id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version 2099,allow doesn't stop when matching - since at least nginx 1.18 - ngx_http_access_module,bezio@…,,"We do have some nginx-based balancer which does ssl-offloading and upstreaming via proxy_pass to our web-nodes. Some applications are only accessible out of the datacenter and from well-known ip-addresses which we allowed them by allow (here-in I stripped/normalized that quite a bit). For people who work out of homeoffice we also enabled ldap-authentication based on auth_pam. The mentioned application has own authentication implemented so we passthrough the simpleauth. \\ All worked fine using nginx 1.16 - since 1.18 (reproduced with 1.19, too) we see errors reaching our error.log but still the site + authentication works flawless. === Config is attached as output of nginx -T. Here is our used ""allow-settings"": \\ Within the server-context we include a file containing: {{{ # LDAP/ou=Web-Access/postoffice satisfy any; allow 10.0.0.0/8; allow 127.0.0.1; # Access against the ldap auth_pam ""Staff Area""; auth_pam_service_name ""nginx.stgtest""; deny all; }}} === Error as seen in log: {{{ 2020/11/23 11:22:37 [error] 18300#18300: *17 PAM: user 'postoffice' - not authenticated: User not known to the underlying authentication module, client: 127.0.0.1, server: postoffice.test.me, request: ""HEAD /v1/post/2307fae3-c43f-4d3a-b5b2-419646e1abcf?encoding=base64 HTTP/2.0"", host: ""postoffice.test.me"" }}} === Expected behaviour Normally, as I understand http://nginx.org/en/docs/http/ngx_http_access_module.html#allow saying {{{ The rules are checked in sequence until the first match is found. }}} the directive {{{allow 127.0.0.1;}}} should stop the sequence and we do not see any access towards auth_pam. ",defect,closed,major,,nginx-module,1.19.x,invalid,allow satisfy,,Linux s2-tst-t02 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux,"nginx version: nginx/1.19.0 built with OpenSSL 1.1.1g 21 Apr 2020 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-1.19.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module "