atomx / nginx-http-auth-digest

Digest Authentication for Nginx

auth_timeout does not re-prompt for credentials #19

Closed jrenslo closed 5 years ago

jrenslo commented 5 years ago

I'm using nginx as a reverse proxy and want it to prompt the user to log in periodically. Setting the timeout, replays, and expires directives in the location and server blocks does not seem to have any effect: I can browse to the site and reload as many times as I want, for as long as I want, without being re-challenged.

example below:

# Reproduction config from the issue report: nginx terminates TLS on 443,
# protects "location /" with the nginx-http-auth-digest module and proxies
# everything to an upstream. Comments marked NOTE(review) are reviewer remarks;
# the directives themselves are unchanged.
#user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    server_names_hash_bucket_size 128;
    # Rewrites the path attribute of upstream Set-Cookie headers so that "/"
    # becomes "/; HTTPOnly; Secure", i.e. it smuggles the two flags in through
    # the path value. Cookies sent without a path attribute are not touched.
    # NOTE(review): the replacement is applied to the matching path prefix, so a
    # cookie with a longer path (e.g. path=/app) would presumably end up with a
    # mangled path - confirm against the upstream's cookies. nginx 1.19.3+ has
    # proxy_cookie_flags for setting these flags directly.
    proxy_cookie_path / "/; HTTPOnly; Secure";

# Plain-HTTP listener: every request is redirected to the HTTPS site.
server {
  listen                80 default_server;
  listen        [::]:80 default_server;
  server_name _;
  return 301 https://$host$request_uri;
}

server {
  # NOTE(review): TLS is enabled here through "ssl on;" further down rather
  # than "listen 443 ssl;". "ssl on;" has been deprecated since nginx 1.15.0.
  listen                443;
  server_name       my-path;
  access_log            /var/log/nginx/access.log;
  error_log             /var/log/nginx/error.log error;

  # Digest authentication for the whole server, realm "Login".
  # What the three tuning directives control (per the module's documentation):
  #   auth_digest_timeout - how long an issued challenge (nonce) may wait for
  #                         its first answer from the client.
  #   auth_digest_expires - how long a nonce may be re-used after the first
  #                         successful authentication.
  #   auth_digest_replays - how many requests may re-use the same nonce.
  # They bound the lifetime of a nonce (replay protection), not the lifetime of
  # the user's login. When a nonce runs out the server sends a new challenge,
  # and a browser that still holds the credentials for the realm answers it
  # without showing a dialog. A periodic re-prompt therefore cannot be enforced
  # with these settings; that needs a session mechanism in the application.
  # NOTE(review): the user file here (digest_file) differs from the one in
  # "location /" below (passwd.digest); presumably the location-level value is
  # the one used for requests under "/" - confirm which file is intended.
  auth_digest Login;
  auth_digest_user_file digest_file;
  auth_digest_timeout 10s;
  auth_digest_expires 10s;
  auth_digest_replays 8;

  ssl on;

  # NOTE(review): TLS 1.1 is formally deprecated (RFC 8996). Prefer
  # "TLSv1.2 TLSv1.3" where the nginx/OpenSSL build supports TLS 1.3.
  ssl_protocols TLSv1.1 TLSv1.2;

  ssl_certificate       cert;
  ssl_certificate_key   key;

  ssl_prefer_server_ciphers on;

  # Same cookie-flag rewrite as in the http block, repeated at server level.
  proxy_cookie_path / "/; HTTPOnly; Secure";

   location / {
       # Repeats the server-level digest settings with a different user file
       # (passwd.digest).
       auth_digest Login;
       auth_digest_user_file passwd.digest;
       auth_digest_timeout 10s;
       auth_digest_expires 10s;
       auth_digest_replays 8;

       proxy_pass          upstream_url;

       # WebSocket pass-through: HTTP/1.1 to the upstream, the client's Upgrade
       # header forwarded, and "Connection: upgrade" sent on every proxied
       # request whether or not the client asked for an upgrade.
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_read_timeout 600s;

       proxy_redirect    off;
       # $http_host is the Host header exactly as the client sent it.
       # NOTE(review): the upstream should not treat it as trusted input.
       proxy_set_header  Host             $http_host;
       proxy_set_header  X-Real-IP        $remote_addr;
       # $proxy_add_x_forwarded_for appends $remote_addr to whatever
       # X-Forwarded-For value the client supplied, so only the last entry is
       # set by this proxy; earlier entries are client-controlled.
       proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
       proxy_set_header  X-Forwarded-Proto $scheme;

     }

}
}
erikdubbelboer commented 5 years ago

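This is your browser caching your password: it keeps the credentials for the realm and answers each new challenge itself, so no prompt is shown. I'm afraid there is nothing we can do about that.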