atomx / nginx-http-auth-digest

Digest Authentication for Nginx

satisfy any; not working #10

Closed passie closed 6 years ago

passie commented 7 years ago

I'm playing around with this module but I'm unable to get this working with satisfy any.

satisfy any;
include /access/ip_list;
auth_digest_user_file /access/passwd.digest;
auth_digest 'secret';
deny all;

Is this supported in this version?

erikdubbelboer commented 7 years ago

This works for me:

location /test.html {
    satisfy any;
    allow 8.8.8.8/32; # My IP
    auth_digest_user_file /some/path/to/.htpasswd;
    auth_digest 'test';
    deny all;
}

Are you sure you compiled nginx including the module? How exactly is it failing?

passie commented 7 years ago

If I connect from, let's say, 8.8.8.8 I get passed; when connecting from a different IP I get prompted with a password prompt as designed. Though after logging in I get a 403 Forbidden:

7234#0: *150614 access forbidden by rule, client: 185.137.18.146

Should both auth_digest_user_file & auth_digest be placed in the location {} block, or could they also be placed at server {} level? The module is compiled correctly with --add-module=mod-ext/http_auth_digest_nginx_module

erikdubbelboer commented 7 years ago

Only auth_digest 'test'; is needed in the location block.

Which version of nginx are you using?

passie commented 7 years ago

nginx version: nginx/1.11.10

Was just thinking that for my current nginx config, I have set the auth_digest_user_file & auth_digest at server level, since the location block doesn't need to be secured. Could this be the problem? Is location {} + auth_digest mandatory in order for digest to work?

erikdubbelboer commented 7 years ago

It only seems to work sometimes for me now. Don't really see a pattern yet but I'm working on it.

erikdubbelboer commented 7 years ago

This config works for me within the location or server block.

satisfy any;
allow 8.8.8.8/32; # My IP
auth_digest_user_file /some/path/to/.htpasswd;
auth_digest 'test';
deny all;

But I did notice one weird thing. If I have a URL like example.com/index.php?foo=bar it works. But when I access the same page using example.com/?foo=bar it stops working. Even though index index.php is set. This module still allows the request but something weird with the satisfy prevents it after that for some reason. But this happens somewhere outside of this module so there is nothing I can do about that.

One other minor issue I found is that if you set allow to your IP the requests are still sent to this module. But seeing as no data is entered it will always just count towards the evasions, making the IP be blocked completely by this module. But seeing as the IP is in the allow, the user should never notice this. And seeing as this module can't know about the allow or satisfy, there also isn't anything we can do about this.
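
The interaction described in the last comment, modeled as an added Python example (not part of the thread, and not the module's or nginx's own code): under `satisfy any` the first handler that returns OK grants access, yet an auth handler that runs first still counts the credential-less request from an allowed IP. The handler order, the counter name `unauthenticated_hits` and the sample requests are assumptions constructed for illustration.

```python
# Simplified model of nginx's access phase under "satisfy any".
# Status values mirror nginx; the handler bodies are constructed stand-ins.
NGX_OK = 0
HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 401, 403

ALLOWED_IPS = {"8.8.8.8"}      # stands in for "allow 8.8.8.8/32; deny all;"
unauthenticated_hits = {}      # hypothetical per-IP counter kept by the auth module


def access_handler(req):
    """allow/deny rules: OK for a listed IP, 403 for everything else."""
    return NGX_OK if req["ip"] in ALLOWED_IPS else HTTP_FORBIDDEN


def digest_handler(req):
    """Auth module: it cannot see the allow list, so it judges every request."""
    if req.get("valid_digest"):
        return NGX_OK
    unauthenticated_hits[req["ip"]] = unauthenticated_hits.get(req["ip"], 0) + 1
    return HTTP_UNAUTHORIZED


def satisfy_any(req, handlers):
    """First NGX_OK grants access; otherwise the remembered 401/403 is returned."""
    access_code = 0
    for handler in handlers:
        rc = handler(req)
        if rc == NGX_OK:
            return 200
        if rc in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN) and access_code != HTTP_UNAUTHORIZED:
            access_code = rc   # a 401 is never overwritten by a later 403
    return access_code or 200


# Assumed order: the auth module's handler runs before the allow/deny handler.
CHAIN = [digest_handler, access_handler]


def run_samples():
    """Constructed requests: allowed IP, valid login elsewhere, no login elsewhere."""
    return [
        satisfy_any({"ip": "8.8.8.8"}, CHAIN),
        satisfy_any({"ip": "192.0.2.7", "valid_digest": True}, CHAIN),
        satisfy_any({"ip": "192.0.2.7"}, CHAIN),
    ]


if __name__ == "__main__":
    print(run_samples(), unauthenticated_hits)
```

The allowed IP gets its page but still increments the counter, which is why monitoring the auth module's failure counts alone can flag addresses that were never denied.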