normalized that quite a bit). For people who work out of homeoffice we also enabled ldap-authentication based on auth_pam.
The mentioned application has own authentication implemented so we passthrough the simpleauth.
All worked fine using nginx 1.16 - since 1.18 (reproduced with 1.19, too) we see errors reaching our error.log but still the site + authentication works flawless.
Config
is attached as output of nginx -T. Here is our used "allow-settings":
Within the server-context we include a file containing:
# LDAP/ou=Web-Access/postoffice satisfy any; allow 10.0.0.0/8; allow 127.0.0.1; # Access against the ldap auth_pam "Staff Area"; auth_pam_service_name "nginx.stgtest"; deny all;
Error as seen in log:
2020/11/23 11:22:37 [error] 18300#18300: *17 PAM: user 'postoffice' - not authenticated: User not known to the underlying authentication module, client: 127.0.0.1, server: postoffice.test.me, request: "HEAD /v1/post/2307fae3-c43f-4d3a-b5b2-419646e1abcf?encoding=base64 HTTP/2.0", host: "postoffice.test.me"
Expected behaviour
Normally, as I understand http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
saying The rules are checked in sequence until the first match is found. the directive allow 127.0.0.1; should stop the sequence and we do not see any access towards auth_pam.
Attachments (1)
Change History (4)
by , 4 years ago
| Attachment: | nginx_compiled.conf added |
|---|
comment:1 by , 4 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
The error is generated by the 3rd party auth_pam module you are using, which is checked before the access module. Once the control reaches the access module, matching stops at allow 127.0.0.1; as documented.
The "all worked fine" part is likely due to this commit in the auth_pam module, which changes its logging.
comment:2 by , 4 years ago
Thanks a lot for pointing this out! I checked the changelog of nginx but not of the module, my bad.
Nethtertheless from my point of view the fall-through type of execution is broken as I expect the first matched allow to stop nginx from requesting the auth_pam_module. But we will deal with the actual situation.
comment:3 by , 4 years ago
Nethtertheless from my point of view the fall-through type of execution is broken as I expect the first matched allow to stop nginx from requesting the auth_pam_module.
This can be achieved by the auth_pam module: it needs to put itself after the access module in the access phase. As long as the module is compiled dynamically, it should be easy enough, by using appropriate ngx_module_order.
output as of nginx -T