Closed rickysarraf closed 3 years ago
You are right this doesn't seem to be checked at all. I would suggest you switch to https://github.com/samizdatco/nginx-http-auth-digest which is a more up to date version of this module (which I also maintain). I made a pull request there: https://github.com/samizdatco/nginx-http-auth-digest/pull/35 can you try if this change works for you? If it does I'll merge it.
You are right this doesn't seem to be checked at all. I would suggest you switch to https://github.com/samizdatco/nginx-http-auth-digest which is a more up to date version of this module (which I also maintain). I made a pull request there: samizdatco#35 can you try if this change works for you? If it does I'll merge it.
Thank you for the quick reply. I tried the proposed change but that doesn't solve the problem. The auth form the general
realm is still carried and the abc
realm is bypassed.
I was curious as to why such a simple change wouldn't work. So I tried to check what was being returned. From what I found, and surprised, the check for ngx_strcmp(realm.data, auth_fields->realm.data)
returned value (-34: Unknown error)
.
That error, -34
, is my misinterpretation. That's the value from strcmp()
. And I pushed it as an error code to ngx_log_err
.
/* msvc and icc7 compile strcmp() to inline loop */
#define ngx_strcmp(s1, s2) strcmp((const char *) s1, (const char *) s2)
So, are these fields supposed to have identical data: realm.data
and auth_fields->realm.data
?
That is weird. ngx_strcmp
returns 0 if the strings are the same, and returns the difference in ascii codes if the strings are different. So -34 just means that if the name of your general
ream is real your abc
realm probably starts with a K
in your real test.
But if it doesn't return 0 it also means it goes into the if and returns a challenge for the correct realm. Are you sure your browser doesn't already have the password for the other realm as well? Or are you using the same password for both realms? Try doing the test again after completely restarting your browser so it doesn't have any previous logins. When I tested it myself just now it worked it seemed.
I don't know.
Your fix looked simple enough that I can't see a reason for it to not work. But unfortunately, in all my tests so far, the auth from realm general
gets carried forward to the other one, abc
.
It may be something on the client end on my setup but I'm yet to ascertain what. So far, I tried incognito mode, and multiple browsers. But I got the same annoyance.
I think you should commit your changes irrespective, given that the change is very simple.
Thank you. :pray:
Is the password for both realms the same maybe?
Is the password for both realms the same maybe?
No. They are different. That's something I made sure of right from the beginning. And I also validated it now be recreating them again, just to be very sure.
I don't think there's anything wrong in my config but I'd still let you have a look as you've already spent time on this issue. Let's be sure that there's no user error on this part.
rrs@lenovo:~$ cat /etc/nginx/sites-available/lenovo
server {
listen 80;
listen [::]:80;
server_name lenovo;
return 302 https://$host$request_uri;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
server_tokens off;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
server_tokens off;
server_name lenovo;
client_max_body_size 500M;
#access_log /var/log/nginx/access.log;
#error_log /var/log/nginx/error.log;
location /discover {
auth_digest_user_file /etc/nginx/htdigest;
auth_digest 'private';
auth_digest_expires 600s;
auth_digest_evasion_time 5s;
auth_digest_replays 500;
proxy_pass http://localhost:2342/discover;
}
location /private {
auth_digest_user_file /etc/nginx/htdigest;
auth_digest 'private';
auth_digest_expires 300s;
auth_digest_evasion_time 5s;
auth_digest_replays 500;
proxy_pass http://localhost:2342/private;
}
location / {
if ($arg_q ~ 'private:') {
return 404;
}
if ($request_uri ~ 'private:') {
return 404;
}
#auth_basic "General Area";
#auth_basic_user_file /etc/nginx/htpasswd;
auth_digest_user_file /etc/nginx/htdigest;
auth_digest 'general';
auth_digest_replays 50000;
auth_digest_evasion_time 5s;
auth_digest_expires 1800s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://localhost:2342;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
When, I log into lenovo
, it asks for password twice, I think. And in the logs, I get this:
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/e5ef9780467b9fe8feb06ebd773645e5bf8a6520/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/403dd62b554402644de3b7cca7315719b8fed693/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/828f46910dbd1defe2bd06de69289261cbbe2f84/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/439ddcf35973f9f32f81c8bc655bf7d80fafd056/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/b66e706425df48bd5993ed7e37e394aac46678ae/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/2ca7b078ba02061095608b6b9d164bd9b0778bb2/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/6b9ba15080188c81d44988f7cea92d367e0a801a/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/8c81938a1d378f41aa893a894e87752e7e3f6238/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/12eab493fcb795a187a0ec51831fde8e74572872/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/7db3d55a1c85586cb0a3a9c42d8b20fa9705eee7/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/9737943af74ed95e9f24945e1f11c5907b03b6d9/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/98fd4a84feab10c890231a2272c92a3bbb9f703a/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/e409c9f4954571c8f682ead9fe4e70512f83ff3a/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/56548408c10d3c9a5fd7e1f558deabecd20298bf/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/92f39bc829bd1651befe2dec32add3c58cdc7976/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/d1efa4e80afcd4e972ee55aa2e48d5dab8ee95f8/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/photos?count=60&offset=60&merged=true&country=&camera=0&lens=0&label=&year=0&month=0&color=&order=newest&q=&public=true&quality=3 HTTP
/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/photos?count=360&offset=0&merged=true&country=&camera=0&lens=0&label=&year=0&month=0&color=&order=newest&q=&public=true&quality=3 HTTP
/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/086caf57d55b9f67160b44f057fbdb49b119953b/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/bc167a7e768b6c0003319472843bbfb7b6ecc6ba/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/857e4d65c7ca2b048441b42c15ae2934c5ea0783/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/345d0e6e099904675ad3e59eaf44df3e5040ffed/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/f9fff54e8b2aa460e74a46ed8b8d8d51c5993a3d/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/f169e096144e345ad804886b1418b73225a9b786/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/19fd8dc3feb4380bc603537a1aafefb11e6bc7cb/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/3606bb61e0845357df30d246345c41c2e15eefef/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/0f0c1bdb876354610c6c7e4de2c43b49ecd52e11/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/a9d5f2772653a10de9f7bbe87048fbe03e698c70/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/8b527497c7f1deef8167d4b9b7d161945467d243/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/fb9071c2810ba6378a4c1b6ec28300f92dcd7183/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/d704e00a01afe79391df52076c18254af04ef540/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/fe5404d87393d7c74e37d775e848fbd471bdd68a/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/a404118386cfb6609065cb88c07621b181a55658/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:48 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /api/v1/t/7d6551700180e692e4e2e885e69c9d8f270e3690/9364f06e/tile_500 HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
2021/05/31 17:55:52 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /browse HTTP/2.0", host: "lenovo"
2021/05/31 17:55:52 [error] 2535709#2535709: *2 ignoring authentication request - in evasion period, client: 10.42.0.24, server: lenovo, request: "GET /favicon.ico HTTP/2.0", host: "lenovo", referrer: "https://lenovo/browse"
I think the twice password
may have to do with the server ignoring
the first authentication request
, for reasons it screams, that it is in evasion period
. And then the subsequent request gets served, which is odd.
@rickysarraf The comparison went wrong. I have fixed the pull request and test it, for me it works now. Can you also check: https://github.com/samizdatco/nginx-http-auth-digest/pull/35
@rickysarraf The comparison went wrong. I have fixed the pull request and test it, for me it works now. Can you also check: samizdatco#35
Good day @erikdubbelboer Thank you for the revised fix. That does indeed solve the problem and behaves as one would expect.
I have a config snippet like:
and secrets
I can authenticate proper with the realm defined for
general
in my secrets. Then, when I switch to URL/discover
, I expect the auth digest to kick in again, for realmabc
. But that doesn't happen. Instead, with the credentials validated fromgeneral
realm, it proceeds to/discover
without prompting for any further auth.So, how is
auth_digest
supposed to be used ?I'm running nginx
1.18.0
, withhttp-auth-digest
from this repo.