hjone72 / PlexAuth

Plex based authentication using PHP
GNU General Public License v3.0

Disable Auth on location #5

Closed pablolop002 closed 7 years ago

pablolop002 commented 7 years ago

I want to disable auth on a location (/RPC for rutorrent) and set auth basic, but auth_request off and auth_request "off" don't work. I'm using your Muximux implementation.

hjone72 commented 7 years ago

Hi,

Can you include more of your location block please?

Here is a snippet from mine that is working how you desire:

        location /htpc {
            auth_request "off";
            proxy_pass https://127.0.0.1:8085;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

Can you please confirm that you restarted nginx after making the config change?

Thanks,

pablolop002 commented 7 years ago

My location block is:

        location /RPC2 {
            auth_request "off";
            include scgi_params;
            scgi_pass localhost:5000;
            scgi_param SCRIPT_NAME /RPC2;
            auth_basic "Restricted";
            auth_basic_user_file /path/to/.htpasswd;
        }

Without auth_basic it works, but I need to secure the location.

Thanks for your response.

hjone72 commented 7 years ago

I've been able to recreate your issue. I'm looking to see if I can find a solution for you, but this may be a restriction with nginx or the auth_request module. For now, a quick solution would be to only include auth_request in the location blocks you want to protect with PlexAuth instead of having it in the main server block.

Here is an example (Note: this config is not complete and will not work):

    server {
        auth_request /auth/;  #Remove this line.

        error_page 401 = @error401;
        location @error401 {
            add_header 'X-AfterAuth' 'test';
            add_header X-Original-URI $request_uri;
            if ($return != false) {
                rewrite ^ https://secure.domain.com?return=$return_host$return redirect;
            }
            return 302 https://secure.domain.com;
        }

        location /nzbget {
            ###############
            auth_request /auth/; #Put it in each location block instead.
            ###############
            proxy_pass http://127.0.0.1:6789;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Hope this quick fix will help you out until a permanent solution can be found...

pablolop002 commented 7 years ago

> I've been able to recreate your issue. I'm looking to see if I can find a solution for you, but this may be a restriction with nginx or the auth_request module.

Thank you for this.

> For now, a quick solution would be to only include auth_request in the location blocks you want to protect with PlexAuth instead of having it in the main server block.

About this solution, I don't have auth_request in the main server block. This is my server block config:

    server {

        listen 80;
        server_name domain.com;

        error_log /var/log/nginx/www.error.log info;
        access_log /var/log/nginx/www.access.log;

        root /usr/share/nginx/html/plexauth;
        index index.php;

        set $return $request_uri;
        set $return_host $host;

        error_page 401 = @error401;
        location @error401 {
            add_header 'X-AfterAuth' 'test';
            add_header X-Original-URI $request_uri;
            if ($return != false) {
                rewrite ^ http://domain.com?return=$return_host$return redirect;
            }
            return 302 http://domain.com;
        }

        error_page 403 = @error403;
        location @error403 {
            return 302 http://domain.com/ad.html;
        }

        location ~ \.php$ {
            try_files $uri =404; 
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass   unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi.conf;
        }

        location /admin_auth/ {
            proxy_pass http://localhost:8087/auth/index.php?admin=true&uri=$return;
            proxy_pass_request_body off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Original-URI $request_uri;
            proxy_set_header Content-Length '0';
        }

        location /auth/ {
            proxy_pass http://localhost:8087/auth/;
            proxy_pass_request_body off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Original-URI $request_uri;
            proxy_set_header Content-Length '0';
        }

        location /content {
                auth_request /auth/;
                root /var/www/html/index.html;
        }

        location /admin_content { 
                auth_request /admin_auth/;
                root /var/www/html/index.html;
        }

        location /RPC2 {
            auth_request "off";
            include scgi_params;
            scgi_pass 127.0.0.1:5000;
            scgi_param SCRIPT_NAME /RPC2;
        }

    }

And the localhost server block:

    server {
        server_name = localhost;

        listen 8087;
        error_log /var/log/nginx-auth-error.log info;

        root /usr/share/nginx/html/plexauth;
        index index.php index.html;

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass   unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi.conf;
        }
    }

Again, thank you so much.

hjone72 commented 7 years ago

Can you please try adding satisfy any; to the RPC2 location block?

        location /RPC2 {
            satisfy any;
            auth_basic "Restricted";
            auth_basic_user_file /path/to/file;
            auth_request "off";
            include scgi_params;
            scgi_pass 127.0.0.1:5000;
            scgi_param SCRIPT_NAME /RPC2;
        }

pablolop002 commented 7 years ago

> Can you please try adding satisfy any; to the RPC2 location block?
>
>     location /RPC2 {
>         satisfy any;
>         auth_basic "Restricted";
>         auth_basic_user_file /path/to/file;
>         auth_request "off";
>         include scgi_params;
>         scgi_pass 127.0.0.1:5000;
>         scgi_param SCRIPT_NAME /RPC2;
>     }

This does not work :(

hjone72 commented 7 years ago

Okay, so I found the issue.

It seems to be a problem with error_page 401 = @error401;

If you comment that line out, the config will work as you are expecting. However, it will not redirect unauthenticated users to the login screen for other situations. You may need to make some modifications for your specific setup for this to work as desired.

Just working out how you might go about this.

hjone72 commented 7 years ago

My suggestion would be to change PlexAuth to return a code other than 401. Then within nginx capture that code. I don't think there will be any other options with this one...
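An added example, not part of the thread or of PlexAuth's own configuration: nginx inherits `error_page` from the enclosing level only when the current level defines no `error_page` of its own, so the 401 handler can be scoped to the PlexAuth-protected locations and left out of the Basic-auth one. Hostnames, ports and paths are the placeholders used in the configs posted above; the `/auth/` location and the rest of the server block are assumed unchanged.

```nginx
server {
    listen 80;
    server_name domain.com;

    set $return $request_uri;
    set $return_host $host;

    # No "error_page 401" at server level. If it were set here, /RPC2 would
    # inherit it and the Basic-auth 401 challenge (WWW-Authenticate) would be
    # replaced by the 302 to the login page, so the client could never log in.

    location @error401 {
        return 302 http://domain.com?return=$return_host$return;
    }

    # PlexAuth-protected location: the 401 from the auth subrequest is turned
    # into the login redirect here and only here.
    location /content {
        auth_request /auth/;
        error_page 401 = @error401;
        # ... content directives as before ...
    }

    # Basic-auth location: auth_request is not set at server level, so there
    # is nothing to switch off, and no error_page intercepts the 401.
    location /RPC2 {
        auth_basic "Restricted";
        auth_basic_user_file /path/to/.htpasswd;
        include scgi_params;
        scgi_pass 127.0.0.1:5000;
        scgi_param SCRIPT_NAME /RPC2;
    }
}
```

After reloading nginx, an unauthenticated request to /RPC2 should return 401 with a `WWW-Authenticate: Basic` header, while an unauthenticated request to /content should return the 302 to the login page.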

pablolop002 commented 7 years ago

I solved this with a 302 redirect and a subdomain.