cloudflare / nginx-google-oauth

Lua module to add Google OAuth to nginx
https://blog.cloudflare.com/
MIT License

whitelist some IPs #13

Closed danielmotaleite closed 7 years ago

danielmotaleite commented 7 years ago

Hi

We need to whitelist some internal IPs... how can we achieve this? I'm trying this, but it does not seem to work:

    allow 192.168.1.1/32;
    satisfy all;

If there is no support for this, how about adding $ngo_whitelist_ip and $ngo_blacklist_ip, that will bypass OAuth and always return 403, respectively?

bobrik commented 7 years ago

I tested and it works:

    access_by_lua_file "/etc/nginx/lua/nginx-google-oauth/access.lua";

    allow 172.17.0.1;
    deny all;

    satisfy all;

I think you missed deny all in your config.

danielmotaleite commented 7 years ago

You are almost right! :)

I got confused by my setup, as I already had basic auth enabled and I had OAuth on top of that. I did the tests with it enabled... only after I removed the basic auth and tested again did I get the expected results.

So for blacklist, this works:

    deny 172.17.0.1;
    satisfy all;

For whitelist (i.e. disable OAuth for this IP), this works:

    allow 172.17.0.1;
    satisfy any;

The deny all is really not needed, but notice the satisfy any.

For allowing only one IP (block all others) but still OAuth it, this works:

    allow 172.17.0.1;
    deny all;
    satisfy all;

I will add a small note about this to the README. Thanks for the help.
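
A simplified Python model of how nginx's access phase combines the allow/deny rules with the OAuth check under `satisfy all` and `satisfy any`, reproducing the outcomes reported in this thread. This is an added example, not code from nginx or from this project; the function names, the session flag and the client address 10.0.0.5 are assumptions.

```python
import ipaddress

OK, DECLINED, FORBIDDEN, REDIRECT = "ok", "declined", 403, 302

def access_module(rules, ip):
    """allow/deny: rules are checked in order, first match wins, no match declines."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if net == "all" or addr in ipaddress.ip_network(net):
            return OK if action == "allow" else FORBIDDEN
    return DECLINED

def oauth_handler(has_session):
    """Stand-in for access.lua (assumption): pass with a session, else redirect."""
    return OK if has_session else REDIRECT

def access_phase(rules, satisfy, ip, has_session):
    """Return "pass", 302 or 403 for one request; allow/deny runs before the Lua check."""
    pending = None  # a 403 is deferred under "satisfy any" so a later handler can grant
    for handler in (lambda: access_module(rules, ip), lambda: oauth_handler(has_session)):
        rc = handler()
        if rc == DECLINED:
            continue
        if satisfy == "all":
            if rc != OK:
                return rc          # any refusal ends the request
        elif rc == OK:
            return "pass"          # one grant is enough, later handlers are skipped
        elif rc == FORBIDDEN:
            pending = rc
        else:
            return rc              # redirect to the OAuth login
    return pending or "pass"

# The configurations from the thread (client 10.0.0.5 is a constructed address).
CONFIGS = {
    "first attempt": ([("allow", "192.168.1.1/32")], "all"),
    "blacklist": ([("deny", "172.17.0.1")], "all"),
    "whitelist": ([("allow", "172.17.0.1")], "any"),
    "one ip + oauth": ([("allow", "172.17.0.1"), ("deny", "all")], "all"),
}

if __name__ == "__main__":
    for name, (rules, satisfy) in CONFIGS.items():
        for ip in ("172.17.0.1", "192.168.1.1", "10.0.0.5"):
            for session in (False, True):
                print(name, ip, session, access_phase(rules, satisfy, ip, session))
```

In the model, the first attempt (`allow` with `satisfy all`) still sends the allowed IP to the OAuth login, which is why only `satisfy any` acts as a bypass.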