Opened 3 years ago
Closed 3 years ago
#2232 closed enhancement (wontfix)
ngx_http_auth_basic_module does not support different passwords for the same user
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | trivial | Milestone: | |
| Component: | nginx-module | Version: | |
| Keywords: | ngx_http_auth_basic_module | Cc: | Chupaka@… |
| uname -a: | Linux hostname 5.8.0-1032-gcp #34~20.04.1-Ubuntu SMP Wed May 19 18:19:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-echo --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-subs-filter --add-dynamic-module=/build/nginx-KTLRnK/nginx-1.18.0/debian/modules/http-geoip2
Description
I need to proxy some API and change "local" basic auth (with static username = "api") to a "master" API key. I.e. clients of nginx authorize as "api:pass1", "api:pass2", etc., and I replace this by "api:super_secret_key" when proxying the request to upstream.
Everything works well for the "one password per location" scenario, but now I have a shared path and faced a problem that only the first password of user_file is checked. If it's wrong, nginx stops searching for other passwords in user_file and throws "401 Authorization Required".
So, a feature request: check all lines of user_file when checking credentials (enabled by a new option for backward compatibility?).
Unix user files are expected to contain one line per user. There are no plans to support multiple user entries with the same user name and checking the password provided against all entries.
If your setup requires using the same user name with different passwords to access a particular resource, the most obvious solution would be to re-think the setup. A better approach might be to use different user names for different users.
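Since only the first entry for a user name is checked, any later entry with the same name in a user file can never authenticate anyone. As an added example (not nginx code and not part of this ticket), the script below lists such entries; its function names and the sample file are constructed for illustration, and it assumes the `name:password[:comment]` line format with `#` comment lines.

```python
"""Audit an nginx auth_basic user file for repeated user names (added example)."""
import sys
from collections import defaultdict


def parse_user_file(text):
    """Yield (line_number, user_name) for each entry in htpasswd-style text.

    Assumed format: name:password[:comment]; a line starting with '#' is a comment.
    """
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw or raw.startswith("#"):
            continue
        name, sep, _rest = raw.partition(":")
        if not sep:
            continue  # no colon, so not a name:password entry
        yield number, name


def find_shadowed_entries(text):
    """Return {user: (checked_line, [shadowed_lines])} for repeated names."""
    seen = defaultdict(list)
    for number, name in parse_user_file(text):
        seen[name].append(number)
    return {u: (lines[0], lines[1:]) for u, lines in seen.items() if len(lines) > 1}


# Constructed sample: the hashes are placeholders, not real credentials.
SAMPLE = """\
# clients of the proxied API
api:$apr1$PLACEHOLDER1
api:$apr1$PLACEHOLDER2:second client
reports:$apr1$PLACEHOLDER3
api:$apr1$PLACEHOLDER4
"""

if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    shadowed = find_shadowed_entries(text)
    for user, (first, rest) in sorted(shadowed.items()):
        print(f"{user}: line {first} is checked; lines {rest} are never reached")
    sys.exit(1 if shadowed else 0)
```

The non-zero exit status on a finding lets the check gate a deployment step that installs the user file.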