Opened 11 months ago

Closed 11 months ago

Last modified 11 months ago

#2099 closed defect (invalid)

allow doesn't stop when matching - since at least nginx 1.18 - ngx_http_access_module

Reported by: bezio@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.19.x
Keywords: allow satisfy Cc:
uname -a: Linux s2-tst-t02 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.0
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-1.19.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

Description

We do have some nginx-based balancer which does ssl-offloading and upstreaming via proxy_pass to our web-nodes.
Some applications are only accessible out of the datacenter and from well-known ip-addresses which we allowed them by allow (here-in I stripped/normalized that quite a bit). For people who work out of homeoffice we also enabled ldap-authentication based on auth_pam.
The mentioned application has own authentication implemented so we passthrough the simpleauth.

All worked fine using nginx 1.16 - since 1.18 (reproduced with 1.19, too) we see errors reaching our error.log but still the site + authentication works flawless.

Config

is attached as output of nginx -T. Here is our used "allow-settings":

Within the server-context we include a file containing:

# LDAP/ou=Web-Access/postoffice
satisfy any;

allow 10.0.0.0/8;
allow 127.0.0.1;

# Access against the ldap
auth_pam "Staff Area";
auth_pam_service_name "nginx.stgtest";

deny all;

Error as seen in log:

2020/11/23 11:22:37 [error] 18300#18300: *17 PAM: user 'postoffice' - not authenticated: User not known to the underlying authentication module, client: 127.0.0.1, server: postoffice.test.me, request: "HEAD /v1/post/2307fae3-c43f-4d3a-b5b2-419646e1abcf?encoding=base64 HTTP/2.0", host: "postoffice.test.me"

Expected behaviour

Normally, as I understand http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
saying The rules are checked in sequence until the first match is found. the directive allow 127.0.0.1; should stop the sequence and we do not see any access towards auth_pam.

Attachments (1)

nginx_compiled.conf (10.2 KB ) - added by bezio@… 11 months ago.
output as of nginx -T

Download all attachments as: .zip

Change History (4)

by bezio@…, 11 months ago

Attachment: nginx_compiled.conf added

output as of nginx -T

comment:1 by Maxim Dounin, 11 months ago

Resolution: invalid
Status: newclosed

The error is generated by the 3rd party auth_pam module you are using, which is checked before the access module. Once the control reaches the access module, matching stops at allow 127.0.0.1; as documented.

The "all worked fine" part is likely due to this commit in the auth_pam module, which changes its logging.

comment:2 by bezio@…, 11 months ago

Thanks a lot for pointing this out! I checked the changelog of nginx but not of the module, my bad.

Nethtertheless from my point of view the fall-through type of execution is broken as I expect the first matched allow to stop nginx from requesting the auth_pam_module. But we will deal with the actual situation.

comment:3 by Maxim Dounin, 11 months ago

Nethtertheless from my point of view the fall-through type of execution is broken as I expect the first matched allow to stop nginx from requesting the auth_pam_module.

This can be achieved by the auth_pam module: it needs to put itself after the access module in the access phase. As long as the module is compiled dynamically, it should be easy enough, by using appropriate ngx_module_order.

Note: See TracTickets for help on using tickets.