Opened 3 years ago

Closed 3 years ago

#2232 closed enhancement (wontfix)

ngx_http_auth_basic_module does not support different passwords for the same user

Reported by: Chupaka@…
Owned by:
Priority: trivial
Milestone:
Component: nginx-module
Version:
Keywords: ngx_http_auth_basic_module
Cc: Chupaka@…
uname -a: Linux hostname 5.8.0-1032-gcp #34~20.04.1-Ubuntu SMP Wed May 19 18:19:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-subs-filter --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-geoip2

Description

I need to proxy some API and change "local" basic auth (with static username = "api") to a "master" API key. I.e. clients of nginx authorize as "api:pass1", "api:pass2", etc., and I replace this by "api:super_secret_key" when proxying the request to upstream.

Everything works well for the "one password per location" scenario, but now I have a shared path and faced a problem: only the first password for the user in user_file is checked. If it's wrong, nginx stops searching for other passwords in user_file and throws "401 Authorization Required".

So, a feature request: check all lines of user_file when checking credentials (enabled by a new option for backward compatibility?).

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: new → closed

Unix user files are expected to contain one line per user. There are no plans to support multiple user entries with the same user name and checking the password provided against all entries.

If your setup requires using the same user name with different passwords to access a particular resource, the most obvious solution would be to re-think the setup. A better approach might be to use different user names for different users.
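
The behaviour discussed in this ticket, as an added example that is not part of the ticket or of nginx: a Python check that reports user_file entries hidden behind an earlier line with the same user name. The sample file, its placeholder hashes and the function names are constructed for illustration, and the check assumes, as the ticket describes, that only the first entry for a name is consulted.

```python
"""Lint an nginx auth_basic user_file for repeated user names."""
from collections import defaultdict

# Constructed sample file; the hashes are placeholders, not real password hashes.
SAMPLE_USER_FILE = """\
# clients of the shared API path
api:$apr1$PLACEHOLDER1
api:$apr1$PLACEHOLDER2
reports:$apr1$PLACEHOLDER3:added for the reporting job
api:$apr1$PLACEHOLDER4
"""


def parse_user_file(text):
    """Yield (line_number, user, hash) for each name:password[:comment] line."""
    for number, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        user, sep, rest = line.partition(":")
        if not sep:
            continue  # no password field, not a usable entry
        yield number, user, rest.split(":", 1)[0]


def effective_entries(text):
    """Map each user to the one entry that is consulted: the first."""
    first = {}
    for number, user, pw_hash in parse_user_file(text):
        first.setdefault(user, (number, pw_hash))
    return first


def shadowed_entries(text):
    """Return {user: [line numbers]} for entries that are never checked."""
    seen = set()
    shadowed = defaultdict(list)
    for number, user, _ in parse_user_file(text):
        if user in seen:
            shadowed[user].append(number)
        seen.add(user)
    return dict(shadowed)


if __name__ == "__main__":
    effective = effective_entries(SAMPLE_USER_FILE)
    for user, lines in shadowed_entries(SAMPLE_USER_FILE).items():
        kept = effective[user][0]
        print(f"{user}: line {kept} is used; lines {lines} are never checked")
```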
