Opened 6 years ago

Closed 6 years ago

#641 closed enhancement (wontfix)

Support auth_basic inside if statements

Reported by: Cristian Măgherușan-Stanciu Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.6.x
Keywords: Cc:
uname -a: CentOS 6.5 linux 2.6.32-431.20.3.el6.x86_64
nginx -V: nginx -V
nginx version: nginx/1.6.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

I have a quite complicated access control setup, basically everything needs to be blocked(return 403) unless the user comes from some IP ranges given in CIDR notation.

At some point later, we had to give a chance to people outside those IP ranges, who might still be allowed if they can log in with basic authentication.

Initially I had it set up with the ngx_http_access module, which worked quite well, this is how I had it done with Puppet/ERB:

satisfy any;

<%- @allowed_ip_ranges.each do |range| %>
allow <%= range %>;
<%- end %>                                                                    

deny all; 

<%if bool(require_authentication) %>
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/htpass_users;
<% end %>

Then at some point some of my servers had to be configured in order to redirect the external users somewhere else instead of just blocking them with a 403.

I had read http://nginx.org/en/docs/http/ngx_http_access_module.html and tried to follow the advice "In case of a lot of rules, the use of the ngx_http_geo_module module variables is preferable", so I attempted to refactor the access control code, and started using ngx_http_geo module which got me something like this:

geo $external_user {
  default 1;
  <%- @allowed_ip_ranges.each do |range| %>
  <%= range %> 0;
  <%- end %>
}
<% end %>
if ($external_user) {
<% if bool(require_authentication) %>
  auth_basic "Restricted";
  auth_basic_user_file /etc/nginx/htpass_users;
<% else %>
  return 403;
<% end %>
}


I then immediately noticed the nginx configuration was broken in the environment where basic auth was enabled, since auth_basic is not working inside the if. So eventually I had to revert to the previous code.

This wasn't so bad, bot now I have another requirement, I need to allow some user agents regardless where they're coming from. This would easily be doable with an if and a variable created using the ngx_http_geo module, but I can't use that because of the basic auth issue.

So I am hereby creating a feature request to implement support for auth_basic inside the if statements.

Change History (3)

comment:1 by Valentin V. Bartenev, 6 years ago

You are overcomplicating things. You don't need if for the case:

geo $auth_realm {
  default Restricted;
  <%- @allowed_ip_ranges.each do |range| %>
  <%= range %> off;
  <%- end %>
}
<% end %>
<% if bool(require_authentication) %>
  auth_basic $auth_realm;
  auth_basic_user_file /etc/nginx/htpass_users;
<% else %>
  return 403;
<% end %>

Note also: http://wiki.nginx.org/IfIsEvil

Last edited 6 years ago by Valentin V. Bartenev (previous) (diff)

comment:2 by Cristian Măgherușan-Stanciu, 6 years ago

Thanks, that's a great idea, I didn't think about doing it that way.

comment:3 by Valentin V. Bartenev, 6 years ago

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.